Inside Internal Controls

News and discussion on implementing risk management

Do you have or need cyber risks insurance in case of a cyber attack?
A growing number of companies are investing in cyber risks insurance, which offers a degree of protection against the consequences of cyberattacks such as hacking, business disruptions and digital data breaches. Organizations are increasingly buying insurance to protect against losses from computer breaches.

What is a cyber attack?

Techopedia defines a cyberattack as the deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyberattacks use malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes such as information and identity theft. A cyberattack is also known as a computer network attack (CNA).

Cyberattacks may include the following consequences:

  • Identity theft, fraud, extortion
  • Malware, pharming, phishing, spamming, spoofing, spyware, Trojans and viruses
  • Stolen hardware, such as laptops or mobile devices
  • Denial-of-service and distributed denial-of-service attacks
  • Breach of access
  • Password sniffing
  • System infiltration
  • Website defacement
  • Private and public Web browser exploits
  • Instant messaging abuse
  • Intellectual property (IP) theft or unauthorized access

What is cyber risks insurance?

According to Strategy+Business online,

Cyber policies offer a variety of protections and services — for example, business interruption insurance covers companies’ direct losses from being hacked, and post-breach responses include the hiring of computer forensic experts and the use of credit-monitoring services. Nonetheless, companies taking out such policies can remain exposed to liability, due to a combination of legal gray areas, a still-developing insurance market, and the ever-changing nature of cyber threats.

If having cyber risks insurance still exposes an organization to liability, should it have one? And do organizations need it?

Well, it is important to understand the issues at hand first, before answering the questions.

Scott J. Shackelford in his article, Should Your Firm Invest in Cyber Risk Insurance? (Business Horizons, vol. 55, no. 4, July–August 2012) explains,

“One of the challenges to putting in place the right protections is that cyber-crime takes many forms. Identity theft costs consumers more than $5 billion a year, the author reports, and costs firms another $48 billion. Fraud is also a major problem, accounting for more than 600,000 complaints and $1.8 billion in claims from businesses in 2008. And as the persistent Operation Aurora attacks on Google and other multinational companies in 2009–10 proved, high-tech criminals are employing a series of sophisticated assaults to capture firms’ intellectual property.”

Looking back on the SANS Institute Reading Room 2004 paper on Cyber Risk Insurance, which discusses and gives insight into the implications of insurance and cyber crime coverage and raises awareness of the uncertainties within cyber insurance,

“Today, the risks of cyber fraud are ever increasing. They can include stealthy espionage challenges to drive-by attacks that include denial-of-service and web defacements. Insurers have realized that the General Liability policies of the past do not meet the requirements of today’s standards.”

Hence the need for more event-specific insurance coverage such as cyber risks policies, which include information property protection and network security and privacy coverage, among others.

But even if an insurance policy could catch up with current standards and increasing threats, there is still a need to further evolve the laws around the world related to privacy and data protection. There is an even greater need for organizations to implement the minimum standards established by the insurance industry and by existing privacy and data protection laws.

According to IT experts, the technology used to create data breaches is changing and developing very quickly. They say that when privacy and security laws were first established, it was to cover computer hacking as a nuisance activity carried out by bored teenagers looking to deface a website or, at worst, disable an e-commerce portal. Today, many of the hackers are sophisticated criminals bent on stealing money or financial and personal information.

For example, the federal Privacy Commissioner has guidelines requiring organizations to notify affected customers following a breach in which personal information is stolen, but there is no rule about broader public disclosure. Presumably, securities rules around disclosure of material events would cover major network break-ins, but such events are rarely, if ever, mentioned in the financial reports or press releases of Canadian companies.

Legislation is moving towards increased privacy and security standards, and towards requiring private and public companies of all kinds to disclose details of all network breaches resulting in material losses, including the actual costs to the company as well as the nature of the attack.

While this is happening, organizations are trying to figure out their exposure and the potential losses they could face. This requires, among other things, a cyber risk insurance self-assessment. When you assess your risk you have to look both outside the organization and within. You also have to take a close look at your employees to ensure incidents don’t occur.

Performing a self-assessment allows an organization to systematically identify and consider computer security issues. Great importance must be given to the process of self-assessment discovery, as it becomes the vehicle that will divulge how the business functions and what is needed to ensure that it continues to function after a disruption of services. (SANS Institute Reading Room 2004 paper)

It is appropriate to get in contact with an expert in this area and schedule a self-assessment soon, and periodically thereafter.

At this juncture the current state of affairs may be getting fairly serious, and if you have not done so yet, getting a cyber policy is a smart move. But it shouldn’t be seen as a replacement for robust online security measures or risk mitigation strategies, experts say.

“But buying a policy should not give companies a false sense of security; strong internal countermeasures are still required,” writes Scott J. Shackelford (Strategy+Business online).

In coming years cyber warfare could very well take on even greater complexity and frequency than has been made public in recent years.

If you are not already exploring this topic, now may be a good time to do so (for example, read The Betterley Report posts, such as the news item shared September 18, 2012).

Organizations should determine how much peace of mind cyber risks insurance is worth to them.

Ron Richard
Quality Management Specialist

Quality, Information Technology and Enterprise Risk Management specialist at Ron Richard Consulting
Ron Richard, Quality, Information Technology and Enterprise Risk Management specialist, has held positions at nearly every level of an organization and has acquired more than 30 years of relevant experience, including related work done at the College of the North Atlantic. Ron is the author of Inherent Quality Simplicity and of the Inside Internal Control newsletter’s Modern Quality Management series.