Zurich creates system to calculate losses and mitigate risks from hacker attacks
From this point it is also possible to define the appetite for retaining the risk internally and the appetite for transferring the risk to an insurance policy
The demand for insurance against cyber risks continues to grow after the Brazilian General Data Protection Law (LGPD) came into force on 18 September. But how is the risk calculated? What if the database used by the company was purchased from a third party? Does the insurance cover all risks? What changes with the new rules of the Superintendency of Private Insurance (SUSEP)? “Yes, Zurich Brasil Seguros is fully adapted to the determinations of the regulatory body”, says Fernando Saccon, superintendent of Financial Lines and Guarantee Insurance at Zurich in Brazil. Read how insurance can help companies mitigate the risk of cyber attacks in the interview the executive gave to the blog Sonho Seguro.
The losses from hacker attacks are incalculable. How can they be insured without predictability? Or how can predictability be achieved?
Insurance is one of the items of cyber risk management; a successful management strategy involves knowing the risks that one has internally. Companies can use security risk analysis methodologies, such as NIST or ISO 27001, for example, or even a business impact analysis, in which each organizational risk is assessed as to the likelihood of it occurring and the impact it could cause the company. But mapping all of this information is not always an easy task. With this in mind, Zurich, through its engineers specialized in Cyber Risks, performs a risk assessment with companies, helping them to identify those risks and proposing better management practices.
Zurich’s insurance, “Zurich Digital Protection”, also has a very effective tool for this. It is an application, the Zurich Risk Advisor (ZRA), which allows risk assessments to be carried out remotely, in real time and anywhere in the world. Recently, the ZRA app was expanded with the addition of the Self Risk Assessment module, totally focused on cyber risks, which makes it even more efficient for this type of assessment.
The app enables a quick, simple and comprehensive assessment to identify risks to physical and software assets, as well as protection controls around organizational resources, cybersecurity detection systems, response planning, and data recovery processes and procedures.
How can the client know which part of the risk it can transfer to insurance and which part it will have to retain?
Knowing your own risk and using respected tools and methodologies, it becomes easier to strategically address each vulnerability and mitigate each risk. From this point it is also possible to define the appetite for retaining the risk internally and the appetite for transferring the risk to an insurance policy. Thus, it is important to know the solutions and coverages available in the insurance market for cyber risk.
To do this, it is necessary to evaluate on which fronts cyber risk insurance operates. There are two fronts on which Zurich's insurance operates:
The first front is about issues of civil liability towards the affected people, whether customers or employees of companies, or institutions that represent them due to the improper leakage of their personal data. In this case, the insurance allows the payment of the costs of civil, collective or individual actions, including lawyers, for the defense of the institution and financial losses caused to the affected people, including moral damages. The second front is for the payment of costs and expenses to help the company deal with the crisis caused by the data leak. In this case, there is a need to hire specialists to determine the extent of the damage, whether in accounting, technical or even image aspects. The objective here is to reduce the negative effects on the company’s reputation.
Within Circular 621, will cyber be included in another coverage, such as fire?
Cyber risk insurance is a specific and segregated product; a data protection insurance that is designed to cover privacy, security and data dependency. This means that all coverages operate within this environment; they do not, therefore, cover material goods related to property.
How to separate the indemnity amounts for each coverage within a single policy so that it is clear to the customer?
Today, cyber policies already respond with their indemnities, respecting each coverage and its respective maximum indemnity limit or sublimit. Thus, there are basic coverages (for example, in the event of a data leak where the customer sues the company for it, the insurance will act on that front), as well as additional coverages. These are contracted by the customer according to their specific needs.
Virtually all companies buy data from other companies. If there is a leak, will the insurance provide cover if the data was purchased from a third party? If not, is this clear in the policy?
Here it is important to remember that the General Personal Data Protection Act (LGPD) imposes duties on companies that collect personal data, both with regard to the purpose of the collection, use and sharing of this data and with regard to its protection. With this, companies should look for tools to manage this issue in an appropriate and efficient manner, seeking knowledge and protections in accordance with the legislation and with each business model.
A successful data security and privacy strategy involves creating awareness of risks within the institution and ensuring that senior management is engaged so that the entire strategy is put into practice. A company can educate its employees and have the best firewalls and intrusion detection software, but at the end of the day there may still be an incident that affects its network and causes a data breach. In the event of an incident, it is necessary that the company can quickly mitigate the damage caused to itself and to the people who have had their data exposed.
In this sense, the insurance policy includes coverage for payment of costs and expenses to help the company deal with the crisis caused by this data leak and fulfill its responsibilities to the affected individuals. In such cases, there is a need to hire technicians to determine the extent of the damage, and specialists to mitigate exposures and to assist the company in fulfilling its duty of transparency and notification with respect to individuals. The objective here is to reduce the negative effects of the leak.