Cyber insurance should remain a last line of defence and cannot replace proper security of an organisation’s digital assets, according to a panel of experts.
The panel spoke at the International Exhibition of National Security and Resilience (ISNR) 2018 in Abu Dhabi, UAE, on Thursday. The discussion focused on best practices for organisations in anticipating, preparing for, and responding to a cyber breach incident, reported Tahawul Tech.
Eddie Schwartz, executive vice president of cyber services at cybersecurity firm Dark Matter, said that while he cannot disclose specific incidents due to confidentiality matters, he observed that breaches were happening on a “weekly basis” in the Gulf Cooperation Council (GCC) region, with both private and public entities being targeted.
“The perpetrators of such attacks range from organised criminal groups, to just some guys that will throw in some ransomware they’ve happened to get hold of,” Schwartz said.
Experts noted that many organisations make the mistake of assuming that having cyber insurance alone is sufficient to protect them from cyber risks.
Simon Bell, vice president at Marsh Middle East, said that while it is encouraging to see a wider range of organisations showing interest in cyber insurance, more needs to be done.
“When cyber insurance first came to the market, purchases initially came from financial institutions who were concerned about their data vulnerability,” he said. “However, what we’re seeing now is telcos and organisations in oil and gas moving into this space, and looking at their core business systems that could see severe financial loss by cyber breaches.”
However, Schwartz said that while cyber insurance covers the financial costs of cyber breach events, the fact remains that the business is still vulnerable.
“Incident response investigations could take anywhere from five minutes to five weeks – if not more,” he said. “Depending on the vastness of a business’s infrastructure, this could cost up to a million dollars, therefore having a policy in place is obviously very useful. But having this cost covered should not act as a replacement for investing in high-end security in the first place, and this is crucial for organisations in the region to remember.”