Buying Cyber Insurance
We have all read articles about companies that incurred large costs from a data breach, and in the same paragraph learned that the company carried data breach insurance that offset some portion of those costs. Risk is bad for business, and when it comes to risk businesses take two approaches: mitigate it or transfer it. Buying insurance transfers risk to an insurance company. Actuarial tables have been around since the 1700s, but data breach insurance has only recently been added to insurers' product portfolios, and the relative newness of the product raises a lot of questions.
How much should I buy—or should I buy at all?
Cyber insurance has only been offered for a very short period of time. There are few genuine experts, so companies tend to buy exactly what the insurance company tells them to buy, and there is no established way to assess how much coverage is appropriate. It is like buying extra car insurance at the rental counter: people are nervous, so they buy more.
What exclusions are there?
Some losses are simply not insurable. Examples are intellectual property, projected or potential revenue loss (you cannot tell your insurer, "If I hadn't been breached I would have made X dollars"), and damage to your brand. What is the real value of your source code and intellectual property? What is the value of the customer data you hold in order to provide your services? Insurers hesitate to put a number on those, and for good reason.
Some organizations have tried to put a value on a single breached record, which is very difficult to do and never fully accurate. The Ponemon Institute estimated the cost at $201 per breached record, but the true extent of a breach is never known in advance and depends on too many factors.
Is it worth it for companies to get cyber insurance?
It depends. You have to assess what you are buying it for. Businesses need to mitigate risk, and cyber insurance is one more insurance product for doing so. You buy anti-virus to mitigate the risk of malware; you buy cyber insurance to deal with the unknown. Given that a company already spends a certain amount of money on being PCI compliant, what you are paying for is this: "If I have done everything I should have done and still get breached, how do I recoup some of my losses and lower my risk?"
As at the rental car counter, the seller will try to sway you toward the more expensive option, and cyber insurance decisions tend to be fear based. All companies should instead look at cyber insurance from a liability standpoint: a policy lets a company add risk transfer to its existing risk mitigation strategy.
Most insurers will start with an assessment of your environment and of any cyber incidents your company has had in the past. Based on that assessment of the organization's security defenses, IT hygiene (patching), IT processes (change management, incident response) and IT architecture, the organization is offered some level of coverage for the premium it is willing to pay.
Whether you have a strategy for detecting attackers who get past the initial defenses through account takeover and user impersonation will be a consideration when the cost of a policy covering data breaches is calculated. One could argue that the largest insurance payouts were due to a lack of visibility into attackers using stolen credentials and impersonating legitimate users. Policy costs should be lower overall for companies that adopt an identity-based detection strategy.
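To make "identity-based detection" concrete, here is an added example (not code from the original article or from any vendor it refers to) that runs simple account-takeover heuristics over a handful of constructed authentication events: a login from a device or country the account has never used, two logins from different countries within a window too short for travel, and a high-risk action (such as creating a mailbox forwarding rule) performed from an unrecognized device. The event format, the baseline cutoff, the one-hour travel window and the list of risky actions are all assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample events for this example (not real logs). ts is epoch seconds.
# The first two days (ts < BASELINE_CUTOFF) are treated as the known baseline.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": 0,      "country": "US", "device": "d1", "action": "login"},
    {"user": "alice", "ts": 86400,  "country": "US", "device": "d1", "action": "login"},
    {"user": "bob",   "ts": 3600,   "country": "US", "device": "d2", "action": "login"},
    {"user": "alice", "ts": 180000, "country": "US", "device": "d1", "action": "login"},
    {"user": "alice", "ts": 181000, "country": "RU", "device": "d9", "action": "login"},
    {"user": "alice", "ts": 181100, "country": "RU", "device": "d9", "action": "mailbox_rule_create"},
    {"user": "bob",   "ts": 190000, "country": "US", "device": "d2", "action": "login"},
    {"user": "bob",   "ts": 200000, "country": "DE", "device": "d2", "action": "login"},
]
BASELINE_CUTOFF = 172800          # assumption: two days of history define "normal"
RISKY_ACTIONS = {"mailbox_rule_create", "mfa_reset", "role_grant"}  # assumed list


def build_baseline(events, cutoff):
    """Per-user set of countries and devices seen before the cutoff."""
    known = defaultdict(lambda: {"countries": set(), "devices": set()})
    for e in events:
        if e["ts"] < cutoff:
            known[e["user"]]["countries"].add(e["country"])
            known[e["user"]]["devices"].add(e["device"])
    return known


def detect_identity_anomalies(events, cutoff=BASELINE_CUTOFF, travel_window=3600):
    """Return (user, ts, alert_type) tuples for events after the cutoff.

    Heuristics: new_device, new_country, impossible_travel (different country
    within travel_window seconds of the previous login) and a risky action
    performed from a device or country not in the user's baseline.
    """
    known = build_baseline(events, cutoff)
    alerts = []
    last_login = {}  # user -> (ts, country) of the most recent login
    for e in sorted(events, key=lambda x: x["ts"]):
        user = e["user"]
        if e["ts"] < cutoff:
            # Baseline period: only track the last login for travel checks.
            if e["action"] == "login":
                last_login[user] = (e["ts"], e["country"])
            continue
        profile = known[user]
        new_device = e["device"] not in profile["devices"]
        new_country = e["country"] not in profile["countries"]
        if e["action"] == "login":
            if new_device:
                alerts.append((user, e["ts"], "new_device"))
            if new_country:
                alerts.append((user, e["ts"], "new_country"))
            prev = last_login.get(user)
            if prev and prev[1] != e["country"] and e["ts"] - prev[0] <= travel_window:
                alerts.append((user, e["ts"], "impossible_travel"))
            last_login[user] = (e["ts"], e["country"])
        elif e["action"] in RISKY_ACTIONS and (new_device or new_country):
            alerts.append((user, e["ts"], "risky_action_from_unrecognized_context"))
    return alerts


if __name__ == "__main__":
    for alert in detect_identity_anomalies(SAMPLE_EVENTS):
        print(alert)
```

On the sample data, alice's second login on day three trips all three login heuristics and her mailbox rule change from the unknown device raises a fourth alert, while bob's login from Germany the following day only raises a new-country alert because the device is known and the gap since his last login is far longer than the travel window. A real deployment would derive the baseline from a longer history and feed the alerts into an incident response process, which is exactly the kind of control an insurer's assessment looks for.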
Want to see a solution that may lower your insurance costs?