Security Experts:

Covering Your Bets With Cyber Insurance

If you’re being honest with yourself, the major successful cyber attacks on companies in the past few years should convince you that your business could eventually fall victim to one.

Whether your company is big or small, whether you handle ‘protected’ data or not, whether you have a few customers or millions – a data breach could be a company crippling event.

To be fair, a data breach may not be entirely your fault. If the big guys, like the FBI, Lockheed, Zappos and Sony can get caught (and they have), even your best efforts may not be sufficient to ward off a smart, persistent hacker trying to cash in on his share of the billion dollar cyber crime industry.

Unfortunately, the downtime spent repairing the breach, the loss of clients and the potentially enormous fines that might result from a breach won’t reflect the fact that your heart was pure. You’ll be just as injured.

If you’re in business and have made it this far, you’ve covered many bets over the years. Chances are, if your office burns to the ground, your controller empties your bank account or a well-deserved heart attack (working too hard, poor diet and a lot of stress) puts you in the hospital for a month, your contingency plans and insurance should handle the expenses and problems these disasters might bring.

What you probably don’t have covered, however, are the costs and problems associated with a cyber attack. Most companies not only do not carry cyber insurance coverage, but also do not even know what to insure and how it might save their company after a digital security breach. You’re not alone - cyber insurance, like cybercrime, is relatively new and even insurance companies are still figuring it out.

My goal in the next few sections is to give you a brief view of the pain a data breach causes and to list a few insurance policies that might allow you to survive one. Finally, I’ll give you a bit of advice that might make your ordeal a bit easier.

The Pain of a Cyber Breach

Unlike a fire or a flood, a cyber breach isn’t a natural disaster; it is often a well-orchestrated attack by professional cyber criminals with technological resources and expertise well beyond anything you can possibly muster.

A professional cyber criminal will hack into your IT systems, silently copy your data, and leave you unaware that your information is now for sale in the cybercrime marketplace.

A very professional cyber criminal will return to your IT systems multiple times, using the backdoors he planted on the first visit to gain even more access to your information.

Alternatively, a low-level hacker (a script kiddie) will take a joy ride through your IT systems and wreak havoc just for the social recognition it brings. Just to add insult, he might also steal and sell your data. You get to be just another online video game.

In either case, there’s a good chance a breach will cost you more than just embarrassment. To name just a few:

• Customer confidence – After a cyber breach, your company will always be the one that cannot be trusted. A good PR firm, with a sincere message, will help you retain your clients. Sincerity is never inexpensive.

• Business Interruption – It will take time to evaluate the damage done by a hacker. Even if your IT systems appear intact, they may have been tampered with. Your customers and your staff may spend many days, if not weeks in recovery.

• Federal and state penalties – Depending on your business and the type of compromised data, fines may range from hundreds to thousands of dollars for each compromised record.

• Comprehensive forensic analysis – Remember above where I said hackers may have ‘technological resources and expertise well beyond anything you can possibly muster’? The cost of working out what data has really been compromised and where the hackers gained access to your IT systems is often large.

• Data restoration – Recovery of your data after a script kiddie joy ride may be as simple as restoring a backup of the database or as complex as replaying your customer transaction logs for the last month.

• Logistical and monitoring support for your clients and customers – Your company may have ethical and legal obligations to provide support at least through communication, and possibly credit and identity monitoring to your clients and customers whose data was compromised.

You, like many of your associates who read the problems above, may have had the same thought running through your head, ‘I haven’t the faintest idea …’. Cyber attacks, recovering from those attacks and the cost of recovery are new to most of us. Unfortunately, that doesn’t give us a license to ignore the potential of an attack until one happens. Talk to your IT guys, hire an outside security firm, insure against the worst – but whatever you do, do something.

Consider Cyber-Insurance

Cyber insurance, like cybercrime, is still very much in its infancy. Not only does coverage vary widely from one policy to the next, but there doesn’t even seem to be consistency in naming the coverage that does exist. A few names you might have heard include Cyber Risk, Cyber Security, Data Security, Privacy Liability, Security Liability and Network Risk. Whatever the name, its intent is to insure companies against the potentially devastating cost of a cyber attack.

Tom Breiner, senior VP at Indianapolis-based insurance firm Hays Companies, provided me with information on his approach to cyber insurance coverage. Policies can typically be set up to cover much of the cost of any cyber attack, including the following:

• Privacy Notification Costs – Typically legal fees and costs (including mailing expenses) to notify customers of a privacy breach

• Crisis Management Expenses – Costs associated with hiring a PR firm to mitigate negative publicity after a breach

• Credit Monitoring Costs – Pays to monitor affected individuals for identity theft

• Forensic Investigation – Costs to determine scope and cause of breach

• Cyber Extortion – Costs arising from a threat to attack the insured’s computer system or to disclose personally identifiable information obtained through a security breach

• Business Interruption – Costs associated with interruption of the insured’s normal business activities due to a network security breach

• Data Restoration – Funds to recover or restore data that is damaged, altered, destroyed, stolen, or misused by a covered cause of loss

Many people may not have considered some of these costs as the fallout of a cyber attack. Consider this as just one more reason you should be talking to an insurance company that understands cyber risk – what you don’t know may be what kills you.

In addition to providing the actual cyber insurance, your insurance company should be one of your best front-line resources for providing guidance on how to better secure your offices as well as how to react after a breach. It is, after all, in their best interest, as well as yours, to minimize the effect of a breach, if not help you avoid a breach all together.

Softening the Ordeal

Here are a few tips to consider before a cyber breach:

• Turn on your system logs – system logs (authentication, web server, database and firewall logs) record who accessed what and when, which may give you enough information to determine how the breach occurred and what information, if any, was compromised. Keep them long enough to cover an intrusion that went unnoticed for months, and send copies to a separate machine so an intruder with administrative access cannot quietly edit them. Without logs you really don’t have a foundation for

• Encrypt your databases – a post-breach press release that contains the words ‘The data was encrypted, no sensitive data was compromised’ may make even the most embarrassing breach bearable. That statement only holds if the keys were not taken along with the data, so keep the keys out of the database itself and off the servers most exposed to attack; many breach-notification laws do not treat properly encrypted data as a reportable breach for exactly this reason.

• Invest in cyber-insurance – treat a potential cyber breach the same way you do any other disaster; understand the cost of the risks and, when it makes financial sense, use insurance to cover the deadly financial disasters that might result.

The first two, turning on your system logs and encrypting your databases, are relatively easy to do and inexpensive (the one part that needs care is deciding where the encryption keys live), and they will make your life far easier if a breach occurs.
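As an added illustration of what those two tips require in practice (this is example code written for this page, not code from the article or from 403 Web Security), the Go program below encrypts a sensitive customer field with AES-256-GCM before it is written to the database, keeps the key outside the database, binds each ciphertext to its row so a value cannot be moved between customers, and writes an audit log line for every decryption so the logs show who read what. The table layout, the `customer:<id>` binding, the audit message format and the random in-memory key are assumptions made for the example; in production the key would come from a KMS, HSM or secrets manager.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"log"
	"os"
)

// customerRow is one row of a constructed customers table (assumed schema).
// The sensitive field is stored only as ciphertext, so a copy of the
// table reveals nothing without the key.
type customerRow struct {
	ID      int
	Name    string
	SSNBlob string // base64(nonce || AES-256-GCM ciphertext)
}

// Vault holds the data-encryption key and an audit logger. The key is
// handed in from outside the database (assumption: KMS, HSM or secrets
// manager in production) so the database alone never holds key and data.
type Vault struct {
	aead  cipher.AEAD
	audit *log.Logger
}

// NewVault builds a vault from a 32-byte AES-256 key.
func NewVault(key []byte, audit *log.Logger) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("data key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, audit: audit}, nil
}

// rowContext is the associated data that ties a ciphertext to its row.
func rowContext(rowID int) []byte {
	return []byte(fmt.Sprintf("customer:%d", rowID))
}

// Seal encrypts one field for one row under a fresh random nonce.
func (v *Vault) Seal(rowID int, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	blob := v.aead.Seal(nonce, nonce, []byte(plaintext), rowContext(rowID))
	return base64.StdEncoding.EncodeToString(blob), nil
}

// Open decrypts one field and logs the attempt, success or failure,
// so the logs record who read which customer's data and when.
func (v *Vault) Open(rowID int, who, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], rowContext(rowID))
	v.audit.Printf("decrypt customer=%d by=%s ok=%t", rowID, who, err == nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Exposed reports whether a copy of the table still holds the secret in
// the clear, i.e. what an attacker with only the dump would see.
func Exposed(rows []customerRow, secret string) bool {
	for _, r := range rows {
		raw, _ := base64.StdEncoding.DecodeString(r.SSNBlob)
		if bytes.Contains(raw, []byte(secret)) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // demo only: random in-memory key
	if _, err := rand.Read(key); err != nil {
		log.Fatal(err)
	}
	v, err := NewVault(key, log.New(os.Stderr, "audit ", log.LstdFlags))
	if err != nil {
		log.Fatal(err)
	}
	blob, _ := v.Seal(42, "123-45-6789") // constructed sample value
	table := []customerRow{{ID: 42, Name: "Ada", SSNBlob: blob}}
	fmt.Println("plaintext visible in table dump:", Exposed(table, "123-45-6789"))
	ssn, err := v.Open(42, "billing-service", table[0].SSNBlob)
	fmt.Println("authorised read:", ssn, err)
	_, err = v.Open(43, "billing-service", table[0].SSNBlob) // moved to another row
	fmt.Println("moved to another row:", err)
}
```

Run it and the dump check prints false, the authorised read returns the value, and reading the same ciphertext under a different row id fails, which is the property the press release in the tip above depends on: a copy of the table is worthless without the key, and every use of the key leaves a trace in the logs.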

As for cyber-insurance – aside from underwriting the cost of a cyber breach, a good insurance company will be an excellent friend during the traumatic period after a breach – your breach won’t be the first they’ve seen. The guidance from their experienced staff will help get you through your dark days.

Finally, line up your ducks before a breach occurs and, above all, don’t panic.

Related: Breach Forensics - Keeping Things from Going from Bad to Worse

Related: You've Been Hacked. Now What?

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.