Convergence Q&A

Oct. 27, 2008
Understanding Cyber Insurance

Recently we updated our physical security program to help reduce the cost of our cyber insurance. This was part of a months-long program based on security requirements identified through a security assessment performed by our insurance company.
–Security director, major public facility

Cyber Insurance
Cyber insurance goes by many names, including e-commerce insurance, e-business insurance, information security insurance, cyber risk insurance, network security insurance, hackers insurance, network intrusion insurance and cyber liability insurance. Cyber insurance is a generic term for an insurance policy that includes one or more of the following coverages:
Network Security coverage — against allegations/claims made by third parties that were economically harmed by a breach in the insured’s network. It also covers identity theft and private information that is made public.
Privacy coverage — for exposures stemming from the misuse of personal information. This can extend network security coverage to paper files.
Digital Media Liability coverage — for exposures related to the misuses of trademarks, domain names, plagiarism, copyright infringement, defamation and libel on the Internet.
Virus, Worms and Trojans coverage — for the costs associated with a related interruption in business and the reconstruction of any lost data.
Digital Asset coverage — for the loss (including loss of use) of data and/or network resources.
Digital Business Income coverage — for the loss of income due to a network intrusion and/or other computer event that makes the network inaccessible or causes it to operate slowly.
Internal Criminal Acts coverage — for malicious acts perpetrated by employees using computers.
Hackers coverage — for losses resulting from a direct attack on your company’s network, or the use of your network as a platform or gateway to launch a third-party attack.
Crisis Management coverage — provides funds to help handle the public relations fallout from a security breach.
There are no standards for cyber liability coverages, so coverages can vary significantly from one company to another. Did you notice the overlaps in the descriptions of coverages above? The language of specific policies must resolve these overlaps, but in being very specific such language can also create coverage gaps. Some insurance companies or their brokers will perform a gap analysis of existing policies to determine if there are holes in cyber liability coverage.
“Financial institutions of all sizes, from a community bank to a multinational asset management firm, are just as prone to security breaches and other cyber exposures,” explains Tracey Vispoli, vice president and global cyber solutions manager for financial institutions for the Chubb Group of Insurance Companies, in an article titled, “Putting Cyber Risks on the Board’s Radar Screen.” Vispoli continues: “What does matter is whether or not the company implements and maintains a ‘best practices’ model for safekeeping of confidential information.”

Physical Security and Cyber Insurance
In the same way that fire insurance companies require the use of protective measures against fire, cyber insurance companies require that computer and network security measures are in place. The cost of the insurance will depend in part on what those security measures are. Depending on the type of coverage being sought, a cyber risk assessment by a third party may be required.
Next month’s column will provide some excellent resources relating to cyber insurance, and will also present two innovative physical security products that can significantly contribute to cyber insurance rate reduction.

New Question:

Q: Has your security program been affected by cyber insurance requirements? If so, what were the impacts?

If you have experience that relates to this question, e-mail your answer to me at [email protected] or call me at 949-831-6788. If you have a question you would like answered, I’d like to see it. We don’t need to reveal your name or company name in the column. I look forward to hearing from you!

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 18 years. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.

Don’t forget to visit www.SecurityInfoWatch.com/STandDextras to participate in this month’s convergence benchmarking study — it will only take a few minutes of your time, and the final results will be published in an upcoming issue of ST&D.