Distributed Denial of Service (DDoS) attacks are certainly causing many sleepless nights for CIOs and CSOs across the world. In fact, Arbor research reveals DDoS attack sizes have grown by an astonishing 1,233 percent, at a compound growth rate of 68 percent, just over the past few years.
“We’re also seeing a tipping-point in the migration to cloud-based architectures and services,” notes Darren Anstee, chief security technologist at Arbor Networks, “which has dynamic effects on business agility, but can also potentially widen the threat surface.”
In this regard, Arbor’s latest Worldwide Infrastructure Security Report revealed that the share of respondents reporting DDoS attacks targeting cloud-based services has grown from 19 percent two years ago, to 29 percent last year, and 33 percent this year.
Whatever your level of cloud adoption, DDoS poses a number of risks to businesses:
- Brand damage and loss of consumer trust
- Direct revenue loss
- Data loss
- Costs to recover from an attack
- Loss of competitive advantage
- Regulatory fines from compliance breaches
- SLA penalties
- Fraud losses
- Supply chain disruption
So, with more of a business’s overall value found within its ‘digital assets’, and ever more so in cloud-based architectures, just how can one go about insuring these assets as one would more physical assets (such as property, plant, machinery, and so on)?
What is cybercrime insurance?
“Standard property policies generally won’t cover the loss of non-physical digital assets and data,” advises Anstee. “To guarantee protection from cybercrime, a dedicated and comprehensive cybercrime insurance policy is required,” he adds.
As actuaries start to learn from case history and build models to define and underwrite various types of cybercrime, organisations are now able to purchase various flavours of cybercrime insurance, to mitigate the losses incurred in the case of a security breach.
Anstee advises that companies insure themselves against a wide spectrum of cybercrime events – including coverage for data and privacy breaches, multimedia liability coverage (websites, media and intellectual property rights), extortion liability coverage to protect against ransomware, and network security liability coverage (which includes DDoS).
In fact, when it comes to DDoS cybercrime more specifically, global legal experts Reed Smith offer excellent advice on their website:
“It is important to ensure that the types of breaches expressly covered by your company’s [Cyberliability insurance] policy broadly include DDoS attacks, as well as intrusions by hacking, malicious acts by ‘rogue’ insiders, and negligent acts, such as the loss of hardware or disclosure of passwords or credentials.”
Augment and not replace
But Anstee cautions that insurance should augment, and certainly not replace, one’s security architecture: “Cybercrime insurance should provide another layer of protection – guarding you from the impact of a rapidly-evolving and very broad threat landscape. One should still have in place dedicated security solutions for DDoS attacks and all other known attack vectors.
“Having professional security solutions in place is important when engaging with insurers to correctly price cybercrime policies. The stronger the defence set-up, the lower the overall cybercrime insurance premium should be.”