A recent study by global email security firm Mimecast indicates that about 45% of cyber policy holders are uncertain as to how up to date their policies are, but with threats changing daily it is hard to imagine how any policy is completely up to date at any given time.
In fact, in commentary released with the study, Mimecast said that “with the rapidly evolving threat landscape, many cyber insurance policies are out of date the minute they’re signed.”
Steve Malone, director of security product management for Mimecast, said it is common for companies to not know all the details about their coverage, even with traditional policies, “but the thing that is dangerous about cyber insurance is that it is trying to provide coverage against a very fast moving target. Traditional insurance provides coverage of known situations, scenarios and risks, a car crash for instance.
“But cyber provides coverage of evolving risk, with threats that change and evolve daily. How can a policy taken out today provide coverage in six months or even tomorrow?” he asks.
Malone said Mimecast provides organizations with email security through cloud-based services designed to help organizations secure their emails from data loss (accidental or intentional) and from inbound attacks, spam, viruses and more advanced attacks. He said a recent study by Verizon found that 95% of corporate security breaches were through email. “Email is absolutely the frontline for security,” he said.
Mimecast has about 600 employees and 18,000 clients in more than 100 countries.
He said most cyber policies spell out steps that companies need to take in order for the policy to be in force. “When you read policy terms and what they are covering and what they require you to do, many of them are very dated. They require you to install antivirus software, but that is almost a 1980s approach to security.”
He said companies and their insurance agents need to be really clear when selecting a policy. “People need to ask what exactly are you covering me for? How will the coverage evolve in response to the changing threat landscape? Ask the insurance companies whether you will be covered for W2s or business plans that are stolen through social engineering.”
“My concern is that policies are very static. Insurance is a very traditional product and it covers only what it says it covers, but the things that need to be covered change on a daily basis,” he said.
With social engineering, Malone said having good technical security is not enough; organizations need to teach employees what to look for, and to be suspicious anytime another employee asks for data that could compromise the company if it got into the wrong hands. They need to call the person or otherwise confirm that the request is legitimate.
“You have to make your people part of the solution,” he said.