Today, cyber insurance is very much like liability insurance but focused on covering the liabilities of a cyber breach.
Right now, these plans are based on financial and cyber threat evaluation and not on the company’s:
- A written and tested CISO plan for recognition capability (Visibility Plane)
- Corporate security policies and procedures enforcement
- Amount of security devices and other tools
- Advanced security efforts
- Prevention and avoidance plans and efforts
- Mitigation
- Recovery from an attack
- A real Visibility Plane for recognition of attacks to view active attacks and APT (Advance Persistent Threats) left after initial attacks
- Compliance with all industry standards of protection
- PCI, ISO, HIPPA, FISMA, CALEA, SOX, GLBA
- Audit and review efforts
Why should a company that has spent the time and effort to build a visibility plane and a comprehensive security plan be rated the same as a like sized financial company that has made little or no efforts to protect the data of their customers and clients?
However, insurance companies will soon begin to rate insurance on the corporation’s ability to stop, recognize and mitigate attacks along with real plans for compliance and auditing. I recently spoke with a high level insurance executive that said that soon insurance companies will have to quit issuing cyber insurance or start recognizing and rating companies based on the efforts and investment in security protection and compliance.
The Importance of Risk Assessment
A post from InfoSec Institute said:
As the Stroz Friedberg’s managing director Bryan Rose takes it, the fact that cyber insurers do not undertake rigorous assessment before creating cyber policies in writing means that they fail to identify the high-risk clients. Consequently, “[t]here’s a real risk that insurance companies are not appropriately pricing the risk,” Rose concludes.
The biggest factor in 2014 was that the average breach recognition time was over 170 days! The reason was that most corporations do not even have the fundamental ability to see that a breach has occurred, nor that it is still going on! Why? Companies for years have ignored building a real visibility plane and instead they have relied on active and hackable network devices that do not show a real time and full view of the network.
Even new network technologies like SDN, IPv6 and VFN do not have a real visibility plane and every network should have one or suffer the pains of not knowing what is going on in your network.
Do not wait until you have a serious problem or security issue! Remember today's breaches are costing an average of over $3.5M. Do not lose your company millions and ruin your reputation for a few thousand dollars!
This is a guest post by Tim O'Neill, Senior Technology Consultant & Chief Editor at LoveMyTool.
Want to learn more about the many network tools that help you manage your network? Download What Your Network Is Missing: 7 Tools To TAP