Cyber insurance, lessons from the trenches
Cyber insurance should be seen more as part of a risk management strategy, a retainer if you would, says Ryan van de Coolwijk, ITOO Special Risks: Product Head Cyber Insurance.
Information technologists are faced with an ongoing challenge to bring content and feature-rich solutions to business and clients at breakneck speeds, while ensuring security requirements are met. In fairness, it's little wonder things slip through the cracks - and actually surprising that more don't!
With the best of intentions, IT strives to meet business needs and ensure security is upheld. But it takes just one missed configuration, not renaming one administration account, missing one patch or a typo in one firewall rule to bring things crashing down around IT's ears, says Ryan van de Coolwijk, ITOO Special Risks: Product Head Cyber Insurance.
With the benefit of hindsight it becomes easy to question why that patch wasn't applied, or why that weakness was missed. However, faced with the unenviable task of limiting downtime and getting solutions to market as fast as possible, it's a testament to dogged determination that more doesn't slip through the cracks, especially with changes normally having to happen in the early hours of the morning or over weekends. And let's not get started on that one employee who, despite endless training and awareness sessions, is still going to click on that link, open that attachment, browse to that site or provide their credentials on that dodgy form.
While we have seen and responded to cyber claims based on things slipping through the cracks, to add to the mix we have also seen and responded to cyber insurance claims where South African companies have been specifically targeted and compromised by more advanced attackers. We have clear evidence that although we sit at the southern tip of Africa, we are not out of sight in the world of cyber-criminals. It's definitely not just script kiddies you need to concern yourself with.
While called cyber insurance, the triggering events for the policy are a lot broader than the name implies, covering both internal and external threat actors. Responding to a network security or data privacy breach can be expensive. According to Ponemon Institute's latest Cost of a Data Breach survey, the average organisational cost of a network security breach in South Africa in 2016 was more than R32 million. Not an insignificant number. But when you consider how reliant most companies are on their data and systems, even a short disruption is likely to directly impact their bottom line. South Africa is one of only 13 geographies with its own specific Ponemon report in the study, highlighting the seriousness of cyber-crime in our country.
There is a misconception that business interruption and increased costs of working are covered under a company's general commercial policies. The reality is that these policies require physical or tangible damage in order to trigger. Something like a ransomware attack or disgruntled employee bringing down operations is not going to trigger these policies; this falls squarely in the domain of a cyber insurance policy.
Incident response costs should also not be overlooked. Ponemon attributed over R11 million of the R32 million cost to detection and escalation, which includes things like incident triage and forensic investigations. Make no mistake, these are specialised skills that are not generally found on most payrolls, in large part due to a shortage of skills in the market - not just in South Africa, but globally. In responding to an incident, you ideally want as much information as possible at your fingertips: how were we breached, what data has been compromised, how long were they on the network, what else did they do and how do we clean up? I would strongly advise against cutting costs to get to these answers; the adage "you get what you pay for" rings true.
There is a general yet amicable tendency within IT departments to try and fix everything in-house, but there are times when you need to allow specialists within a certain area to intervene, especially when the collection and preservation of forensic evidence is concerned. One inadvertent, well-intentioned action could easily compromise the ability to gather the evidence to answer the abovementioned questions or the admissibility of the evidence if required in court, which could have legal ramifications down the line.
As we have seen from responding to cyber insurance claims in the South African market, a cyber insurance policy is by no means a replacement for good security practices. Indeed, the better these are - and the more prepared a company is to respond to an incident by having defined incident response plans etc. - the faster the response process will be, and the less the ultimate damages and disruption to a company.
In fact, while sold as an insurance policy, I would argue that cyber insurance should be seen more as part of a risk management strategy, a retainer if you would for incident triage and forensic services, crisis communications and public relations, affected party notifications, remediation and legal services - with the added benefit that business interruption, increased cost of working, and legal defence and settlement costs are also covered.