Reading this article (extract below) in the Insurance Post brought back memories from almost 20 years ago, when I used to talk at events and train security teams around the world. The first question then, and now: “What do you want to protect?” Without an understanding of the assets you’re trying to protect, your security controls, remediation, and risk mitigation will have no linkage to your business needs.
Even though it’s focused on information about ‘Human Persons’, GDPR brings an opportunity to conduct a full data audit as part of your Data Privacy Impact Assessment. Don’t just look at personal data. Identify ALL your data assets, then put in place the controls to detect them, the systems to identify a breach, and the appropriate insurance to mitigate the residual risk.
Thus far, the cyber insurance market has been focussed on personal data. Understandably so, given the costs that have been incurred in data breaches in the US and the fines that can be levied under the upcoming General Data Protection Regulation.
Nevertheless, personal data, while valuable to criminals, is not where the real value sits for companies – it is the value of patents, know-how and technical acumen, its intellectual property.
Currently, the majority of cyber insurance policies provide business interruption cover for the time taken to restore normal operations in the company’s IT network. Some also provide cover for an additional period for recovery of the business, usually around 90 days.
However, cyber policies usually require there to be some interruption or degradation in the performance of the IT network for a BI loss to be covered. In the event of a data breach, this network interruption or degradation usually doesn’t occur, as the hackers are in and out of the network before the breach is discovered.
Even if the hackers stole IP and there was interruption to the IT network, when will this result in a BI loss? Given the time required to review and utilise illegally acquired IP to generate revenue, it is unlikely that this loss will crystallise before the end of any indemnity period available under a cyber policy. Which means that these losses are likely to be uninsured.
To address this risk, companies may wish to consider segregating those parts of the network where this IP is stored. This process of segregating sections of the network may already have started after last year’s WannaCry and NotPetya attacks, as companies seek to ensure that an attack on one part of the network does not cripple the entire global infrastructure. However, extending this process to consider business-critical data will help to ensure that all key IP is appropriately protected.
However, it is unlikely that the risk of a data breach resulting in the loss of IP and a subsequent loss of profit can ever be completely removed. While there are a number of insurers that write IP cover, the take-up of these policies is low, with some commentators suggesting that less than one per cent of insurable IP assets are actually covered.
In addition, in 2016, Accenture reported that one-third of targeted cyber-attacks succeed. The same report also stated that 75% of corporate executives were confident in their security strategies. There is clearly a disconnect, therefore, between the understanding of the cyber risk and the response to it. Given this disconnect, the risk that companies have already suffered, or are about to suffer, a cyber-attack resulting in a loss of IP must be significant.