Data breaches are expensive. Gross costs stemming from Target’s infamous 2013 breach totaled $252 million. And the Ponemon Institute’s annual Cost of a Data Breach survey saw the cost for each compromised record had risen for the eighth consecutive year to approximately $150. Coupled with the number of data breaches reaching an all-time high in 2014 (a short-lived record likely to be beaten in 2015), it’s no surprise that cyberinsurance is in high demand. However, cyberinsurance should be viewed only as a safety net to protect financial interest, and not the foundation of a cybersecurity architecture.
Interest in cyberinsurance has risen alongside the increase in serious data breaches as a means for companies to recoup a portion of the financial losses they sustain when sensitive data is stolen or otherwise exposed. Target recovered $90 million of its $250 million loss thanks to insurance, so there’s a very obvious benefit to having it. But at a recent conference for CISOs where experts put their heads together to address some of their common problems, I was surprised by how many executives were hedging their company’s data loss bets with cyberinsurance policies.
A changing landscape
While certainly helpful, cyberinsurance isn’t the panacea CISOs might be hoping for. Data breaches have reached near-daily frequency, and the costs continue to climb. As such, cyberinsurance premiums are going up – sometimes by more than 30% – as are the policy conditions and exclusions. Insurers are also raising deductibles and setting limits on coverage. This has impacted retailers and health insurers more severely, due in large part to the number of recent costly breaches in those business sectors.
Other factors also affect the cost of cyberinsurance, such as the mandated requirements for breach disclosure and notifications, which varies by industry. This can significantly run up the costs of a data breach well into the tens or hundreds of millions of dollars, driving some insurers to cap coverage at $100 million for risky customers. Thus, insurance payouts may only cover a portion of the costs, which typically include:
- Breach notifications to affected customers
- Voluntary or mandatory credit monitoring services
- PR and communications services
- Forensic investigations
- Lawsuits
- IT remediation
- Fines and other penalties
- Brand and reputation damage
- Loss of business
- Loss in market capitalization
The long-term repercussions
Beyond the cost of the data lost, there are other factors to consider, such as damage to brand reputation and loss of customer trust, which can last for years and are much harder to quantify. And the general public isn’t going to care that the business saved money when their personal data was compromised. They’re going to want to know how it happened, when it happened, and what the company is going to do to prevent it from happening again. If customers don’t feel secure doing business, they’ll go elsewhere. Having cyberinsurance won’t change that, nor will it save a CISO’s job should a data breach occur.
This is not to say that cyber liabilitity insurance doesn’t have a place in the corporate quiver; it does. However, a legal hedge against a data breach is not the best way to go as it’s a reactive, not proactive, strategy. Cyberinsurance should only be viewed as one component in a more comprehensive cybersecurity strategy to protect the organization against a breach. Companies still need to build a proper defense to prevent a data breach from happening in the first place – or at least minimize its effects. This is best accomplished by following cybersecurity best practices, such as identifying the critical data assets, restricting or limiting access to them, applying a layered defense approach, monitoring the data assets for unapproved access or activity, and responding promptly to any suspicious activity. No insurance policy in the world is that multi-talented.
[su_box title=”About Daren Glenister” style=”noise” box_color=”#336588″][short_info id=’60253′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.