Last Line of Defense: Cyber-Insurance

Risk management is the booming phrase in information security/cyber security; it is becoming the backbone of every organization, and businesses and corporates revolve around it. As part of risk treatment, identified risks can be mitigated in 4 ways: Accept, Avoid, Reduce and Transfer.
Accept: With this mitigation approach, the technical and business impact of identified risk is measured against the organization’s risk appetite and accepted if found negligible.
Avoid: This approach directs the closure of the business area that leads to high risk, because of the hefty effort involved in mitigating it.
Reduce: This is the most common approach adopted by almost every organization to mitigate their security risks by engaging with various tools and techniques to detect threats and anomalies in order to protect the cyber infrastructure and its users from the resulting negative impact of the anomalies.
Transfer: As the name suggests, this approach transfers the resulting impact of the risk to a third party.

Current Need for Cyber-Insurance

The IT infrastructure, its users and the services offered through this set-up are all subject to a huge number and variety of risks posed by threats that include but are not limited to DDoS, intrusions, hacking, phishing, worms, viruses, spam, etc. To counter the risk posed by these threats, network users traditionally depend on antivirus, anti-spam software, firewalls, IDSs etc. to reduce the likelihood of being affected by threats (risk reduction). In corporate and research labs, too, considerable effort is centered on the development and usage of tools and techniques to detect threats and anomalies in order to protect the cyber infrastructure and its users from the negative impact of existing anomalies.
However, it is impossible to achieve a foolproof cyber-security protection mechanism. There are a number of reasons for this:
  • Limited sound technical solutions
  • Difficulty in designing solutions catered to varied intentions behind network attacks
  • Network users taking advantage of the positive security effects generated by other users' investments in security while not investing in security themselves, resulting in the free-riding problem
  • Customer lock-in and first mover effects of vulnerable security products
  • Difficulty in measuring risks resulting in challenges to designing pertinent risk removal solutions
  • Liability shell games played by product vendors
  • User awareness in optimally exploiting feature benefits of technical solutions

About Cyber-Insurance

This is an insurance product used to protect businesses and individual users from Internet-based risks relating to information technology infrastructure and activities.
Cyber-insurance is a risk management technique via which the insured's risks are transferred to an insurance company with the payment of premium fees. Examples of potential cyber-insurers could include ISPs, cloud providers and corporates. Risks of this nature are typically excluded from commercial general policies or are not explicitly defined for coverage. This is not a well-explored or exploited segment of the insurance domain.
Coverage provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data or defamation; and other benefits including regular security audit, post-incident public relations and investigative expenses, and criminal reward funds.

Benefits of Cyber-Insurance

As insurers pay out on cyber-losses, and as cyber threats develop and change, insurance products are increasingly being purchased alongside existing IT security services. Indeed, the underwriting criteria for insurers to offer cyber-insurance products are also early in development, and underwriters are actively partnering with IT security companies to develop their products.
As well as directly improving security, cyber-insurance is enormously beneficial in the event of a large-scale security incident. Insurance provides a smooth funding mechanism for recovery from major losses, helping businesses to return to normal and reducing the need for government assistance. Finally, insurance allows cyber-security risks to be distributed fairly, with higher premiums for companies whose expected loss from such risks is greater. This avoids potentially dangerous concentration of risk while also preventing free-riding.

Future Landscape

With cyber insurance premiums expected to grow from around $2 billion in 2015 to an estimated $20 billion or more by 2025, insurers and reinsurers are continuing to refine underwriting requirements. Market immaturity and lack of standardization for this segment of insurance are two major reasons why underwriting cyber products is an interesting place in the insurance world.
Authored By - Disha Pandit
TCS Cyber Security Practice