Industry Focus
Seriously Cybersecurity Insurance
- By Ralph C. Jensen
- Apr 01, 2017
It wasn’t that long ago that cybersecurity
wasn’t even part of the physical security
dialog. The thought of a network
or individual cameras getting hacked
brought cybersecurity into the security
picture pretty quickly. Cyber questions also
arise when discussing cameras being manufactured
in China.
Pierre Racz, president and CEO of Genetec,
is very frank about his company dropping
VMS support for Chinese governmentowned
camera manufacturers.
“We have said very categorically, that we
don’t support [the cameras] out of the box.
You [end user] will need a special license and
for us to grant that license you need to sign a
waiver that you will hold us harmless if those
devices attack you or attack other people on
the network,” Racz said.
He also stated that the company is doing
everything possible to protect end users from
cyber-attacks. In fact, Racz said they have a
campaign underway, reaching out to consultants
as well as end users, telling them that
they should insist on cyber incompetence
insurance from manufacturers and from the
integrator.
If this concept seems a little far-fetched,
it’s not. Cyber and privacy insurance policies
have been around for about 10 years. It is not
a booming business model, but with so many
breaches, so often, perhaps it is a logical investment.
An insurance policy would cover a
business’ liability for a data breach in which
a customers’ personal information is exposed
or stolen by a hacker or criminal who gained
access to the network.
Cyber insurance underwriters lack
knowledge and data to make a policy effective
and secure. There are generally more
risks relating to IT infrastructure and activities,
so where does that place the physical security
network? Risks of this nature are typically
excluded from traditional commercial
general liability policies or at least are not
specifically defined in traditional insurance
products. Coverage provided by cyber-insurance
policies may include first-party coverage
against losses such as data destruction,
extortion, theft, hacking, and denial of service
attacks; liability coverage indemnifying
companies for losses to others caused, for
example, by errors and omissions, failure to
safeguard data, or defamation; and other
benefits including regular security-audit,
post-incident public relations and investigative
expenses and criminal reward funds.
Considering best practices for network
security, Fredrik Nilsson, general manager
at Americas for Axis Communications has
written that all network devices are subject to
threats. This most certainly includes network
cameras, which are always part of the larger
system where the network is the backbone.
“All parts are vulnerable, either as a system
or as individual devices, and the system
needs protection,” Nilsson has written in his
second edition of Intelligent Network Video.
“It is not, however, possible to create a system
that is 100 percent secure, at least not a
usable system. The system can only be made
more secure by reducing exposure areas and
mitigating risks, but there will always be
some level of risk that needs to be accepted.”
Cybersecurity is a weakness in firmware,
hardware, system interfaces and so forth
where a flaw can be exploited for a malicious
attack. That doesn’t mean it would be easy to
exploit that weakness.
Limit access to the network and those resources,
and when installing an IP camera system,
make sure there are no counterfeit parts,
and that the chip set does not have a backdoor,
allowing unwanted guests to creep inside.
This article originally appeared in the April 2017 issue of Security Today.
About the Author
Ralph C. Jensen is the Publisher/Editor in chief of Security Today magazine.