An associate, hopefully in jest, recently commented to me: “Remind me sometime to show you the scars from every time I’ve slit my wrists after reading one of your Sunny Ways bulletins.”
I take it that sometimes these newsletter stories may make it seem like living in cyberspace has become a futile existence. Sadly, I have to admit it’s true that our new dependency on everything “cyber” means we aren’t likely to get back to the worry-free world we knew a decade or two ago. We have to worry about the information and access we allow to apps, websites and the “Internet of Things”. But we may someday get to a “comfortable level of information security risk”.
To do that, however, I think we will need to change our expectations around risk.
Cyber insurance is a tool that can make life easier by transferring risk
Some of my long-term subscribers may remember an article I wrote from early 2016 (A Cyber-Crime story: Is it Crime or is it Cyber-Crime? And can it be covered by insurance? – last article in the newsletter) about how a financial organization lost $480 thousand to a social engineering scam where an accounting employee was tricked into wiring funds based on a forged email from an executive. While the company had cyber insurance, they were denied their claim because the incident didn’t fit the terms of a “cyber security incident”, as defined in their policy. At the time I understandably warned readers to be careful about cyber insurance.
However, I am becoming much more positive on cyber insurance because some insurance underwriters are now covering many more types of risks that have become common (including covering complex damages like third party costs from data breaches).
Consider consulting an insurance broker or agent about cyber security risks
A few weeks ago, I attended a presentation at the Ottawa Cyber Security Meetup by broker Chris Wilson of PBL Insurance, who explained the many new risks covered by cyber insurance. Chris is a sharp and energetic young broker who understands the emerging needs of people and businesses using technology, which includes most of us now. He was supported by underwriter Atonella Simoncelli (of AIG in Montreal), who helped answer questions about due diligence and the underwriting process around cyber insurance. It was very interesting to learn how they identify risks and set the premiums.
I do still want to caution everyone that you need to read and understand the terms and fine print of any insurance coverage you may decide to buy. A broker or agent should be able to help you with this task. And there will probably be times when you feel the premiums may not be worth the risk.
However, as insurance underwriters gather more statistics around the risks, the premiums and coverage should become more closely reflective of the situations against which we may have a hard time safeguarding any other way. Transferring risk to an insurance company may soon be the easiest way to ease our minds about living and working online.
In the meantime, and probably for the foreseeable future, anything you can do to better understand the unique risks faced by your business, and to educate your team on how to deal with them, will ultimately reduce unexpected costs from cyber security incidents.
Please let me know if you would like to discuss the risks facing your team.
Talk to your insurance broker or agent about cyber security coverage, and see if their offerings reflect the activities and potential exposures that reflect your situation. Read the fine print and try to weigh the premiums against the costs of having an unexpected loss without coverage.
If you encounter situations at work where there seems to be a risk that isn’t covered by a policy, procedure or technical safeguard, let your manager know, and suggest that it may be worth looking at whether or not insurance is available to cover that risk.
If you have done a risk assessment recently, review the list of unacceptable risks and consider whether or not there may be affordable cyber insurance available to cover any of them. If you haven’t done a risk assessment, it may be a good idea to do so, in order to get a better view of which risks should be transferred to insurance underwriters.
For more detailed information about the state of cyber insurance and where the most common gaps are, here’s a good paper from SANS.
If you have any questions about cyber security risks facing your team, and how to deal with them, please let me know.