Feb 28 2011

Does hacker insurance make your business a bigger liability?

Category: Cyber InsuranceDISC @ 11:44 am

by Davey Winder

It’s a scenario that every small online business fears: site security is compromised, hackers steal customer data including credit-card details, and your brand and your reputation are left in ruins. No wonder then, that many small online businesses are looking to insure against hackers and the resulting financial impact of a security breach. But is insurance really the answer and could it even be part of the problem?

The insurance brokers are, naturally, presenting such insurance as pure common sense. A chap who works in the insurance business used car insurance as a counter argument to my suggestion that surely the best IT security insurance policy was to remain secure in the first place.

“We all appreciate the need for car insurance” he told me. “No matter how careful a driver you may think you are. The simple fact is that you never know when a drunken idiot is going to crash into you”.

The argument being, as with all insurance policies, you are paying a premium to cover you for that worst-case scenario should it ever happen. “When it comes to online security,” Mr Insurance assured me, “the chances of the worst-case scenario becoming a reality are increasing day by day, as criminals develop ever more sophisticated methods of hacking your site. To not insure against the risk of being hacked is bad business, and that’s the bottom line”.

“Unlike driving a car, running a secure web business is pretty much about how safe you are, rather than how unsafe other people are”

To read the reamining article …..

How to manage the gaps of Cyber Insurance

Tags: hacker, Hacking, Insurance, Security, Small business

Jun 30 2010

Security glitch exposes WellPoint data again

Category: hipaa,pci dss,Security BreachDISC @ 11:53 am
WellPoint
Image via Wikipedia

By Tom Murphy

INDIANAPOLIS – WellPoint Inc. has notified 470,000 individual insurance customers that medical records, credit card numbers and other sensitive information may have been exposed in the latest security breach of the health insurer’s records.

The Indianapolis company said the problem stemmed from an online program customers can use to track the progress of their application for coverage. It was fixed in March.

Spokeswoman Cynthia Sanders said an outside vendor had upgraded the insurer’s application tracker last October and told the insurer all security measures were back in place.

But a California customer discovered that she could call up confidential information of other customers by manipulating Web addresses used in the program. Customers use a Web site and password to track their applications.

WellPoint learned about the problem when the customer filed a lawsuit about it against the company in March.

“Within 12 hours of knowing the problem existed, we fixed it,” said Sanders, who declined to identify the outside vendor.

WellPoint is the largest commercial health insurer based on membership, with nearly 34 million members. It runs Blue Cross Blue Shield plans in 14 states and Unicare plans in several others.

Sanders said the insurer notified customers in most of its states. That includes about 230,000 customers of its Anthem Blue Cross subsidiary in California.

About 356 million records of U.S. residents have been compromised or exposed due to security breaches since 2005, according to Privacy Rights Clearinghouse, a consumer advocacy group that tracks such reports.

WellPoint’s security breach doesn’t crack the top 10 in terms of number of people who may have had information exposed, said Paul Stephens, the organization’s director of policy and advocacy. Even so, he labeled the breach “very serious” because it possibly involved both financial and medical information.

“There are obviously multiple concerns there for consumers,” he said.

Two years ago, WellPoint offered free credit monitoring after it said personal information for about 128,000 customers in several states had been exposed online. In 2006, backup computer tapes containing the personal information of 200,000 of its members were stolen from a Massachusetts vendor’s office.

WellPoint’s latest breach affected only individual insurance customers and not group coverage or people who buy Medicare Advantage insurance. Sanders said the company believes a “vast majority” of the unauthorized access of customer information came from the plaintiff and her attorneys.

The insurer notified all individual insurance customers who had information in its application tracking program from October through March. It will provide a year of free credit monitoring.

WellPoint shares fell 69 cents to $50.10 in Tuesday afternoon trading, while broader trading indexes slid more than 2 percent.

Related articles and books

Tags: Anthem (insurance), Blue Cross and Blue Shield Association, Business, Insurance, Privacy Rights Clearinghouse, Security, WellPoint

Nov 26 2008

Cyber threats and overall security assessment

Category: Information Warfare,Risk AssessmentDISC @ 3:13 am

The main screen showing star names (color-code...
Image via Wikipedia

In the past when senior management (execs) needed to understand the financial implication of cyber threats and their exposures, they turned their questionnaires toward IT for relevant answers. In other words IT risk assessment was the answer in the past to understand the financial implications of cyber threats. The IT risk assessment is not the comprehensive or overall assessment of the company to understand the total implications of cyber threats. The overall assessment will not only include IT but also other departments like HR and legal etc… Basically cyber threats are neither IT issue and nor a legal or HR issue any more, it’s simply an enterprise management issue.

In old days the firewall was used as a major defense against potential cyber threats. The new cyber threats are sophisticated enough to demand better defense. New threats (virus, adware, worms, Trojan, spyware, spam, phishing) use modern techniques to bypass defenses. The potential risks of these new threats demand an immediate attention (of CFO or higher) and approval for resource allocation to protect against cyber threats. To make a solid business case for security ROI, senior level execs need to know the overall risk they are reducing, and their highest priority.

[TABLE=12]

ANSI and ISA have jointly released a document to assist senior management to prepare for financial implications for cyber threats. Basic essence of the guide is to provide a tool to execs to understand the financial implications of potential cyber threats to their organizations.

“The 40 page guide was put together by task force of risk management execs from more than two dozen organizations. The new guide offered by ANSI and the ISA recommends that CFO ask their various team’s questions about the biggest threats to data confidentiality, integrity and availability,” to get to know the existing controls in place and any relevant mitigation plan. Risk analysis of this information can help execs to map the cyber threats risks into correct financial terms and make better resource allocation.
The senior execs who want to implement information security as a process in their organization should consider ISO 27001 (ISMS) as a best practice, which provides a reasonable on-going due diligence to protect and safeguard organization data.

Reblog this post [with Zemanta]

Tags: availability, Business, Chief financial officer, cyber threats, data confidentiality, exposure, Financial services, Human resources, Insurance, integrity, isms, ISO/IEC 27001, Management, overall assessment, risk analysis, Risk Assessment, Risk management, roi, Security