Many people believe there are only two types of companies: those that have been hacked, and those that will be hacked in future. It doesn't matter what industry or the size of an organisation, no company is immune to data breaches.
So said Jake Kouns, CISO of security company Risk Based Security, speaking at the ITWeb Security Summit 2016 at Vodacom World yesterday. Kouns explained more businesses are coming to the conclusion that they are not immune to data breaches and have started to purchase cyber liability insurance to mitigate against this.
"Last year we saw the worst statistics regarding the number of breaches which took place. There were 4 000 breaches which took place globally and 745 million lost records.
"This was still better than the previous two years where we saw over one billion records lost each year," he revealed.
In 2015, there were around 14 000 unique vulnerabilities in software which was downloaded by organisations, he pointed out. Many of these vulnerabilities, he added, are embarrassing, as they are stuff that vendors should no longer be offering as a product and should be classified as outdated.
"Many people believe that no matter how many security measures they take by spending money on protection services and products, chances are they're likely to get hacked or experience a breach at some point. Risk is a reality that we're all hoping to avoid, hopefully more people can try to understand this cyber risk," he asserted.
There is a way to transfer risk to another party, he added. This is mainly done through three methods: the first is through outsourcing services, the second is by signing contracts and agreements and the third is through insurance.
"Insurance is purchased for numerous reasons, either to reduce liability, recover loss, or for peace of mind, and it's typically purchased for most valuable assets.
"No denying it, it's an industry a lot of people love to hate, but cyber insurance can bring a lot to the table when it comes to dealing with the financial fallout of a security breach."
He explained because it's a commercial policy, cyber insurance isn't quite the same thing as auto or homeowners insurance, but there are some similarities.
"Similar in a sense that these policies can respond to both first and third party exposures arising out of a security event, including a data compromise.
"Cyber insurance means organisations can buy a policy that can cover both security event recovery costs and protection from lawsuits arising out of a data compromise."
The primary focus of these policies, he continued, is responding to the legal obligations these events can present to the organisation - on the "first party" side, that's paying for notification or customer care services when personal information is compromised.
On the "third party" side, that's covering the cost of lawsuits, and depending on your point of view, cost of defending regulatory investigations, noted Kouns.
"Cyber policies can take on a lot of the financial burden of a security breach as they can contribute to softening the financial blow of a security event.
"Cyber insurance therefore becomes an attractive method for offsetting the risk and the cost can be surprisingly low," he concluded.
Share