Category Archives: safety

Cyber Insurance – the New Black?

Cyber Insurance, the New Black?

by Sara Goldberger

Cyber attacks and cyber insurance, it’s on everybody’s lips and on the surface it seems relatively simple – a breach, there are victims, data is lost, and the insurance company pays up. It doesn’t seem that different from other insurances. With all of the reports of breaches over the past few years, some very alarming in terms of their scale, everyone wants cyber insurance coverage and believes this will protect them.

But there are many misconceptions about cyber insurance. For example, a UK Government survey last year showed that 52% of CEOs believe that they have coverage, yet less than 10% actually do. So what exactly is “cyber insurance,” what does it cover, and how does it cover cross-border crime?

Cyber-insurance protects businesses and individuals from Internet-based risks. Many insurers say that risks of this nature are typically excluded from traditional commercial, general liability policies. Coverage provided by cyber insurance policies may include:

  • First-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks;
  • Liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation;
  • Other benefits including regular security-audit, post-incident public relations and investigative expenses, and criminal reward funds.

There are several considerations to keep in mind when buying cyber insurance. Costs vary widely, but to purchase a $1M policy typically costs $5K to $25K per year for a medium-sized company. However, cyber policies might not pay out if your claim is delayed. Which raises the question: what happens if your organization suffers a breach during the coverage period but do not become aware for some time? An insurer may also not cover your claim based upon employee negligence or if your organisation failed to adhere to minimum required security practices specified in the policy.

And what happens if you suffer a cyber attack? Interestingly, 81% of US companies that have bought cyber insurance have never filed a claim. The median-sized claim is $76,984, though there are a few that are much bigger. It is those outliers that push the mean average claim up to $673,767. And what expenses does the claim cover? More than half of the claims that insurers pay out on cyber policies include the expense of legal and forensic specialists. Over 40% of claims recover the cost of notification to affected individuals and the cost of providing credit monitoring services.

In the Global Economic Crime Survey 2016 Report, cybercrime climbs to the second most reported economic crime affecting 32% of organisations, while at the same time close to 60% of the surveyed organisations do not even have a cyber incident response plan in place. Many companies also report feeling a lack of support and a notion of “not knowing what to do when an attack happens.” Organisations such as IT and auditing consultancies offer some help and support, but they rarely have a corporate-wide view. That’s an area where two recently formed organisations – Cyber Rescue Alliance and the Global Cyber Alliance can make a difference.

Cyber Rescue Alliance; is a Pan-European organisation aimed at helping the approximately 12,000 European SMEs that hold sensitive data on over 5,000 individuals. The organisation delivers a Comprehensive Business Response solution that includes instant, practical crisis management guidance and tiered response capability from pre-vetted organisations. In other words, the solution offers coordinated, tangible and practical business assistance across the full spectrum of challenges that follow a breach. In the event of an attack, Cyber Rescue Alliance will provide practical help and assistance to the many smaller businesses that can’t invest in a full-time CISO or PR Consultant with those services in order to mitigate the impact of a cyber-attack. In other words, it is the across-corporate, one-stop approach that makes Cyber Rescue Alliance unique.

Global Cyber Alliance (GCA) is unique as it partners across borders and sectors. Based on the organisation’s mantra “Do Something. Measure It.” GCA’s first effort is to tackle phishing, which is often the source of a breach. GCA is partnering with several organisations to implement two solutions:  to drive the deployment of DMARC and use of secure DNS services, and then to measure the effect — so that we all may accelerate eradication of phishing as a systemic cyber risk.

While addressing, and responding to, the needs of different sized organisations, Cyber Rescue Alliance and GCA are working together, thus ensuring that perhaps one of the biggest business problems of our time – cyber-attacks – are given the attention and solutions it needs. Only through this cooperation can we ensure that companies are implementing the best security practices available in order that cyber insurance policies will indeed insure them against these risks.

The author, Sara Goldberger, is the Head of Communications Global Operations and IT at Zurich Insurance Group and Board Member of GCA partner, Cyber Rescue Alliance. You can follow her on Twitter @saragoldberger.

Editor’s Note: The views expressed by the author are not necessarily those of the Global Cyber Alliance. 

Initially published on –


To geo-tag or not to geo-tag

In an interview Michalis Mavis voices concern about identity management on-line and it certainly is an issue that hasn’t been discussed enough. Personally I find it scary, but also realise that if I as a PR and communications practitioner wants to be found there is a certain need for me to give out information on myself. But I wonder: is it necessary to “check in” every time I stop at a street corner? Do I have to be found every second of the day? Must I allow my smart phone to let anyone with the necessary technical competence find where I am with a few simple clicks?

One simple step that we often tend to not think about is based on old fashion common sense. Of primary concern is protecting your personally identifying information. Use your judgement about what you post about yourself on Internet sites. When any site requests information about you, ask these questions:

  •  Who is asking?
  •  What information are they asking for?
  • Why do they need it?

Think about the amount and detail of information being requested. Does it correspond to what you think is needed to make a purchase, register for a new service, or conduct other business? Be sure you know why the information is being requested and how it will be used.

Other simple ways to keep your privacy is to Clam Up ‑ If a site requires registration, fill in only the required fields. Look closely for at any check boxes relating to sharing your information — depending on how they’re worded, you’ll need to check or un-check the box to deny sharing permission. If the registration isn’t part of an important ongoing business relationship, consider filling the required fields with, shall we say, truth-challenged data. Or get ready-made registration information from BugMeNot.

To be sure that you are surfing anonymously and really protect your on-line information the use of a solution like Relakks could help.

When it comes to location-based services, you need to think about the layers of information you leave on-line. As you use more on-line services, it becomes easier for people to connect the dots on your activities, which could lead to harm. Be aware of the location privacy settings on your phone, social networking sites, and the applications you use. For many people, social networking sites link everything together. Limit who you add to your social network location services, and choose not to make your location data publicly available or searchable. Only trusted friends should know your location.

There are a number of ideas to limit your exposure e.g. don’t “check in” on location-based social networking sites from home, or a friend’s house, or anywhere you might put others at risk. Don’t geo-tag photos of your house or your children. Make sure you don’t include GPS coordinates in your tweets, blogs or social networking accounts. In fact, think about disabling geo-tagging until you specifically need it. If you have contacts you don’t fully know or trust, it’s time to do a purge.

From a technical point of view – read developers – a few pointers: applications must not override or circumvent a user’s choice to disable location services on the mobile device. The application should also provide settings that allow the user to enable and disable applications access to and use of location. If the application publishes or makes available location data obtained from any other service or person, (including ad networks), application must enable a method to obtain opt-in consent. Applications must request location and retain and use location data only as necessary to deliver the location-aware features application provides to users. A privacy policy must be made available to users informing them about how location data is used and disclosed, and the controls users have over use and sharing of location data. Any application must adopt measures to protect against unauthorized access to, use and disclosure of location data.

As very often much of our interactions with others boil down to our own common sense e.g. I only accept friend requests on Facebook from people I know IRL, anyone wanting to connect with me on LinkedIn have to have a complete profile – or at least a photo for me to accept them. After all, with LinkedIn I don’t only connect with a new business contact – that person also gets access to my 500+ contacts and I feel have a responsibility towards them as well.

These self-imposed constraints might in some areas work against me. But then again it provides me with a high sense of trust and security and then it can’t all be wrong. Can it?

Article first published as To geo-tag, or not to geo-tag on Technorati.

Strictly business…??? Is your e-brand you or a professional version of you?

I was going through a friend’s book shelves – yes, there are still those of us that have books – and found the book “Never eat alone by Keith Ferrazzi.” On another note, I often find that many of these books are really talking about the Golden Rule, a more political correct term might be reciprocity: “Do unto others as you would have them do unto you.” Or as my great grandmother put it “a closed hand will not receive either.”

But I’m not going to go all philosophical, my issue lies elsewhere. Ferrazzi is talking about how to build long-lasting relationships and that those often start with you helping first. This is so obvious that one need to read; or hear it repetitious or it is forgotten. I have personally no issue with reaching out or to be reached out to, on the contrary I’m happy to help, and no I don’t keep score. And yes, I seriously believe that it is these interactions that make our world go around. In particular in a time when social media seems to transform us from simple PR:s to influencers of various ranges.

However; I have a feeling that it is never me “friend Sara” whom reach out (or very rarely) but the “professional Sara” in my role as PR/AR. Me “personal Sara” I don’t want to bother. As my ex-boyfriends can witness I’m a very private person, I don’t consider myself very interesting – but as a professional I have quite a lot to offer. And I dig in until projects are done or issues ironed out. This might be a question for a psychologist and whom might conclude that I need to work on my self-esteem, but I honestly don’t think I’m that unique. I mean who’d be interested in what I ate to dinner? Not even my most fervent fan, Mother, would consider that piece of news riveting.

Ferrazzi mentions the size of his Rolodex, a fantastic sum of 5000, people he can reach out to when in a pinch. I wish I could ask him personally how many of these that helps him personally, and how many that helps the super-CEO.

But on the other hand, does it matter? Am I putting too much emphasis on differentiating between “personal and private” and “public and official”? Today, when our digital footprint is an inherent part of our e-reputation or personal brand what is private and personal and what is not? Should we differentiate?

International Terrorist Alerts

I haven’t written this myself I readily admit – but it is still very funny…

  • The English are feeling the pinch in relation to recent terrorist threats and have raised their security level from ”Miffed” to ”Peeved.” Soon, though security levels may be raised yet again to ”Irritated” or even ”A Bit Cross” The English have not been ”A Bit Cross” since the blitz in 1940 when tea supplies all but ran out. Terrorists have been re-categorized from ”Tiresome” to a ”Bloody Nuisance.” The last time the British issued a ”Bloody Nuisance” warning level was during the great fire of 1666.
  • The Scots raised their threat level from ”Pissed Off” to ”Let’s get the Bastards”. They don’t have any other levels. This is the reason they have been used on the frontline in the British army for the last 300 years.
  • The Welsh are presently at the alert level of ”someone is out of key”.  Should things get more serious they’ll issue an injunction to bring back Aled Jones.  The highest level is a ”choral muster of Men of Harlech”.
  • The Irish remain at the long standing security level ”Provisional”.  The next step is to cordon off the Guinness brewery with armed Garda.  Assuming the Guinness holds out, the highest level is ”whoever you are you’re asking for a fight – begorrah”.
  • The French government announced yesterday that it has raised its terror alert level from ”Run” to ”Hide”. The only two higher levels in France are Collaborate” and ”Surrender.” The rise was precipitated by a recent fire that destroyed France’s white flag factory, effectively paralysing the country’s military capability. It’s not only the French who are on a heightened level of alert.
  • Italy has increased the alert level from ”Shout loudly and excitedly” to ”Elaborate Military Posturing.” Two more levels remain: ”Ineffective Combat Operations” and ”Change Sides.”
  • The Germans also increased their alert state from ”Disdainful Arrogance” to  ” Dress in Uniform and Sing Marching Songs.” They also have two higher levels: ”Invade a Neighbour” and ”Lose”.
  • Belgians, on the other hand, are all on holiday as usual, and the only threat they are worried about is NATO pulling out of Brussels.
  • The Spanish are all excited to see their new submarines ready to deploy. These beautifully designed subs have glass bottoms so the new Spanish navy can get a really good look at the old Spanish navy.
  • Americans meanwhile are carrying out pre-emptive strikes, on all of their allies, just in case.
  • The Canadians have been unable to define their threat levels for lack of agreement over the translations from English to French.  However, having already won two World Wars despite hindrance from their allies, they are not unduly concerned, and if necessary will bail out the Americans, British and French again regardless of sentiment in Quebec.
  • New Zealand has also raised its security levels – from ”baaa” to ”BAAAA!” Due to continuing defence cutbacks (the air force being a squadron of spotty teenagers flying paper aeroplanes and the navy some toy boats in the Prime Minister’s bath), New Zealand only has one more level of escalation, which is ”Shit, I hope Australia will come and rescue us”.
  • Australia, meanwhile, has raised its security level from ”No worries” to “She’ll be right, mate”. Three more escalation levels remain, ”Crikey!’, ”I think we’ll need to cancel the barbie this weekend” and ”The barbie is cancelled”. So far no situation has ever warranted use of the final escalation level.