
1.3.05 Cyber Insurance:
1. Internet, Cloud and Cyber Insurance exists to mitigate the unexpected financial burden that may be created by a data breach or cyber attack.   The 1st, 2nd and 3rd lines of defence are to ensure that a data breach cannot happen; any cyber insurance is then a required investment that helps insurance companies to help others who are less fortunate.
2. As a precursor to any cyber insurance agreement, due diligence is undertaken to prove that cyber insurance is not needed.   When any risk is identified that needs to be insured, then ten times that price is invested to circumvent the risk.

2. Risk Management:
1. Investigation: the cost of contracting cyber forensic consultants to analyse log files to determine the scope of a data breach is considerable and avoidable.   Tools are used on a daily basis to continually monitor and stop any data breach the instant such an attack begins, so forensic historical analysis is not needed.   Continual monitoring using artificial intelligence will detect and stop any criminal activity before any data can be accessed.   While a company like Tesco discovered on Monday that it had been under attack since Friday, and Yahoo discovered only many months later that criminals had stolen millions of personal records, a more effective solution is continual monitoring to stop criminal behaviour the instant it happens.
2. Remediation: the cost of contracting security consultants to put in place the security controls that were missing to permit a cyber crime to happen is very expensive and it is better to make the same investment in advance.   The whole remedial cost is avoidable by simply putting in place excessive security controls in the first place.   The threat is that the existence of the business is at risk if a data breach was permitted to happen - the cost of preventing any security breach is a mandatory part of staying in business.
3. Regulatory Penalties: may be up to four percent of the business turnover, but compensation to people impacted by a data breach may be ten times that amount.   The risk to the survival of the business is too great to permit a data breach to happen, so every possible control must be put in place to ensure that no matter what criminals do, a data breach cannot happen.   This is not optional; it is a basic business survival strategy.
4. Due diligence: is a long and difficult negotiation where the business must prove to the insurer that nothing is at risk and the insurer must accumulate all risks to identify the insured liabilities.   The amount of documentation and time that needs to be spent on due diligence is better spent putting in place more security and privacy controls to ensure that insurance is not needed.   At the end of a long and protracted negotiation, cyber insurance is purchased in the certain knowledge of both parties that no claim will ever be made - it's just business.
5. Professional Negligence: is a risk that is hard to mitigate because people do business with people and people will make mistakes.   People in our business have earned the right to make mistakes - if they never make a mistake they are not trying hard enough.   Procedures must be able to mitigate any mistake and ensure that no one person has absolute control over any critical resource.   Fall-back, Back-Up, Recovery and Restart procedures ensure that when one person makes their mistake, others follow up and ensure business continuity.   By running your application service in more than ten data centers in parallel, it is hard to imagine how any one failure could impact any application service from an end user point of view.

3. Encrypted Replicated Data:
1. The single most important reason that cyber insurance serves no purpose is because your application service is running in parallel in more than ten remote data centers.   In the event that any one data center fails or is attacked, other data centers continue to provide application services to end users as if the attack or failure had not happened.   Encrypted data is replicated to a swarm of remote databases and the possibility of all databases failing at the same time is beyond calculation.
2. The second reason is excessive levels of encryption are used to make all data meaningless, unreadable and worthless to a criminal.   A data breach is not possible when all data is unreadable and has a very large number of encryption keys so a criminal would never decrypt any valuable data.   While any one encryption method will be cracked, the use of many thousands of different encryption methods is still beyond the most powerful computers in the world to decrypt, even if they could guess what methods had been used.
3. Criminal attacks have great success stealing unprotected backup (email) data - replicated data does not have any backup data sets to be copied.   Criminal attacks have great success with vulnerable software from Adobe and Microsoft - application services are knowledge bases and do not have any such software to attack.   Criminal attacks have great success with phishing email and phone attacks - application services have eliminated email and telephone interfaces, so people cannot be impersonated or intimidated.

Document Control:
1. Document Title: Cyber Insurance.
2. Reference: 161305.
3. Keywords: Cyber Insurance.
4. Description: Cyber Insurance.
5. Privacy: Public education service as a benefit to humanity.
6. Issued: 11 Nov 2016.
7. Edition: 1.2.