The unlikely heroes of cyber security: viruses, privacy breaches, and other malicious cyber activity regularly threaten organizations' vital information. Cyber insurance providers hope to control the damage risk.A customer's confidential account information is broadcast over the Internet without his bank's knowledge. An unknown computer hacker, whose future plans may shut down the bank's e-business network for days or even weeks, causes the breach. This scenario, while fictitious, sounds all too familiar given today's headlines. Malicious cyber (1) From "cybernetics," it is a prefix attached to everyday words to add a computer, electronic or online connotation. The term is similar to "virtual," but the latter is used more frequently. See virtual. activities, including hacking, viruses, and denial-of-service attacks "DoS" redirects here. For other uses, see DOS (disambiguation). A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. leave destructive, and often costly, scars on vital e-business operations. According to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. the Computer Security Institute's 2002 Computer Crime and Security Survey, 90 percent of respondents--503 computer security practitioners primarily in large U.S. corporations and government agencies--had detected computer security breaches within the previous year, and 80 percent reported financial losses because of them. Nearly half the respondents reported combined financial losses of more than $455 million. Some risk management analysts predicted that the insurance industry would neglect cyber insurance, also known as e-risk insurance, after dealing with enormous post-September 11 (9/11) insurance claims. However, as companies take a closer look at protecting their information assets from probable cyber attacks, demand for this form of insurance is growing. "The insurance industry does play an important role in securing cyberspace Coined by William Gibson in his 1984 novel "Neuromancer," it is a futuristic computer network that people use by plugging their minds into it! The term now refers to the Internet or to the online or digital world in general. See Internet and virtual reality. Contrast with meatspace. ," says John Sacia, CEO (1) (Chief Executive Officer) The highest individual in command of an organization. Typically the president of the company, the CEO reports to the Chairman of the Board. of Sacia Risk Solutions LLC (Logical Link Control) See "LANs" under data link protocol. LLC - Logical Link Control , a Seattle-based e-business risk coverage provider. "Fortunately, there are a few companies ... that are committing risk capital to this class of business, which, given the state of the insurance industry and the substantial losses arising from 9/11, asbestosis asbestosis Lung disease caused by long-term inhalation of asbestos fibres. A pneumoconiosis found primarily in asbestos workers, asbestosis is also seen in people living near asbestos industries. , and corporate wrongdoing wrong·do·er n. One who does wrong, especially morally or ethically. wrong  do , is commendable." Companies offering cyber risk coverage report that it is gaining new attention in retail, financial, medical, and communications companies Communications Company is a communications unit of the United States Marine Corps. They are part of Combat Logistics Regiment 37 , 3rd Marine Logistics Group (3MLG) and III Marine Expeditionary Force (III MEF). The unit is based out of the Marine Corps Base Camp Smedley D. because these industries want to protect their bottom line: the computer-networked information assets that make up their infrastructures. "The insurance industry has done a good job of educating clients about the value of e-business insurance policies," says David O'Neill, vice president of e-business solutions for Zurich North America North America, third largest continent (1990 est. pop. 365,000,000), c.9,400,000 sq mi (24,346,000 sq km), the northern of the two continents of the Western Hemisphere. Financial Enterprises in Baltimore, Maryland "Baltimore" redirects here. For the surrounding county, see Baltimore County, Maryland. For other uses, see Baltimore (disambiguation). Baltimore is an independent city located in the state of Maryland in the United States. . "People are also making a more educated decision about it. They're asking, 'What is the benefit? What's in it for me? What's it for? Maybe I ought to look into it.'" Targeting common threats that affect organizations helps cyber insurance providers define where coverage is needed. According to Mark Greisiger, founder of NetDiligence, existing and emerging cyber hazards include virus/worm damage, hackers, cyber extortion extortion, in law, unlawful demanding or receiving by an officer, in his official capacity, of any property or money not legally due to him. Examples include requesting and accepting fees in excess of those allowed to him by statute or arresting a person and, with , Internet liability, Web vandals, denial of service A condition in which a system can no longer respond to normal requests. See denial of service attack. , Web site disability access discrimination (universal access), computer/server malfunctions, intellectual property infringement, rogue administrators, application service provider (ASP) service outages, Internet service provider Internet service provider (ISP) Company that provides Internet connections and services to individuals and organizations. For a monthly fee, ISPs provide computer users with a connection to their site (see data transmission), as well as a log-in name and password. (ISP (1) See in-system programmable. (2) (Internet Service Provider) An organization that provides access to the Internet. Connection to the user is provided via dial-up, ISDN, cable, DSL and T1/T3 lines. ) outages, malicious code transmission, Unix and Windows operating system operating system (OS) Software that controls the operation of a computer, directs the input and output of data, keeps track of files, and controls the processing of computer programs. flaws, privacy breaches, and human mistakes. "In the five years since [cyber] insurance has emerged, there has been a more traditional [insurance-based] risk management appreciation and approach to protecting information and helping customers eliminate risks," Greisiger says. "Companies will be required to demonstrate vigilance, a 'security mentality,' and solid daily practices involving the use of some industry-recognized safeguard processes and technologies, all of which is verified with an e-risk assessment ... in order to qualify for this insurance." A common misconception mis·con·cep·tion n. A mistaken thought, idea, or notion; a misunderstanding: had many misconceptions about the new tax program. among businesses is that traditional insurance covers cyber liabilities. The insurance industry is starting to make it clear that basic brick-and-mortar insurance coverage plans are different than the plans covering information loss and business interruption resulting from cyber attacks. "Frankly, this has taken some time, and the insurance industry needs to do a better job of articulating those uninsured exposures," Sacia says. "Ultimately, companies will determine that they cannot rely on traditional insurance policies to protect their business, and when this occurs, companies are inclined to consider their options, including better risk management and security and the purchase of cyber insurance." Cyber Security Guidelines Cyber insurance has gained considerable public attention with the publication of the U.S. Department of Homeland Security's (DHS DHS Department of Homeland Security (USA) DHS Department of Human Services DHS Department of Health Services DHS Demographic and Health Surveys DHS Dirhams (Morocco national currency) ) National Strategy to Secure Cyberspace In the United States government, the National Strategy to Secure Cyberspace, is a component of the larger National Strategy for Homeland Security. The National Strategy to Secure Cyberspace was drafted by the Department of Homeland Security in reaction to the September 11, 2001 . The 76-page document, released in February, enforces a national cyberspace security response system for improving the U.S. government's response to cyber incidents and outlines programs to prevent future cyber attacks and related damage within the public and private sectors. "Because the National Strategy document explicitly mentions cyber insurance, I believe this will have a positive impact on the insurance market," says Rick Davis
ISO (1) See ISO speed. (2) (International Organization for Standardization, Geneva, Switzerland, www.iso.ch) An organization that sets international standards, founded in 1946. The U.S. member body is ANSI. 17799, which was created in 2000 and superseded British Standard (BS) 7799, is highly regarded as the most-recognized standard for managing information security. ISO 17799 defines information security as the process of protecting "information from a wide range of threats in order to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities." Information security, it concludes, comes from protective technology, management, and procedures supported by all employees of an organization. Participation from suppliers, customers, shareholders, and specialists from outside organizations also may be needed. ISO 17799 identifies as crucial to organizations several information security management practices, including * creating an information security policy document * allocating information security responsibilities * providing information security education and training * reporting security incidents * establishing a business continuity management plan Some insurance providers regard ISO 17799 as the most important tool organizations have for meeting cyber insurance coverage requirements. Michael Lamprecht, a national practice leader in e-insurance for Chicago's Gallagher CyberRisk Services, notes that from his consulting experience with Fortune 500 companies, organizations need to be better coached on the standard's, requirements; however, many of them are trying to be as compliant as they can. "Insurance companies require a minimum level of compliance with ISO 17799. The average company is 65 to 75 percent compliant, and the best companies are over 80 percent compliant," Lamprecht says. "Information security consultants could be brought in to help companies understand the ISO standard. It typically takes about six months for companies to understand it and to comply." Changing Attitudes While cyber insurance providers require ISO 17799 compliance--a process Greisiger likens to getting "pre-approved for a home loan"--the reality is that few organizations are willing to fully adopt the standard's stringent requirements. Instead, organizations often select elements of the standard that they consider most important for information security. Some companies, for instance, regard having the best firewalls and security technology more important than enforcing company-wide privacy guidelines. The ideal scenario, cyber insurance experts say, is that companies achieve a balance between the technological and procedural aspects of their information security management. In the early days of cyber insurance, Davis saw the underwriting risk assessment process as an uphill struggle, particularly when evaluating high-security firms that regularly passed government inspections. "It was very difficult to get insurance applicants to understand why paying attention Noun 1. paying attention - paying particular notice (as to children or helpless people); "his attentiveness to her wishes"; "he spends without heed to the consequences" attentiveness, heed, regard to security management and operations was just as important as getting the technical aspects right," he says. "Whenever we talked about the non-technical risk management issues like policy, procedure, personnel, and physical security, nearly all of the security managers would glaze over glaze over Verb to become dull through boredom or inattention: the listener's eyes glaze over Verb 1. until we returned to the bits, bytes, and firewall conversation." With the possibility of corporate information assets being lost to privacy breaches or unintentional employee errors, however, companies and cyber insurance providers are starting to give the human element more focus when implementing protective information security initiatives. As Davis notes, "The world of digital risk management is first and foremost about managing people." Protecting the Bottom lane Vital information assets, including content, knowledge, and business intelligence, are closely tied to an organization's financial health, and cyber insurance providers are emphasizing this fact in their consultations with customers. They say organizations often fail to realize that exposure to cyber liabilities affects the bottom line, as well as relationships with customers, vendors, and partners. An example Greisiger gives is a hacking incident that results in customer information being stolen; what would likely turn the company's attention toward improving its cyber security posture is a class-action lawsuit brought by the customers against the company that failed to protect their privacy. Without security measures Noun 1. security measures - measures taken as a precaution against theft or espionage or sabotage etc.; "military security has been stepped up since the recent uprising" security in place for their cyber systems, organizations--and the customers and vendors they do business with--are at risk. In the article "Countering Cyber War," Pittsburgh-based Computer Emergency Response Team (CERT) Analysis Center experts Timothy Shimeall, Phil Williams Professor Philip James Stradling Williams (January 11, 1939 – June 10,2003) was a Welsh politician for Plaid Cymru and scientist. Background Williams was born in Tredegar in the industrial valleys of south Wales and grew up in Bargoed, another industrial town. , and Casey Dunlevy paint an even harsher reality of cyber vulnerabilities. "Advanced, post-industrial societies "Post-industrial" redirects here. For the grouping of music genres, see post-industrial (music). A post-industrial society is a society in which an economic transition has occurred from a manufacturing based economy to a service based economy, a diffusion of national and and economies are critically dependent on linked computer information and communication systems," they write. "Sophistication so·phis·ti·cate v. so·phis·ti·cat·ed, so·phis·ti·cat·ing, so·phis·ti·cates v.tr. 1. To cause to become less natural, especially to make less naive and more worldly. 2. has itself become a form of vulnerability for enemies to exploit." In addition to financial consequences, organizations that do not adequately protect their information assets from cyber hazards face risks to their reputations. In the event that an organization's reputation is harmed by a cyber attack, the insured's cyber insurance policy would reimburse public relations public relations, activities and policies used to create public interest in a person, idea, product, institution, or business establishment. By its nature, public relations is devoted to serving particular interests by presenting them to the public in the most expenses. "As they say in business, reputation is hard to win but easy to lose," Sacia says. "Our economic growth or stagnation Stagnation A period of little or no growth in the economy. Economic growth of less than 2-3% is considered stagnation. Sometimes used to describe low trading volume or inactive trading in securities. Notes: A good example of stagnation was the U.S. economy in the 1970s. is dependent on confidence that transactions will not be repudiated, and productivity gains are clearly based on efficiencies arising from the Internet and technology to a great part." Information Security: A Collaborative Effort ISO 17799 suggests developing a "cross-functional forum of management representatives from relevant parts of the organization" as a precursor to effectively implementing a company-wide information security management program. While not specifically stated in the standard, those with vested interests vested interest n. 1. Law A right or title, as to present or future possession of an estate, that can be conveyed to another. 2. A fixed right granted to an employee under a pension plan. 3. in information security, including information technology, risk management, and information management professionals, could participate. The forum would map out specific responsibilities, methodologies, and processes for company-wide information security, support a security awareness Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization. program within the organization, and review information security occurrences. An effective information security program, Sacia says, would combine "physical security, employee training and procedures, and technology in the form of firewalls, intrusion detection See IDS and IPS. , virus protection, and legal review to eliminate Internet provider Internet provider - Internet Service Provider (IP) infringement and content litigation An action brought in court to enforce a particular right. The act or process of bringing a lawsuit in and of itself; a judicial contest; any dispute. When a person begins a civil lawsuit, the person enters into a process called litigation. , plus contingency planning coupled with a comprehensive cyber insurance product." An Opportunity for Information Managers Because information management professionals work with their companies' information retention programs, they have an opportunity to collaborate with IT and risk managers in assessing what information needs protection. Greisiger describes a typical collaboration scenario within a company, based on his work in security consulting. "My firm would meet individually with one to six people in the client company, including the CIO CIO: see American Federation of Labor and Congress of Industrial Organizations. (Chief Information Officer) The executive officer in charge of information processing in an organization. , IT manager, information manager, privacy officer, and legal counsel. It would be like a 'network blood test,' a sampling approach of the key areas that are not only important to the company but also to the underwriter. "By taking a panoramic sampling approach," Greisiger continues, "we would focus on a '90-10 rule': make sure you can mitigate the risk by 90 percent and that the company implements, at least, a baseline standard of care." Companies that involve information managers in this process are better able to inform security consultants or underwriters about information practices. Information managers also can assist in developing the corporation's written policies necessary to protect information assets. These include a records retention policy, e-mail usage policy, and general security/privacy policies, according to Greisiger. ISO 17799 explicitly outlines what measures a company should take with its information assets in a security program and recognizes that such measures require an information management background. "It is important that an appropriate set of procedures are defined for information labeling and handling in accordance with the classification scheme adopted by the organization" ISO 17799 reads. "These procedures need to cover information assets in physical and electronic formats." Among the procedures to define, the standard notes, are * information copying practices * storage * transmission by post, fax, and electronic mail * transmission by spoken word, including mobile phone, voicemail, and answering machines * information destruction Finally, ISO 17799 recommends that an organization be able to identify the value and importance of its information assets through an inventory. Lamprecht sees opportunities for information managers to help conduct "a comprehensive inventory of physical assets before the company seeks insurance," he says. "First of all, find out what are we going to insure here? What are we trying to protect? If the network is down, how much will the company suffer per hour? Per day?" Collaborating with Other Organizations When creating a security plan, ISO 17799 strongly suggests that companies seek the guidance of appropriate outside agencies and organizations. These contacts include law enforcement agencies A law enforcement agency (LEA) is a term used to describe any agency which enforces the law. This may be a local or state police, federal agencies such as the Federal Bureau of Investigation (FBI) or the Drug Enforcement Administration (DEA). , regulatory bodies, information service providers, and telecommunications operators to "ensure that appropriate action can be quickly taken, and advice obtained, in the event of a security incident." Hiring a Security Consultant Consulting firms Noun 1. consulting firm - a firm of experts providing professional advice to an organization for a fee consulting company business firm, firm, house - the members of a business organization that owns or operates one or more establishments; "he worked for a that specialize in security and risk management often are brought in to assess a company's practices before cyber insurance is provided. Security consultants may be hired by the client company and, in an increasing number of cases, by the insurer, Greisiger says. "Having security consulting streamlines the [insurer's] loss- control assessment process and can actually test or confirm whether, for instance, the [client] company really has the firewall and hardened servers it says it has." Insurers that use security consultants gain greater insight into the client's compliance with cyber insurance requirements. An added benefit is that consultants can do their assessments at a cost that is "borne by the underwriters," Sacia says. Pricing Cyber Insurance Budgeting for information security initiatives requires researching the costs of cyber insurance plans. According to Greisiger, based on the coverage type and policy limits sought by the client company, annual premiums range from $10,000-$50,000 on a $1 million policy coverage limit, (depending on a variety of factors associated with e-risk exposures facing a particular business model and their networks), to $200,000-$500,000 annually on coverage limits of $10 million. "Often, the insured has a dollar deductible or a self-insured retention that must be eroded before coverage is triggered," Greisiger notes. "Example deductible ranges would be $20,000$200,000 and up into the millions. For business interruption coverage, the 'deductible' might be an hourly waiting period, such as the first 12 hours of a network outage A network outage is an interruption in availability of a system due to the communication failure of the network. Network outages cost money directly to the organisation (for example Banks, Airlines, Online Transaction companies); or cost money indirectly to customers ISP, ." Cyber Insurance at Work Although reviewing cyber insurance options and deciding on a coverage plan can be a lengthy process, these efforts are minor compared to the work that takes place once an organization submits a cyber loss claim. Only then can the organization clearly see the benefits of this type of insurance. In his article "Investigating Cyber Claims" for Claims magazine, Greisiger wrote that the cyber insurer will ask the organization many questions to investigate the facts of the cyber liability incident, including: * Was there really an occurrence (as defined in the insurance policy)? * Did the hacker event really cause damage? * When did this event occur (date, time, place, machine, file)? * What was the hourly duration of the server outage out·age n. 1. A quantity or portion of something lacking after delivery or storage. 2. A temporary suspension of operation, especially of electric power. ? * Who is the culprit and where did the attack originate? * What loss prevention or compliance process failed? * Which network security feature was defeated? Then the investigation gets more involved. The company's computer hardware, software, and e-mails are analyzed. To prove or disprove disprove, v to refute or to prove false by affirmative evidence to the contrary. an allegation, the insurer uses legal procedures to obtain this vital evidence, Greisiger wrote. "Part of the investigation is an audit function possibly involving forensic analysis, backward tracing, attack route hypothesis, and possibly attack re-creation." Future Opportunities and Challenges While cyber insurance providers are betting this type of coverage will gain greater acceptance and exposure in the next five years, they are realistic about the current challenges facing the insurance industry and the economy in general. "Overall, the insurance industry is in a difficult financial situation due to the largest-ever September 11 WTC WTC World Trade Center, see there claims, hard hits in the stock market, and the dramatic decrease in investment income," Davis says. "This relative financial hardship has led to a hardening of the insurance market where each risk/reward decision comes under severe scrutiny like nothing our generation has ever seen. Under the dark clouds of war and continued global uncertainty, times are tough for the insurance industry and conservation of precious capital is the key to survival." Others view cyber insurance as an evolving industry that can significantly benefit companies in their continued quest to conduct global business transactions. Says O'Neill, "I think the industry is going to experience some good growth [just as] the issue of electronic commerce is going to continue to grow." Greisiger goes even further by suggesting that company utilization of cyber insurance could be "standard fare in a couple of years." He predicts that brokers will take more of an active role in a company's pre-assessment for cyber insurance and will strive to become more educated about general cyber security protection. In the same respect, organizations will likely work more at collaborating internally on cyber security initiatives. "We're seeing a trend now, particularly in Fortune 100 companies, that a risk manager will be placed in a technology department," Lamprecht says. "We found that, to begin with, risk management departments didn't really communicate with technology departments. Now they are starting to come together ... and, from my personal experience, Fortune 500 companies are far more likely to have an active dialogue." As for future cyber insurance policies, Sacia predicts a greater demand for business interruption coverage and a need for expense coverage with huge limits. Convincing more organizations to justify the cost of cyber insurance because it is a valuable asset, however, is the current challenge. "We need to encourage companies to fund this cost, prearrange pre·ar·range tr.v. pre·ar·ranged, pre·ar·rang·ing, pre·ar·rang·es To arrange in advance. pre for those professional services (job) professional services - A department of a supplier providing consultancy and programming manpower for the supplier's products. , and mitigate further damage, plus pay for the cost of investigation, so that the root cause or source of the security breach or malicious code can be found," Sacia says. "By providing the funds to pay for this contingency, having those resources arranged for before they are needed is simply good business, and good for cyberspace." At the Core This article * examines cyber insurance, its costs, and its benefits * explains how organizations can use ISO 17799 to meet cyber insurance coverage requirements * explains why organizations must protect their information assets from cyber hazards Tying in Records Management Soon, records management practices will also be part of the risk assessment conducted by insurers writing cyber insurance. ARMA International is working with Net Diligence to incorporate elements of ISO 15489, the international standard on records management, into the risk assessment tool used by Net Diligence. This is a major step toward acknowledging the importance of a quality records management program in protecting companies' information assets. References British Standards British Standards are the national standards of the UK. The standards body which produces them is BSI British Standards, a division of BSI Group. It is incorporated under a Royal Charter and is formally designated as the National Standards Body (NSB) for the UK. Institution. BS ISO/IEC ISO/IEC International Organization for Standardization/International Electrotechnical Commission (ITU-T M 3000) 17799:2000 Information Technology. Code of Practice for Information Security Management. London: British Standards Publishing LTD LTD 1 Laron-type dwarfism 2 Leukotriene D 3 Long-term depression, see there 4. Long-term disability , 2000. Available at www.bsi-global.com/index.xalter# (accessed 6 March 2003). Computer Security Institute. "Cyber Crime Bleeds U.S. Corporations, Survey Shows." Available at www.gocsi.com/press/20020407.html (accessed 6 March 2003). Davis, Rick. "Risk Management in the Digital Age." The CEO Refresher. Etobicoke, Ontario Etobicoke (pronounced IPA: /əˈtoʊbɨkoʊ/ listen , Canada:Refresher Publications, 2001. Available at www.refresher.com/!digitalage.html (accessed 6 March 2003). Friedman, Ted. "How Secure Is Your Business Intelligence Environment?" Gartner Research. 28 August 2002. Available at www4.gartner.com/DisplayDocument?id=367264&ref=g_search (accessed 6 March 2003). Greisiger, Mark. "Investigating Cyber Crimes." Claims. September 2002. Available at www.claimsmag.com/Issues/SeptO2/investigating.asp (accessed 6 March 2003). --. "Cyber Risk & Internet Liability." NetDiligence, 2002. Available at www.netdiligence.com (accessed 6 March 2003). Power, Richard. "what's the Role of Insurance in Cyber Security?" Computer Security ALERT. December 2001. Available at www.gocsi.com/pdfs/alert1201a.pdf (accessed 6 March 2003). Shimeall, Timothy, Phil Williams, and Casey Dunlevy. "Countering Cyber War." NATO NATO: see North Atlantic Treaty Organization. NATO in full North Atlantic Treaty Organization International military alliance created to defend western Europe against a possible Soviet invasion. Review. Winter 2001/2002. Available at http://www.cert.org/archive/pdf/counter_cyberwar Refers to hostile attacks and illegal invasions of computer systems and networks. See information warfare. .pdf (accessed 6 March 2003). U.S. Department of Homeland Security Noun 1. Department of Homeland Security - the federal department that administers all matters relating to homeland security Homeland Security executive department - a federal department in the executive branch of the government of the United States . "The National Strategy to Secure Cyberspace." February 2003. Available at www.whitehouse.gov/pcipb/cyberspace_strategy.pdf (accessed 6 March 2003). Shanna Groves is a former associate editor of The Information Management Journal and a freelance writer based in Kansas. She may be contacted at sgrovesuss@msn.com. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion