BreachExchange mailing list archives

Who pays for cybercrime?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 2 Oct 2015 13:30:24 -0600

http://www.cio.com/article/2988588/project-manager/who-pays-for-cybercrime.html

Cybercrime is becoming such a common occurrence. Too many of us have to
hear about and become familiar with the Deep Web sooner than I ever dreamed
we would. I heard Charlie Miller and Chris Valasek – the presenters at
Black Hat who hacked a 2014 Jeep Cherokee’s onboard computer sparking a
massive vehicle recall – say that “everything is hackable.” And it is. If
you think you’re safe then you’re likely next if you have anything of
value personally or professionally.

What are the costs of cybercrime?

With all these cybercrimes that include database breaches of government
personnel identities, big box store credit card numbers and customer data,
and fingerprint databases that number in the millions, who pays? What costs
are incurred?

From a high level, the costs – at a minimum – are:

- Lost customers for the big box stores that were hit in the past 1-2 years
- Lawsuits and settlements for those customers affected by the breaches on
  these stores’ databases
- Individuals who have to fix identities and get new cards and personal
  information issued
- Corporations paying large dollars for cybercrime insurance (more on this
  below)
- Corporations paying handsomely for risk and cybercrime prevention planning
  and consulting

Cybercrime insurance – an interesting new twist

There are always opportunists out there looking to capitalize on the latest
victims and cybercrime is no exception. Cybersecurity insurance seems to be
the rage these days. Lloyd’s of London – those insurers who cover Keith
Richards’ fingers and your favorite college quarterback’s arm who decides
to stay in college one more year – are big into cybersecurity insurance.
The problem is, they are insuring the loss – insurance against data loss,
malware and service attacks, data breached and cybercrime – not helping
prevent cybercrime in any way.

Focusing on the consequences, not the causes

So, who pays? Well, consumers pay, I guess. Chubb – a leading provider of
insurance coverage – also offers insurance against cybercrime…as do most
large carriers and many smaller insurers popping up and entering the
lucrative cybercrime insurance market. Companies seeking out insurance
against cybercrimes are focusing on the consequences of cybercrime, not the
causes, by purchasing liability and errors-and-omissions insurance.

As Chubb states, “Unfortunately, many companies don’t realize that whether
they experience a data security breach isn’t as much a matter of if it will
happen as when. When a security breach happens, you’ll need comprehensive
protection from an insurer that specializes in handling cyber risks, offers
a full suite of integrated insurance solutions to help minimize gaps in
coverage, and understands how to tailor coverage to your business.” Chubb’s
insurance covers direct loss, legal liability, and consequential loss
resulting from cyber security breaches.

As the cost of cybercrime losses rises and the frequency of cybercrime
events also rises, the costs of those payouts will be passed on to
consumers of all insurance policies with companies like Chubb. It’s called
free enterprise. One such insurer - Marsh & McLennan - which offers cyber
insurance, has estimated that the market for cybercrime insurance doubled
last year to as much as $2 billion.

Is C-level representation the answer?

I personally propose a C-level cybersecurity representation now in
organizations of any notable size handling any sensitive data and
information and running any projects with sensitive data for important
clients that they want to keep long term. After all, it only takes one
breach for you to lose many customers and gain a certain reputation that
you really don’t want to have. And if you’re one of those corporations and
you haven’t been hit yet…don’t worry…you will. Given the prevalence of
digital terrorism, cyber attacks are a question of when, not if.

Summary / call for input?

What are your experiences with cybercrime? Has your organization been
affected? What risk or avoidance measures are you taking or planning to
take to guard against cybercrime? Has there been a consideration to make a
cybersecurity position a C-level representation?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
