San Francisco Based Security Firm Recommends Full Cyber Risk Assessment to Prevent Losses that Can Cost Millions.
San Francisco, CA, USA -- Losses from cyberattacks and security breaches continue to plague companies of all sizes, and while more organizations are investing in basic cyber insurance, most are woefully underinsured. According to Greg Reber, CEO of AsTech Consulting -- independent cyber security experts specializing in software and IT infrastructure security -- to protect themselves, companies need a comprehensive risk assessment and to work with underwriters to make sure they both agree and understand the terms of cyber insurance policies.
The history of financial losses from a cyber-attack are well documented. Target reported $252 million in expenses related to its data breach in 2013, however the company only had $90 million in cyber risk insurance. Similarly, Anthem Inc. suffered a data breach in February 2015, and the company is now providing credit monitoring and identity protection services to patients who were affected. In both cases, insurance coverage was inadequate to cover costs and additional losses from litigation and class-action suits.
According to a recent study by the Ponemon Institute, companies are four times more likely to insure physical assets than information assets, even though the Probable Maximum Loss (PML) from loss of intellectual property can exceed $200 million. Of those surveyed by Ponemon, 52 percent see cyber risk exposure increasing but only 19 percent have cyber insurance coverage with an average limit of $13 million, and 54 percent have no plans to purchase cyber insurance.
"Executives underestimate the potential losses from a cyber-attack and are unclear how to best insure their operation against potential losses," said Reber. "They buy cyber risk insurance, but too often the coverage is inadequate since many insurance companies rely on self-reporting when assessing areas of coverage. By being better educated about cyber risk and cyber risk insurance and taking simple preventative steps to isolate potential areas of cyber risk, companies will be in a much better position to protect themselves when they do have a security breach."
Cyber risk insurance policy coverage is often based solely on information provided by the company and insurance questionnaires are generic and leave companies under insured. Another common issue is undervaluing the potential losses from a cyber breach, resulting in substantial losses not covered by insurance.
To ensure proper cyber risk insurance coverage, Reber recommends companies take a number of steps:
1. Assess their cyber risk to understand the specific possibilities for a cyber-attack and what data could potentially be exposed or lost. The best approach is to assume that you can't cover all possible contingencies, so it's a matter of when a breach will occur, not if.
2. Develop a cyber breach response strategy, including remediation and notification, to minimize potential losses.
3. Work with an experienced cyber risk underwriter that understands the potential losses from a cyber-attack or data breach and is willing to develop a policy with adequate coverage.
4. Review potential cyber risk annually, since the degree of cyber risk changes over time.
About AsTech Consulting
AsTech Consulting has been helping Fortune 1000 companies manage risk and protect vital information assets since 1997. AsTech's technical team are true Internet security experts, providing a full suite of services focused on risk management and mitigation including Vulnerability Discovery and Remediation, Secure Development Training, Secure Software Development Lifecycle Consulting and Security Architectural Design. For more information, visit http://www.astechconsulting.com.
Public Relations Director, Gumas Advertising