Cyber insurance coverage must be appropriate to perceived risk

June 9, 2017
Deciding how much cyber insurance to buy is no trivial matter

Public agencies and businesses around the world are making cyber risk a top priority. Insuring companies against data breaches is becoming a huge industry, even though its role and impact in day-to-day security operations are still taking shape. North American policyholders dominate the market, but Europe and Asia are expected to grow rapidly over the next five years due to new laws (e.g., EU data privacy regulations) and significant increases in targeted attacks like ransomware. Various experts predict the $3 billion global cyber insurance market will grow two-, three-, or even four-fold by 2020.

The Ponemon Institute’s 2016 study pegs the average cost of a data breach at $4 million, with the average cost per lost or stolen record rising slightly to $158. For healthcare firms, the cost per leaked record reached $402 in 2016. The Ponemon study covers breaches in which 3,000 to 100,000 records were lost; breaches at larger companies often expose far more records than that. The probability of experiencing a significant breach is especially alarming: the study put the likelihood of a “material breach involving 10,000 lost or stolen records” within the following two years at 26 percent.

Deciding how much cyber insurance to buy is no trivial matter, and the responsibility rests squarely with the Board of Directors (BoD). Directors and executives should have the highest-level view of cyber risk across the organization and are best positioned to align insurance coverage with business objectives, asset vulnerability, third-party risk exposure, and external factors. Not all breaches are limited to data exposure: ransomware, APTs, and DDoS attacks can also interrupt operations. How much does your organization stand to lose from a supply chain shut down, a website outage, or service downtime?

Recent data points from breach investigations help frame the discussion around risks and associated costs. Following a variety of high profile breaches, it would be prudent to make sure that your projected coverage requirements match up with reality. Be sure to follow older cases for deeper insight into the full expense compared with insurance payout; related costs and losses are often incurred for years afterward due to customer and market response as well as legal and regulatory enforcement actions.

In late 2013, Target Corporation suffered a very public breach that resulted in the resignation of their CEO, a 35-year employee. Target had purchased $100 million in cyber insurance, with a $10 million deductible. At last count, Target reported that the breach costs totaled $252 million, with some lawsuits still open.

Home Depot announced in 2014 that between April and September of that year cyber criminals stole an estimated 56 million debit and credit card numbers – the largest such breach to date. The company had procured $105 million in cyber insurance and reported breach-related expenses of $161 million, including a consumer-driven class action settlement of $20 million.

These cases illustrate the need for thoughtful deliberation when deciding how much breach insurance to buy. Breach fallout costs depend on multiple factors, are not entirely predictable, and can rise quickly due to cascading effects. Cases in point: the bizarre events surrounding Sony’s breach and the post-breach evisceration of Yahoo’s pending deal with Verizon.

Companies need to review their security posture and threat environment on a regular basis and implement mechanisms for continual improvement. The technology behind cybersecurity threats and countermeasures is on a steep growth curve; targets, motives, and schemes shift unpredictably. Directors may find it useful to assess risk levels and projected costs for multiple potential scenarios before cyber insurance amounts are decided upon.

Currently, most policy premiums are based on self-assessments. The more accurate the information provided in your application, the better protected the organization will be when a claim is made. Most policies stipulate obligations the insured must meet in order to qualify for full coverage; be sure to read the fine print and seek expert advice.

A professional security assessment can pinpoint areas in need of improvement. If you claim to be following specific protocols, but a post-breach investigation finds they were poorly implemented, circumvented, or insufficiently monitored, the insurer may deny or reduce coverage. Notify your insurance provider immediately about significant changes to your security program.

Review policy details regularly to ensure they match prevailing threats and reflect the evolution of crimeware and dark web exploits. Cyber insurance carriers continually adjust their offerings based on risk exposure and litigation outcomes.

As the industry matures, cyber insurance policies will become more standardized. For now, it’s an evolving product in a dynamic market; boards and executives need to keep an eye on developments. Simultaneously, they must maintain a high degree of visibility across their security program. Checking off compliance requirements, writing policies, and purchasing security software isn’t sufficient.

Lead from the top: ensure risk assessments are thorough and up-to-date, policies are communicated and enforced, and security technology is properly configured, patched, and monitored. Turning a blind eye to cyber threats and organizational vulnerabilities can have disastrous consequences. Cyber insurance may soften the financial blows, but it only works in conjunction with an enterprise-wide commitment to security fundamentals and ongoing risk management.

About the Author: 

Greg Reber is the Founder and CEO of AsTech Consulting, a leading information security consulting firm. As an early pioneer in the information security field, Reber was among the first to recognize and address the risks presented by consumer-facing applications. He launched AsTech Consulting in 1997 and has established AsTech Consulting as the premier firm that many financial services companies, retail service providers and other Fortune 1000 companies turn to for real-world, effective information security solutions.