Comments
Cyber Security Practices Insurance Underwriters Demand
Neilhb,
User Rank: Apprentice
1/8/2015 | 5:15:20 PM
Re: Cyber Insurance
Good article, many thanks. In addition to this good advice, I would like to make security professionals aware that actually they are unlikely to be anything other than important influencers in the evaluation of cyber insurance cover for their organisations and in some cases (although wrongly) they might not even be consulted. This is because if their organisation is large enough to warrant the valuable risk assessment advice given here, it will also be very likely to have a senior executive, e.g. Chief Risk Officer, Company Secretary, CFO, General Counsel etc., often on the Board, who is responsible for the insurance portfolio of cover for the business and the decision to purchase; and oftentimes the decision to even consider cyber insurance in the first place will be taken by them and heavily influenced by their insurance broker. Underwriters are of course a key part of the puzzle and many will be happy to speak to the client directly but usually always under the watchful eye of the intermediary. When it comes to cyber insurance, underwriters have historically been more involved because brokers have been slow to skill up to help the clients assess and provide the necessary information for the insurance cover to be agreed. This situation is gradually changing as brokers tune into the business potential, but the complexities of cyber risk mitigation often leave them less than confident when advising their clients. In order to become part of the process it is vitally important that Infosec professionals first understand how their organisation's insurance cover is managed if they are to intervene in, or even initiate/preempt, the process of evaluating and potentially acquiring suitable cyber insurance. Remember that just as Boards have often (unfortunately) paid little heed to their IT departments and Infosec team before, it is likely not to be messages from their own staff that eventually get cyber risk to their attention!

Instead it will be the rising trend of breaches reported in the media, advice and discussions with their fellow executives and non-executives, and interactions with their incumbent brokers chatting informally about the new 'cyber products' they have on offer over drinks at the 19th hole. Nevertheless, once politics and process are understood and navigated, the good news is that, for those Infosec professionals who are often frustrated that they don't get listened to at suitably high levels (and cyber risk is right up there now), this truly is an opportunity to have their voice heard, and surely it is one which is very worthwhile pursuing. There are a few truly independent cyber risk insurance specialists who are not brokers and who have a strong background in Infosec, and I could not recommend more highly that Infosec professionals seek such advice, given that many are (rightly or wrongly) a bit sceptical of insurance brokers. Such advice would also be vital if the Infosec professionals are to be able to understand both the risk profile(s) and response capability of their organisation and be able to speak with reasonable authority when informing their executives' decisions on the ideal cyber insurance cover for their organisation.
TSCNLehr,
User Rank: Author
12/15/2014 | 5:26:47 PM
Re: Cyber Insurance
Thanks for your comment, Joe. 

I agree that cyber coverage should be comprehensive and multifaceted. Good policies do more than merely transfer asset value risk; they should also include coverage related to expenses and services that enable a speedy recovery. Asset value is one way of determining the value of coverage, but it should equally defend intangible assets. 

Cyber resiliency is a function of holistic business investments that together reduce the probability of compromise and accelerate a company's safe return to normal operations. Cyber assessments, as part of risk-informed planning, help companies and underwriters identify areas of potential risk. Underwriters recognize they can create additional value for their clients by enabling more proactive security planning coverage in advance of a breach. Coverage dialogue can then center on obtaining the right product relative to their clients' specific security posture.
Joe Stanganelli,
User Rank: Ninja
12/15/2014 | 12:34:52 AM
Cyber Insurance
Of course, what you want covered can play a big part -- which is where this self-assessment can really help. Retroactive coverage for as-yet-unknown breaches comes to mind. Ditto for content injury liability.