0

Cyber Security Insurance Provider Dilemma

Consumers must aware of initial cyber security baseline, framework and benchmarking methodologies practiced by insurance providers to cost out the premiums. The insurance contracts must be valid and guaranteed and re-visited for up-to-date renewal, so while applying compensation claim, any magnitude of breach or data loss occurred must be compensated.

“It’s a prudent person rule, do your due diligence & execute due care, otherwise it is your negligence and you might be liable entirely”!

Unprecedented cyber security evolution, where constant innovations pushing for frequent evaluation of strategic solutions. In this interval, enlighten to become a cyber-insurance carrier/broker is going to be a thrilling mission to offer cyber security protection insurance for consumers across horizontal industries including individuals, organizations, state or nation.

Cyber Security & Insurance Bytes

In general, cyber security insurance providers (CIP) are transferred cyber risks carriers, the CIP are more profit oriented and may lack on encouraging or motivating their customers to posture best class security products and quality services for organizations.

Cyber security insurance brokers or risk managers are good in insurance solutions sales but most of them might not an expert on the future claim on the cyber-related loss and compensation.

Unified insured cyber security managed risks and services provide insurance coverage for cyber security arena, its unified approach is orchestrated in perfect cyber harmony to cover the security gaps and to identify transferrable risks.

In addition, risk managers eager to help on managed cyber security, risk identification and management and developing cyber insurance policy.

New York based consultants from RigoTechnology believe, there is no absolute guarantee cyber security solutions even though the cyber resiliency in place, cyber security risk that is acceptable but not avoidable, must be transferable. It would be you, who decides to buy proper cyber insurance just like the car insurance, health insurance or life insurance premiums.

Data breach or loss incidents can be claimed only after the digital forensic investigation is conducted throughout the e-Discovery process, result or proof must be certified for litigation purpose, and further reviewed by the legal authority, attorney or in complex cases criminal court consultation or fair judgment might require.

Cyber Risks & Mandate

An organization must buy a cyber-security insurance policy, where driving factors are laws, regulations and best practices and standards. A governance and management must adopt cyber security programs and policies as defined in management’s security mission or statement.

Rigo’s cyber security management defines “risk identification is the directive on functional policies in regards to functional issues, and must be associated to system or system specific. In essence, to comply with cyber security drivers, an organization must adopt standards, procedures, baselines and guidelines to deal with the cybercrimes, and cyber insurance policy must be bought”.

Regardless risk identification is the determination of risks likely to happen or affects you or your organization, no action at all on your systems, apps, and users is total risks; left over risks accepted without countermeasures are accepted risks; and the risks still persists after safeguards or countermeasures are residual risks.

As per quantitative analysis,

  • Threats * vulnerability * asset value = Total risk
  • Total risk * control gap = residual risk
  • Total risk – countermeasures = Accepted risks (transferrable or qualify for cyber insurance)

Eccentric Cyber Security Insurance Provider

By nature, cyber insurance providers do emphasis only on security frameworks and standards for compliance and risk analysis with less stress on risk management, equally do not focus on advancing consumers’ security products, services, and computer infrastructures recommendation, neither heavily engage on personal, state or national security concerns.

As per NIST framework methodology, identification, prevention, detection, response and recovery, all organization should comply with it to have proper cyber security posture in place to qualify for purchasing insurance plans. If any unpleasant cyber incidents occurred that are not covered by insurance providers cannot be compensated. Unless total coverage was defined within insurance premium contracts.

RigoTechnology due diligent wing concerns as,

  • How a cyber-security insured human right activist or an organization gets protection from insurance provider during active attacks or incidents that are beyond identifiable?
  • Even the proper security measures that are in place as directed by regulations might not capable of prevention? Perhaps total risk transfer, an expensive premium could be bought.
  • Are insurance providers concern for non-profit organizations and total loss compensation? Neither do governments shield their citizens from cyber risks.

RigoTechnology identifies these grey areas must be transparent between policy buyer and the cyber security insurance carrier as,

  • Comply with framework and standards
  • Adopt law and jurisdictions before contract signed
  • Thorough review during next renewal
  • Issues identified that are not defined in contract are subject to compensation or loss claim

 Cyber Insurance Provider Transparency

While engaging global cyber security insurance provider or partnering with them is not recommended as it does not help to improve nation’s sensitive security and expensive solution, rather allows more exploits, espionage and security errors.

Meanwhile, managed security solutions and insurance plans are expensive, and jurisdictions and laws might be beyond the reach to prosecute internal cybercrimes & cybercriminals.

For an instance, if data breach occurred at one state but attack was originated at the different state that does not share data privacy or cyber laws policies, in this instance, forensic investigation along with e-Discovery to litigation would be complicated, and also challenging to provide an evidence for forensic investigators to find the felony within defined timeline.

The chain of custody within a controlled conditions to handle chain of evidence such as events viewing, and accountable during the specific period, also criminal incidents and cybercriminals study in relation to crime scene are complex tasks to correlate or interrelate over various jurisdictions.

As a universal forensic investigation process involves evidence identification, preservation, collection, examination, analysis, presentation, decision, and destruction, it is quite challenging to have e-discovery team to adopt digital forensic investigation process across various jurisdictions.

As per NIST forensic timeline, collection of evidence on media, examination of data from the media, analysis of information (group of data) and reporting the analyzed evidence (collected information), and then finally after action review (AAR) reports to management as it has both success and failures of controls and systems.

Cyber insurance providers just rely on the output from forensic investigation service provider that involves intense legal activities and it is too expensive. However, RigoTechnology helps its clients transparently to ensure that whether the costs are covered by the cyber insurance providers and defined within the contract and comply with regulations prior engaging for the cyber insurance contract.

Ethical & Social Cyber Security Insurance Provider

Whatsoever, global insurance providers must change their strategy, be more region or local specific and separate the cyber security divisions and technology architecture based on local jurisdictions and needs. It would encourage and motivate the global cyber community to experience and explore a great sense of cyber security, data and personal privacy and security awareness experience locally.

Global insurance provider must be ethical, moral and social than ever before and act legally by adopting and respecting specific laws and regulations designed for local jurisdictions. Engaging in local community development and offering cyber-awareness training and programs must be an agenda to succeed prosperously and healthy.

In terms of serving the digital community, insurance carrier or provider involved at both local and global context, if a digital community experiences more local cyber police presence in the local internet streets, the digital community feels more secure.

As in United Nation Security Council, it perceives the cyber security in a global context (for entire internet). Involving local cyber authority for the digital community is acceptable, ethical and more social interests centric than having cyber military or UN cyber soldiers deploying to the global internet community with global command.

Cyber Privacy & Asset Risk Assessment

Cyber privacy and assets risk assessment include identifying assets, associated risks, types of data being transitioning or storage, and analysis of IT environment. Risk management and incident handling might be separated service managed by service providers, in-house or third-party.

Following items are assessed, evaluated and analyzed before finalizing calculated risks and transfer it to the cyber insurance provider for premium calculation for data breach coverage and compensation.

  • Organization data and business function
  • Company type, size, and sensitive BII information
  • Company asset, risk information & resiliency
  • Internet online activities and data movement
  • On-premise, cloud, hybrid facility and usages
  • In-house risk management and preventions posture
  • Incident handling and managements posture
  • Privacy and type of data, PHI, PII, PCI, & compliance
  • Current insurance policy and declaration
  • Credit transfer for cyber security compliant, guidelines, policies and framework existence
  • Breaches types and coverages inclusion such as ransomware, defame, non-compliant audit fees and charges, legal fees, customer data breaches, natural disaster, systems outages, coverage for mean time to recover etc.

Minimal Insurance Package Offer

NAIC (National Association of Insurance Commissioners) defines individual consumer protection from cybercrimes, for an instance any insurance company collects, use and store consumer insurance information are entitled to have an insurance from another insurance providers to cover for consumer data loss, and the insurance should cover any type of consumer data loss during insurance process. The consumer should contact state insurance department to determine existing consumer rights.

NAIC protects for an organization as a consumer entity in terms of buying data insurance from insurance providers, questions must be facilitated as what data protection package insurance should offer?

Insurance security baseline must offer a risk analysis, forensic digital investigation, response and recovery assistance. What exactly covered by the data insurance? Minimal coverages are listed below,

  • PCI, FISMA or HIPAA fines and penalties covered
  • Cyber extortion/ransom coverage, if your systems or information are being a hostage in exchange for money, where cyber insurance will cover it.
  • Internet and web media liability covers improper use of company’s website, social media, intellectual property and trade secrets, and reputation damages
  • First party coverage only covers the general liability and no coverages for the third party
  • Network security coverage in terms of IT infrastructures security systems fail
  • Third party privacy liability includes legal fees and all other damages extended to third party vendors, software providers, and escrows.

Insurance Solutions Baseline

To be qualified for data insurance, the business must satisfy insurance brokers or providers with cyber security policies and security solutions be reactive, protective, progressive, comprehensive and competitive. Referred as,

  • Reactive solutions are retroactive analysis, basic for the cyber security and data loss preventions, mostly activated after the attacks have occurred. As a reactive solution, use of SIEM & IDS sensors technology to capture logs, events, and data flows from systems and applications in real time and store the captures encrypted. The captures can be reused to analysis and correlate to perform attack aftermath analysis, audits and report generation. Also, the captures used for real-time monitoring purpose and act upon the issues identified.
  • Protective solutions are defined to be the minimal adoption of current technologies such as end-point security, unified firewalls and IPS/IDS solutions to block known signatures, viruses, malware and ransomware during data on move, stored and in use. A recognized or certified provider or vendor should be selected to buy our protective solutions.
  • Progressive solutions are equipped with Artificial Intelligence (AI) and machine learning languages and algorithms to tackle with predictive behaviors; security intelligence by utilizing geopolitical cloud services, big data and threat intelligence to tackle known malware signatures; plus a full suite of the protective solution. Progressive solutions are defined more offensive than defensive. For an instance, NSA, CIA, FBI type of organizations are constantly being progressive being offensive against the cyber criminals.
  • Comprehensive solution security must adopt framework such as NIST standards for the respective industries. The framework should offer at minimum protective, detective, responsive and recovery strategies while developing robust and resilient security and software solutions.
  • Competitive solutions provide fare deal of strong sense of security, so being vigilant with solutions objectives on protecting data and consumer to be in first place. Regardless the price of the solutions, compliance, feasible standards and defined framework selection provides more competitive solutions.

Cyber-Data Insurance Assessment

  • Cyber Crime: – Cybercrime is known, unknown and zero-days, for an instance unauthorized electronic funds transfer, cyber extortion, data espionage, and social-engineering and ultimate data loss.
  • Breach Liability: – Private information loss and liability, website media loss liability, not obliged with regulatory liability, patent & intellectual property reputation loss liability, PCI or HIPAA audit fines due to not being a compliant liability.
  • Breach Rectification: – Data breach response team, business interruption, Digital asset loss Data breach response team offers expert legal services, technical support, and resources to assist with notification, recovery and restoration efforts to policyholders who have identified a data security breach.
  • Application: – Property or asset assessment tool should allow to dramatically simplify the application process. Businesses can receive a quote by answering only a few questions. Pre-security assessment and post security assessment is a must to have for forensic analysis.

Managing Your Data Safe

Managing data safe is a risk management protection for an organization or an individual. Even the insurance or cyber protection packages have been bought the layers of defense as defined under solutions baseline should be in place to protect assets, software, and systems.

For an instance buy Microsoft Office 365 and Microsoft Enterprise Mobility + Security insurance should identify baseline, offer basic services and cover for the extreme loss as

  • Enterprise-grade protection and business continuity with 24/7 technical support
  • Continuous backup of files in globally distributed data centers
  • Multi-factor authentication secures information across file servers, email and collaboration platforms with document tracking and encryption and hash.
  • Perform daily automated backs of all the data stored in cloud as Office 365 for cloud
  • Instantly locate and restore data from any point in time
  • Detailed status history and records of all user and admin actions

Extra Incentive for your client

  • Clients that purchase O365 may be eligible for cyber protection package insurance policy credit
  • Policyholders that purchase cyber protection package and migrate to the cloud with the combined service offering may be eligible for a bundled discount from Microsoft and us.
  • Client that adopts the baseline solutions with the insurance providers authorized and verified dealer may get extra cash if data breach occurred
  • Client comply with regular audits, pen test, and vulnerability test is regarded more trustworthy

Organization Risk Transfer Natures

  • An individual, small business or a complex organization should cyber-consciously and offer a comfortable security distributed networks coverage for proliferating global cyber-IoT communities and users at utmost by utilizing their own capacity.
  • Cyber security risk identification, assessment or analysis must be performed to have proper cyber security regulations and manageable. The risk management models could be defined in-house, outsourced or engage third party provider as security as a managed service.
  • Any leftover cyber security risks that is not manageable with existing capacity and resources must be transferable, such as IoT traffic data, data volume, sensitive private information, big data collections, sharing and extractions must be secured and comply with local cyber laws and should not be globalized insecurely, however remaining unmanageable risks can be transferred to insurance providers.
  • For an instance, global big data that keeps the records of global weather details can be shared for global community benefits and are not subject to sensitive information. There are no risks and coverage even it is breached, however, if the third party is relying on this public big data information, the information should consider sensitive and must be covered by cyber insurance policy.
  • In another instance, as per GDPR privacy regulations, EU personnel data PII, PHI, SPI or BII must not be shared with the US by any business or agencies and must remain within EU, abide by the EU local law & jurisdictions.
  • In addition OECD (Organization For Economic Co-operation and Development) is a guidelines on protection of privacy and trans-boarder flow of data protection rules creates a cyber-forum of different global governments, legal entities and standards come together to tackle economic, social and government challenges and complexity of a globalized economy impacted or affected by the cyber security and data protection.

Conclusion

In a nutshell, cyber security insurance providers sharing business or personal data in global context should abide by local and regional jurisdictions, if practiced without consumers’ consent or against the regulations while transiting across global networks shall be defined as a cybercrime and clients must be compensated, if that happens.

  • Prior insurance qualification, cyber and privacy data input from the client must be normalized and perform transferrable calculated risks, such as liability associated with data storage, breaches and security, system damage, cybercrime and business interruption.
  • Computer ethical and moral values must embrace for clean legal business practices between a client and CIP (Cybersecurity Insurance Provider) that must be maintained at high level. There might be numerous perspectives to success with the adoption of cyber insurance business model.
  • For an instance, a company with total risk transfer must be able to claim data breaches in the global context as insurance provider are liable for global managed security services and the clients might eligible for total loss compensation, however, organizations with some portion of cyber risk transfer must be compensated locally and efficiently as defined.
  • Unfortunately, unconditional cyber-attacks, damages, and catastrophe cyber incidents may not be covered by the cyber security insurance provider, in this instances ethically and morally cyber insurance provider must provide compensation to the insured client, business or individual, that includes digital community and any cyber related physical harm and social defame.

Bip Khanal

Leave a Reply

Your email address will not be published. Required fields are marked *