Guidelines for protection against internet risks


In their interview, Mr. E. Koutroubezi, Head of the Special Risks Undertakings Department/Fire and Other General Branches Undertakings Division at Ethniki Insurance and G. Tsinos, Information Security Officer (CISO) at Ethniki Insurance.

Today the functioning of the private and public sector is largely dependent on the internet. Are the state and individuals insured for online risks?

E. Koutroubezi: States do not insure against electronic risks, however, more and more public legal entities seek protection against cyber risks by purchasing cyber insurance to cover both the same losses and their liability to third parties (supervisory authorities, customers due to leakage of personal their data etc.). For private individuals there are special insurance packages that provide effective insurance protection in case of fraud due to online shopping, electronic fraud (such as phishing, pharming, social engineering), theft of their digital identity, digital data restoration / recovery costs as well as for cases of online bullying or blackmail.

What are the right steps – the rules in a cybercriminal attack?

G. Tsinos: “If you want peace, prepare for war”, states a Latin saying. In this case, cyberwarfare exists and proactive actions are required to effectively deal with an impending security incident. The risk is real, not only for companies, but also for every internet user. Our preparation will play a key role in the moment of crisis, reducing dispersion, impact, tensions and response time.

For ordinary users, basic preventive precautions, such as the existence of backups (on an external device, detached from the system or in the cloud), a cyber-insurance policy, safeguarding classified data (e.g. VAT) with encryption, etc. will reduce effects of the attack.

For companies, where many areas are involved, preparation and instructions (playbook) are imperative, as follows:

  • Before the attack, the governance framework must be defined. The roles and people of the security incident management team (IR team), the contact details of colleagues and external partners who support critical services and systems, the escalation (CISO / Management) for further decision-making, Authorities, customers – partners, cyber-insurance provider (which we need to have in place to cover financial losses), etc. The speed and accuracy of detecting a potential incident is crucial to reducing the impact. Detection mechanisms and continuous monitoring service (SOC 24*7) are required, which will alert ODPA. Restoring systems from off-site backups must be systematically tested, since it is the “unplug” when there is data encryption (ransomware).
  • During the attack, the type and scope of the attack is determined, the operational functions that have been affected, the systems that have been attacked, which data (amount and type) have been breached, if there are any unauthorized entry points (accounts / passwords), etc. In collaboration with the appropriate areas (Data owners, IT, DPO, Administration, etc.). both technical and non-technical restoration tasks are activated (authority updates, customer updates, etc.).
  • After the attack, a technical and organizational review is carried out to assess the mistakes that may have been made, the security gaps that have emerged and what needs to be improved (playbook feedback).

Are attacks involving states insured?

E. Koutroubezi: Attacks involving states are not insurable risks. Damages suffered by businesses and/or individuals resulting from cyber war or cyber attack are an exception to the coverage provided. However, given that the product is dynamic and the market is evolving, some new products have been launched and are being developed specifically for cyber war insurance on a standalone basis by foreign insurers.

In general, what exceptions do the contracts provide for?

E. Koutroubezi: Common exclusions for legal entity contracts are infringements of unfair competition / antitrust laws, penalties and fines (with the exception of administrative fines for personal data matters which are often covered with some sub-limit), professional liability, while common exclusions for both coverages natural and legal persons are bodily injuries and material damage, fraud, war, acts of terrorism, defective equipment, normal wear and tear, any problems in the infrastructure (power outages, outages of utility infrastructure, etc.) and natural phenomena, however caused.

Can you name one or more instances of online risk that you have been called upon to manage?

G. Tsinos: Emerging risks from new security gaps and how to exploit them are coming to light every day. Our Organization has designed indicative playbooks, has acquired the necessary tools and is updated by the SOC provider 24*7 immediately for potential malicious actions detected. ODPA confirms the possible incident, proceeds to further search for evidence and the method of violation, whether the technical countermeasures worked, etc. It performs both immediate restoration actions and eradication of the problem on the compromised machine or on adjacent machines, while activating mechanisms of enhanced supervision for some time. The feedback from each new incident leads us to improve our technical and organizational measures, team expertise, services of our providers, etc., to secure our customers’ data.

Leave a Comment