Cyber-insurance, another support for your organization's security
We are continuing our campaign of cybersecurity prescribers from REALSEC. This time, with the insurance company SEGMEDIA, which tells us everything organizations need to know about cyber-insurance and why they should take out a policy if they want to be pioneering and proactive about their cybersecurity.
Although organizations today have many measures and robust information-security systems at their disposal to be proactive against attacks by cybercriminals and to minimize the possible risks, we can never say that there is 100% security.
Attackers keep developing ever more sophisticated cyber-attacks against organizations. Therefore, as an organization, we should perhaps consider taking out a cyber-insurance policy (cyber-policy) to further reduce the impact in the event of an attack, in addition to having stronger security policies and more secure solutions, such as cryptographic ones.
In response to this need there are different options, such as Segmedia, who have told us the following:
1- Due to the current situation of cyber-risks that organizations are facing, besides their policies and actions to protect themselves, how can they strengthen their online confidence and feel more secure?
Indeed, virtually all organizations with Internet connectivity and online business have already applied policies and security measures to protect themselves. As you mentioned, however, 100% security does not exist in any environment, particularly when the advancement and proliferation of cyber-attacks is exponential, since the number of threats and the drivers to create them have increased exponentially as well.
The links between cybercrime and organized crime are obvious. In addition, there are the regulatory and sanctioning aspects (fines) caused by data leakage, human error, disloyal employees, etc.
At Segmedia we believe that getting an insurance policy for cyber incidents and failures of information systems is a major contribution of value to organizations, allowing them to transfer different types of the business's cyber risks and add a layer of corporate protection, which brings a level of additional coverage to the excellent work carried out by the CISOs, the Business Continuity and Disaster Recovery areas and the Corporate Risk Management departments. Thus, the level of confidence and the perception of online security are reinforced, with economic and legal support against possible cyber-attacks that cannot be mitigated by security measures or that are caused by human error.
2- What is cyber-insurance made of? What does it cover?
Cyber-insurance complements the civil liability, accident, damage and Directors and Officers (D&O) liability insurance that almost all companies have already taken out.
These cyber-policies add coverage such as third-party liability for leakage of personal data and corporate information; for example, if someone sues us because their confidential data have been compromised. That "someone" can be a company or an individual. If it is a company, lawsuits can be associated with very high compensation. Another interesting coverage is fines by regulators (such as breach of the data protection act, from the Data Protection Agency, or soon from the European Union for breach of the data protection regulation, which in this case can be fined up to 2% of the organization's global revenue). Other very interesting coverages are for loss of profits and restoration costs due to incidents or failures of the ICT systems, rehabilitation of brand image (after an incident that has been made public), events and faults in industrial control systems (SCADA), etc.
3- Are there agents specialized in this field of cyber-insurance in the market?
In Spain, the big insurance companies and brokers are beginning to offer this type of insurance, but their degree of specialization in ICT security is not the best in all cases. At Segmedia, we believe that specialization in both fields, company insurance and ICT security, is the only way to offer organizations the most suitable product.
4- What requirements must an organization meet to be able to take out a cyber-insurance policy? Or what does Segmedia demand of its potential insured clients?
Organizations must meet different requirements in different areas: at the level of certifications or compliance (such as PCI-DSS (when electronic means of payment are used), ISO 20000, ISO 27001, ISO 22301, ANSI/ISA 99, etc.), regarding the competence of the staff and the management of the systems and computer security department, the security technologies being used, especially in the field of data protection, the Business Continuity Plans, etc.
It is in the field of data protection where encryption, digital signature and time stamping, in general the use of cryptography to protect sensitive data, take on vital importance. Here is where organizations that use such technologies, such as REALSEC's, would obtain cyber-insurance policies with more advantageous conditions, as they have a higher level of data protection and therefore a lower risk of leakage or loss of sensitive data.
For example, a client that uses debit/credit cards as a means of payment and does not comply with PCI-DSS because it is not protecting the stored cardholder data, or because it does not encrypt cardholder data and confidential information transmitted over open public networks (both aspects covered by REALSEC's HSM, Hardware Security Module, technology), would find it very complicated to take out a cyber-insurance policy.
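The following is an added example, not code from the original interview or from REALSEC or Segmedia. It illustrates the "protecting the stored cardholder data" requirement mentioned above: PCI-DSS permits rendering a stored PAN unreadable by truncation (at most the first six and last four digits shown) and by a keyed one-way hash of the full PAN, and this script stores only those two forms and then scans the record store to confirm that no full card number survives. The HMAC key, the sample card number (a standard Luhn-valid test number) and the record layout are all constructed for the demonstration; in a real deployment the key would live in an HSM or key-management system rather than in source code.

```python
import hashlib
import hmac
import re

# Constructed demo key. In production this secret is held in an HSM/KMS and
# never appears in source code or configuration files.
DEMO_HMAC_KEY = bytes.fromhex("00" * 32)

# A run of 13-19 digits bounded by non-word characters: the shape of a full PAN.
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan: str) -> bool:
    """Return True if the string is 13-19 digits and passes the Luhn checksum."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate for display: keep first six and last four, mask the rest."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN, usable as a lookup token."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_card(record_store: list, pan: str, key: bytes) -> dict:
    """Persist only the truncated PAN and its keyed hash, never the full PAN."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    entry = {"masked": mask_pan(pan), "ref": pan_reference(pan, key)}
    record_store.append(entry)
    return entry


def find_unprotected_pans(records: list) -> list:
    """Scan every field of every record for a Luhn-valid full PAN.

    An empty result is the check an assessor (or insurer) wants to see: no
    clear-text card numbers in the data store.
    """
    hits = []
    for rec in records:
        for value in rec.values():
            for candidate in PAN_PATTERN.findall(str(value)):
                if luhn_valid(candidate):
                    hits.append(candidate)
    return hits


if __name__ == "__main__":
    # Constructed sample: the well-known Visa test number, not a real card.
    test_pan = "4111111111111111"
    good_store: list = []
    store_card(good_store, test_pan, DEMO_HMAC_KEY)
    # A constructed "bad" record that wrote the full PAN into a free-text field.
    bad_store = [{"note": "customer paid with card 4111111111111111"}]
    print("compliant store hits:", find_unprotected_pans(good_store))
    print("non-compliant store hits:", find_unprotected_pans(bad_store))
```

The scanner is deliberately simple (digit runs plus a Luhn check), which is enough to flag accidental leakage of card numbers into logs, notes or exports; the same idea extends to the "data transmitted over open public networks" point only in the sense that whatever crosses the wire should likewise contain the keyed reference or an encrypted payload rather than the PAN itself.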