
Cybercrime: what insurers need to know By Dan Weis, Security Specialist and Lead Penetration Tester, Kiandra IT | 25 Aug 2016

The Ashley Madison breach exposed 37 million curious (or active) users looking for an affair, hacking attacks on the Democratic National Committee in the US have made Donald Trump seem an almost plausible Presidential candidate, and eBay had the personal details of 145 million users stolen. These are just a small sample of the highest-profile cybercrimes of the last two years. In 2015 alone there were more than 700 million breached records, half a billion malware variants detected and more than 10 million web attacks each month, and those are only the ones we know about.

Don't assume that a malicious cyber-attack is confined to the high-profile and the mega-corporation. The majority of hacks against smaller national and local businesses are never reported. The 2015 Ponemon Institute Cost of Cybercrime study shows that cybercrime costs an Australian organisation anywhere from $792,932 to $18,000,000 per breach, with an average cost per business of $2.5 million. Australia is currently ranked third globally for malicious URLs and phishing attacks, and fourth globally for the number of botnet infections. If it wasn't obvious before, it is now: it isn't a matter of whether your business will be hacked, but when. As with any risk there are both practical and financial ways to deal with it, and the insurance industry is offering more and more options for cyber-attacks as the problem escalates, but it remains well behind the pace of this evolving criminal threat.


In many instances a cyber insurance policy is the only way an organisation will recover in the event of a breach, and certainly the only way it can protect itself against a protracted interruption to its business. A policy can also be a much cheaper way of accessing specialist services during or after a breach than paying for remediation outright after the fact. The services and coverage typically included in a policy are:

Privacy breach costs including:

Forensic investigation expenses

Legal and public relations expenses

Notification expenses

Digital asset replacement expense coverage

Business interruption coverage

Security and privacy liability coverage

Regulatory proceedings coverage

Cyber extortion threat and reward payments coverage

Civil fines and penalties coverage

Internet media liability coverage

Public relations services

Credit monitoring services.

But it is important to note that these policies are not preventative measures. No level of insurance will cover the hit to a company's reputation and the brand damage associated with a breach, and one of the most serious losses afterwards is that of trust. No one wants to do business with a company that has been hacked.

So what should you do? At Kiandra we often talk about the layers of security for a business: the more layers you have, the more protection you have in place. We strongly advocate a multilayer approach to mitigating security breaches. At a minimum, your baseline preventative measures should include:

Staff awareness training and regular testing (do your staff know what common attacks look like? Do they know the latest threats? Are they exercising common sense?)

Making sure that your IT team puts the necessary security controls in place (intrusion prevention systems, endpoint protection, application whitelisting and lockdown, network and email protection, firewalls)

Documented and tested incident response policies and procedures for cyber-attacks

Penetration testing (a trained professional attacks your systems from a malicious hacker's point of view, to uncover security vulnerabilities and weaknesses within an environment)

It doesn't take a nation-state or Anonymous to wreak havoc on your business. The reality is that with modern hacking tools and applications you don't need to be a specialist to cause severe damage in an unsecured network. A security breach could be initiated by a disgruntled ex-employee, a bored teenager, a budding hacker after credibility, or someone trying to gain information on one of your clients via your systems. Hacking tools are widely accessible and are designed to cause maximum damage, covertly. It isn't as simple as stealing credit card information. Even if you don't store credit card details online, almost all companies hold sensitive information about finances, trademarks, strategy and general email conversations, not only for their own business but for their clients as well. Everyone is a potential target, and the consequences of a breach can be devastating and irreparable. Combining traditional security measures such as firewalls, intrusion prevention systems, web filtering, email filtering and virus protection with penetration testing, staff awareness training and appropriate insurance can keep a business on a stable financial footing should a significant security event occur.

See more at: https://anziif.com/members-centre/articles/2016/08/cybercrime-what-insurers-need-to-know?p=1&mbs=&cat=articles