The value of breach response services in cyber covers
By Joel Pridmore, Head of Financial Lines and Business Development, Asia Pacific at Munich Re Syndicate
Would you know what to do in the event your organization suffered a data breach? While many CIOs, CISOs and even CROs may think they have the tools and expertise to handle what is today’s most serious threat to any organization, the truth is the majority may be overlooking some valuable solutions.
Cyber attacks are real and, as the former FBI Director Robert Mueller was famously quoted as saying, “There are only two types of companies - those that have been hacked and those that will be hacked”. With this in mind, why do so many organizations still disregard the impact a major cyber attack could have on their operations? Frankly, it appears to be a misguided perception that their information security controls make them immune from exposure, or a belief that their industry simply isn’t a “target” for this type of malfeasance.
Yet, as the NotPetya malware attack showed, no one is immune, and you don’t even have to be the “target” of cyber criminals but could be exposed vicariously through the generic software applications you use to run your business. In the case of NotPetya, this was simple bookkeeping software which was infected with a virus that caused an estimated US$10bn in financial loss globally and left one of the world’s largest freight and logistics companies crippled by its wrath.
Is investment in best-in-class information and cyber security risk management important in containing this perverse global threat? Of course. Is it enough? No way!
The global cyber insurance industry has developed rapidly in recent years as the world comes to grips with a risk that wreaks havoc on global organizations without discrimination. Many individuals responsible for procuring cyber insurance on their company’s behalf dismiss it as just another insurance policy that can’t be trusted to pay when it matters. Very well-known and experienced cyber security experts have even been witnessed dismissing cyber insurance as a “scam” which encourages firms to become complacent in their approach to cyber security risk management and mitigation. Views like this are sometimes understandable and all boil down to the way this class of insurance is advised upon and sold. You really do get what you pay for in this space, both from an advisor (insurance broker/risk advisor) perspective and from the provider side (insurance company).
Treating any sophisticated financial instrument like insurance without due respect is dangerous both for the end purchaser and for the industry as a whole. Those who doubt the value of cyber insurance are encouraged to learn more about the breach response services upon which all good cyber insurance solutions are built. In fact, it is fair to say that without these solutions the policy isn’t fit for purpose.
Breach response solutions take cyber insurance into the realm of “Insurance as a Service” (IaaS) and, in fact, it is argued that Cyber Insurance as a Service (CIaaS) is where the industry should be heading, as this is where insureds really experience tangible value from their purchase. That is why knowing what breach response solutions are and understanding their value is paramount.
In a nutshell, a cyber breach response solution provides you with IT forensic experts, cyber law experts and public relations experts to help guide you through the Armageddon scenario which is a cyber breach. Having 24/7 access to these experts to provide technical advice, assistance and guidance to triage the disaster and then manage the rectification of the entire catastrophe is a godsend and a service that is truly worth its weight in gold. Let’s examine a few aspects:
1) When disaster strikes, the key management personnel still have a business to run. Breach response experts take this burden from the management and allow them to focus on what they are best at.
2) Cyber breaches can cause massive reputational fallout. Having experts engaged from minute one to manage the situation and provide management with advice on how to respond legally and corporately can mean the difference between life and death for some organizations.
3) Many companies don’t have designated teams dedicated to information security and as such, when a breach occurs, those tasked with managing it can find themselves completely out of their depth.
As the above highlights, the disaster management aspect of a solid cyber breach response solution provided under a cyber insurance policy gives companies and individuals access to services that are sorely needed in a time of crisis. Individuals in all areas of the organization need to be aware that these services exist and are paid for as part of their cyber insurance procurement. When a trained mechanic turns up in your time of need after your car breaks down in the middle of nowhere, a roadside assist policy comes into its own and no one ever questions the value of that purchase. Cyber breach response services should be viewed in exactly the same manner.