The risks of hedging your security bets on cyberinsurance


Data breaches are expensive. Gross costs stemming from Target’s infamous 2013 breach totaled $252 million. And the Ponemon Institute’s annual Cost of a Data Breach survey found that the cost per compromised record had risen for the eighth consecutive year, to approximately $150. Coupled with the number of data breaches reaching an all-time high in 2014 (a short-lived record likely to be beaten in 2015), it’s no surprise that cyberinsurance is in high demand. However, cyberinsurance should be viewed only as a safety net to protect financial interests, not as the foundation of a cybersecurity architecture.

Interest in cyberinsurance has risen alongside the increase in serious data breaches as a means for companies to recoup a portion of the financial losses they sustain when sensitive data is stolen or otherwise exposed. Target recovered $90 million of its $250 million loss thanks to insurance, so there’s a very obvious benefit to having it. But at a recent conference for CISOs where experts put their heads together to address some of their common problems, I was surprised by how many executives were hedging their company’s data loss bets with cyberinsurance policies.

A changing landscape

While certainly helpful, cyberinsurance isn’t the panacea CISOs might be hoping for. Data breaches have reached near-daily frequency, and the costs continue to climb. As such, cyberinsurance premiums are going up – sometimes by more than 30% – and policies are carrying more conditions and exclusions. Insurers are also raising deductibles and setting limits on coverage. This has impacted retailers and health insurers more severely, due in large part to the number of recent costly breaches in those business sectors.

Other factors also affect the cost of cyberinsurance, such as the mandated requirements for breach disclosure and notification, which vary by industry. These can run the cost of a data breach well into the tens or hundreds of millions of dollars, driving some insurers to cap coverage at $100 million for risky customers. Thus, insurance payouts may cover only a portion of the costs, which typically include:

  • Breach notifications to affected customers
  • Voluntary or mandatory credit monitoring services
  • PR and communications services
  • Forensic investigations
  • Lawsuits
  • IT remediation
  • Fines and other penalties
  • Brand and reputation damage
  • Loss of business
  • Loss in market capitalization

The long-term repercussions

Beyond the cost of the data lost, there are other factors to consider, such as damage to brand reputation and loss of customer trust, which can last for years and are much harder to quantify. And the general public isn’t going to care that the business saved money when their personal data was compromised. They’re going to want to know how it happened, when it happened, and what the company is going to do to prevent it from happening again. If customers don’t feel secure doing business, they’ll go elsewhere. Having cyberinsurance won’t change that, nor will it save a CISO’s job should a data breach occur.

This is not to say that cyber liability insurance doesn’t have a place in the corporate quiver; it does. However, a legal hedge against a data breach is not the best way to go, as it’s a reactive, not proactive, strategy. Cyberinsurance should only be viewed as one component in a more comprehensive cybersecurity strategy to protect the organization against a breach. Companies still need to build a proper defense to prevent a data breach from happening in the first place – or at least to minimize its effects. This is best accomplished by following cybersecurity best practices, such as identifying the critical data assets, restricting or limiting access to them, applying a layered defense approach, monitoring the data assets for unapproved access or activity, and responding promptly to any suspicious activity. No insurance policy in the world is that multi-talented.
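The practices listed in the preceding paragraph can be shown as a small monitoring loop. The following is an added example, not code from the author or from Intralinks: a constructed critical-asset inventory recording which principals may perform which actions on each asset (identify and restrict), and a monitor that parses constructed access-log lines and raises an alert with a suggested response whenever a critical asset is touched by an unapproved principal or with an unapproved action (monitor and respond). The asset names, principal names, log format and sample lines are all invented for illustration; the monitor also fires on attempts the access-control layer already denied, which is what a layered approach buys you.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CriticalAsset:
    """One entry in the critical-asset inventory: what it is and who may do what to it."""
    name: str
    allowed_principals: frozenset
    allowed_actions: frozenset = frozenset({"read"})


# Step 1/2: identify the critical data assets and restrict access to named principals.
# Asset and principal names are constructed for this example.
INVENTORY: Dict[str, CriticalAsset] = {
    "db/customers_pii": CriticalAsset(
        "db/customers_pii",
        frozenset({"svc-billing", "dba-jsmith"}),
        frozenset({"read", "write"}),
    ),
    "share/payment_exports": CriticalAsset(
        "share/payment_exports",
        frozenset({"svc-settlement"}),
    ),
}

# Constructed access-log format (not any real product's format):
# <ISO timestamp> principal=<id> action=<verb> asset=<path> result=allowed|denied
LOG_RE = re.compile(
    r"^(?P<ts>\S+) principal=(?P<principal>\S+) action=(?P<action>\S+) "
    r"asset=(?P<asset>\S+) result=(?P<result>allowed|denied)$"
)

# Constructed sample log: two legitimate accesses, one unapproved principal that got
# through, one approved principal attempting an action it is not entitled to (denied),
# one non-critical asset, and one malformed line.
SAMPLE_LOG = """\
2015-06-01T09:12:03Z principal=svc-billing action=read asset=db/customers_pii result=allowed
2015-06-01T09:14:47Z principal=dba-jsmith action=write asset=db/customers_pii result=allowed
2015-06-01T09:20:10Z principal=contractor-x action=read asset=db/customers_pii result=allowed
2015-06-01T09:21:55Z principal=svc-settlement action=write asset=share/payment_exports result=denied
2015-06-01T09:30:00Z principal=svc-billing action=read asset=wiki/lunch_menu result=allowed
garbage line that the parser must not choke on
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(rec: Dict[str, str], inventory: Dict[str, CriticalAsset]) -> Optional[Dict[str, str]]:
    """Compare one access record against the inventory; return an alert dict or None.

    The monitor fires even when the access-control layer already said 'denied': a denied
    attempt on a critical asset by the wrong principal is itself worth a look.
    """
    asset = inventory.get(rec["asset"])
    if asset is None:
        return None  # not a critical asset: out of scope for this monitor
    if rec["principal"] not in asset.allowed_principals:
        reason = "unapproved_principal"
    elif rec["action"] not in asset.allowed_actions:
        reason = "unapproved_action"
    else:
        return None
    # Step 4/5: severity drives the response. A successful unapproved access means a
    # control failed and needs immediate action; a denied one is a lower-priority review.
    severity = "high" if rec["result"] == "allowed" else "medium"
    response = ("revoke access and open an incident" if severity == "high"
                else "review the principal's entitlements")
    return {"ts": rec["ts"], "asset": rec["asset"], "principal": rec["principal"],
            "action": rec["action"], "reason": reason, "severity": severity,
            "response": response}


def monitor(log_text: str, inventory: Dict[str, CriticalAsset]) -> Tuple[List[Dict[str, str]], int]:
    """Run every line through the monitor. Returns (alerts, count of unparseable lines)."""
    alerts: List[Dict[str, str]] = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # never drop silently: a broken log pipeline is itself a finding
            continue
        alert = evaluate(rec, inventory)
        if alert:
            alerts.append(alert)
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = monitor(SAMPLE_LOG, INVENTORY)
    for a in found:
        print(f"[{a['severity'].upper()}] {a['ts']} {a['principal']} {a['action']} "
              f"{a['asset']} ({a['reason']}) -> {a['response']}")
    print(f"{bad} unparseable line(s)")
```

Run as a script, it reports one high-severity alert (the contractor account that read the PII database) and one medium-severity alert (the settlement service attempting a write it is not entitled to), plus the count of lines the parser could not read. The point of the `unparsed` counter is that a monitor which quietly skips what it cannot parse gives the false comfort the article warns about.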

About Daren Glenister
Daren Glenister is the Field CTO for Intralinks® Holdings, Inc. (NYSE: IL), a leading global SaaS provider of content management and collaboration solutions. In his role, he acts as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements, helping to steer Intralinks’ product roadmap and the evolving secure collaboration market. Glenister brings over 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software, having worked with many of the Fortune 1000 companies helping to turn business challenges into real-world solutions. In the past, he has led technical and consulting businesses for CA Technologies, Symantec (Bindview), BMC Software, Intellinet and Sterling Software. Follow him on Twitter: @DarenGlenister.