Thursday, January 27, 2011

Cyber Insurance

Cyber insurance is a topic that came up recently at a number of events and venues in which I participated. In response, I have decided to dedicate this post to a primer. According to the Internet Security Alliance, cyber insurance is:
“[A]n insurance product used to protect businesses from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies. Coverages provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security audits, post-incident public relations and investigative expenses, and criminal reward funds.”[1]
A healthy discussion is ongoing about how public and private partnerships can come together to create market incentives that stimulate the growth of a private cyber insurance industry. These partnerships can both provide private economic incentives to spur greater cyber security efforts and create a private market mechanism that fosters adoption and compliance. If this topic is not on your radar today, it will likely be in the near future. As it gains more mainstream attention, the intent is that market incentives will encourage voluntary rather than mandated adoption of proven, successful security best practices, standards and technologies.

So what can you do? If you are starting from ground zero, having the discussion within your business on the merits of cyber insurance is a great first step, which will then lead to a discussion of your risk and exposure to cyber exploits. Part of that risk discussion should include how your business stacks up against the benchmarks used for underwriting cyber insurance. As a guideline, the underwriting standard for cyber insurance is ISO/IEC 27001:2005, which is part of the ISO/IEC 27000 series of information security management system standards. Obtaining an ISO/IEC 27001 certification[2], like other ISO management system certifications, usually involves a three-stage audit process:
  • Stage 1 is a preliminary, informal review of the information security management system (ISMS).
  • Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001.
  • Stage 3 involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard.
The active side of an assessment is penetration testing—a method of evaluating the security of a computer system or network by simulating an attack from a malicious source (e.g., a hacker). Many forms of penetration testing exist. The Open Source Security Testing Methodology Manual is a standard for professionals who conduct penetration testing. If you accept credit cards in your business, you may also have to follow the Payment Card Industry Data Security Standard requirements for penetration testing.

Other places to look for additional information include:
The hard and sobering truth is that you can take all the precautions listed above and still be compromised. The choice is whether or not your company is prepared and knows what to do next.

Your company survived Y2K and likely has a plan for business continuity and disaster recovery. In today's connected world, I suggest you have a cyber plan as well.