COMPUTER SECURITY IS NOT A BLACK HOLE
"Can you give us a guarantee?"
The need for computer security isn't going away; in fact it is intensifying. Technology is facilitating more efficient and faster ways to commit old crimes, and the sophistication of the tools means a criminal needs fewer skills. It's relentless and complex.
It might seem that your alternatives are:
- Put all your cash in a canvas bag and deliver it to your favorite computer security firm
- Hide the small losses from your boss (or the board) and keep your resume fresh in case of the big one
What's so hard about this? Why not simply hire a security firm and implement the recommendations? Because there are so many areas of vulnerability that the cost can become almost infinite, and while we work on one particular threat, a new, more serious one will present itself. Add to that the fact that no security firm (as of now) will take responsibility for a security failure, i.e. remove the limitation of liability from its contract. There is, though, a process that works.
A LOGICAL APPROACH
The only viable method is one that involves focus. That is, security funding can't be wasted on a scattershot approach; the funds will be exhausted and multiple holes will remain. The system can be defined by two simple rules: 1) go where the insurance isn't; and 2) don't mitigate the insurer's risk.
This can be titled the "CFO Approach" or the "Risk Management Approach." Computer security risk is like other risk the firm faces. It is amenable to risk management techniques: identify, transfer and finance the risk. The fourth component is loss control, which is the work of the security firm.
Look at risk from the top down, rather than from the bottom up. Identify the risk; consultation with a security firm will help. The risk then needs to be funded (usually by insurance). If the loss could be absolutely prevented, insurance would not be necessary. Get an ABSOLUTE GUARANTEE from a deep-pocketed security firm before you count on this (it's not going to happen). The serious answer is to use the security service to protect where you cannot get insurance coverage, and to negotiate a better deal with the insurer.
GO WHERE THE INSURANCE ISN'T
Where the potential loss is covered by insurance, security can be set at a lower priority. What is the higher priority? Where we are bare. Example: most security firms will tell you that the internal threat (your own employees) is greater than the external threat. They will then, of course, suggest you need to spend a good percentage of your security dollar on that exposure. The problem (or solution) is that most "Employee Dishonesty" insurance does not exclude loss carried out through the use of computers or networks. Most businesses have been carrying (and still do carry) employee dishonesty coverage to protect against the old-fashioned embezzlement scheme. So, though the internal threat is a big exposure, it may already be fully covered. The prioritization process will allow you to allocate your security spending more effectively to other areas.
Is it black and white? Of course not! Employee dishonesty covers theft, not malicious damage. There is still a need to protect against, say, intentional destruction of data by an employee.
Here are other examples from the field:
- A "Computer Fraud" policy. This covered theft via electronic means by a non-employee. What was not covered (and therefore the area for focusing security efforts): theft of intellectual property, where the need may be, for example, encryption; and denial of service type attacks.
- An "EDP" (electronic data processing) policy. It covered data loss from viruses and hacking, but did not cover human error such as accidental erasure and mistakes in programming. Would the focus then be on employee training (and backups) rather than on securing the data by firewalls, etc.?
DON'T MITIGATE THE INSURER'S RISK
This would be better titled "Don't mitigate the insurer's risk without being paid for it." In other words, it may be necessary or even desirable to secure an area that is in fact insured, but this should result in a premium reduction or an improvement in coverage terms. This is a delicate negotiation with the insurer. Some of them don't want to know too much. They are "class underwriters." Their underwriting process is based on spread of risk: large numbers of homogeneous exposures. Given a big enough pool, the individual characteristics of insureds fade in importance. These insurers are usually involved in the smaller accounts. Other insurers are more sophisticated and more suitable for a true partnership: "We will buy the insurance from you, you will make security recommendations, we will execute them, you will give us a large premium reduction," and so on.
So security and insurance are closely intertwined. The most effective approach involves the following steps:
- Identify the exposures; the risk manager will need to work with a security firm to do this.
- Negotiate insurance coverage. Concentrate more on the severity than on the frequency potential. This is an alternative way to calculate (or estimate) a return on security investment. Insurers have the most extensive loss databases. The value of the loss exposure is the cost of the insurance. Can security replace or reduce that number?
- Engage a security firm for where the insurance isn't; a corollary: engage security to drive a better insurance deal.
Give and take, back and forth; it is a continual process. This is a dynamic area.
Given the inevitability of losses, you'll be judged not by whether you were the victim of an event, but by how well you planned for it.
(C) 2002 Licata Kelleher Risk and Insurance Advisers, Inc. Permission granted for distribution as is (with full attribution).
Licata Kelleher is a risk management and insurance advisory firm. The firm does not sell insurance, but does counsel clients on the effectiveness of insurance, on reducing the cost of insurance and on the risk management process.
The above is intended to be general information, and should not be construed as specific recommendations.