27a (1).docx
Uploaded by DefeatedRomanArt
Cyber insurance is insurance [that] covers the losses relating to damage to, or loss of information from, IT systems and networks.

In risk management, cyber insurance fits into Risk Transfer. Low risks can be transferred: the risk is transferred to a 3rd party such as an insurer (cyber insurance).

Cyber insurance is agreed upon in these stages:
1. A company sends a request to buy RID2 to the cyber insurer.
2. The cyber insurer would like to know which security controls are implemented to help reduce the impact if it occurs.
3. If unhappy, the company can make it less impactful and send another proposal until agreement is reached.

Losses that result from cyber attacks:
- Intellectual theft: loss of value of this asset.
- Cyber fraud: financial loss from direct use of computers to commit theft/fraud of money, property or security.
- Data and software loss: data have been deleted or corrupted; cost of rebuilding this data.
- Breach of privacy: cost of IT forensics and notifying affected subjects, fines from regulators.
- Impact on reputation: fewer transactions from customers due to being viewed as untrusted.

The main reasons for the existence of cyber insurance are legislation and the rising number of cyber attacks/breaches.

Cyber insurance covers data privacy and security first-party losses, e.g.:
- Data protection fines and penalties, data protection investigation and defence expenses.
- Public relations costs.
- Data breach notifications.
- Identity theft expenses.

Key challenges facing cyber insurance

Data unavailability
There is not enough data on the potential losses that can occur, the value of implementing security controls, the probability of threat sectors attacking, or the probability of security controls not addressing a threat or specified loss.

Beast called cyber
Attacks can come from any part of the world. Attackers have access to powerful cyber weapons, so it is now easier to break into a system than before. The median number of days before an attacker is discovered on someone's network is 146 days… One attack on a system can lead to vulnerability in other systems, since cyber attacks are interdependent.

Difficulties in quantification, impacting premium setting
We don't know:
- How to measure losses associated with cyber attacks.
- How to distinguish between attack-related and other losses.
- How much of the cascading losses and harms should be covered.

Some companies are refusing cyber insurance, and this is the reason why cyber insurance is growing slowly. This is because:
- Cyber insurance is still new and there are many unanswered questions.
- Organisations believe that their policies already cover cyber risks.
- Budget is limited.
- Attacks that originate from foreign agents are excluded in cyber insurance policies.

The catch: apparently, for big companies it doesn't cost much to set up cyber insurance, as it's 1% of the company's annual revenues.

Cyber insurance products should at a minimum cover the cost of any financial losses due to financial fraud/ID theft, and the costs of an IT specialist removing malware from devices and replacing lost data from your OS.