I recently called one of my healthcare providers and was greeted by an automated operator offering a menu of options to select from based on your needs. One option was for clients who had questions about a recent breach. When your healthcare provider’s phone greeting includes a cyber breach option, you know times have changed. Most of us have received that standard letter from Experian, letting you know that your personal information may have been stolen by an ‘unauthorized party’. Without a doubt, the heat is on and CEOs and CFOs are becoming increasingly interested in cyber security insurance.
I was reading the findings from the 2015 Cyber Security and Data Privacy Survey by Wells Fargo, and I must admit I was surprised to learn that 85 percent of large companies today purchase cyber security insurance. Even more surprising is that among those companies, 44 percent of them have actually filed a claim. It appears that an insurance product, once uncommon, has now become a routine part of running a business.
Cyber crime is more lucrative than drug trafficking
According to the global insurance company Lloyd’s, businesses are losing about $400 billion annually to cyber crime. B2C companies, particularly retailers, healthcare providers, and financial institutions, have enormous amounts of personally identifiable information (PII). A Ponemon Institute study found that the average total cost of a data breach is $3.79 million, or $154 per lost or stolen record. A different study from NetDiligence puts that number at nearly $1,000 per record.
As if that weren’t enough to get you on the insurance bandwagon, recent legal rulings make companies even more exposed to damage claims and lawsuits than ever before. This past summer, the Seventh Circuit U.S. Court of Appeals issued a ruling against Neiman Marcus that makes it easier for consumers to sue companies when customer data is hacked. Another ruling from the Third Circuit U.S. Court of Appeals against Wyndham Worldwide allows the Federal Trade Commission (FTC) to sue companies that are hacked if the FTC believes that the companies’ lax security practices violate users’ privacy agreements.
In this environment, having cyber security insurance may be in your company’s best interest. But no matter how much you pay into it or how good your coverage is, you’d still rather not have to make that call to file a claim. It is no different from homeowner’s insurance: you might receive money to cover stolen goods during a break-in, but there are psychological and other damages that can’t be recovered. For businesses, policy limits may not cover the total financial cost of a breach, and issues like damage to reputation, loss of intellectual property, and the cost of a legal defense can hurt the business for years to come. Take the recent VTech security breach that compromised personal information of 11.3 million children and adults. The manufacturer of learning toys has had its education websites, including an app store, shut down since November 29 while it investigates the breach. Could the timing be any worse?
Some insurance companies are fighting back. A current lawsuit filed by Columbia Insurance seeks to recover a $4 million cyber insurance claim payout from a former client based on allegations that the client did not maintain adequate security controls. In addition, premiums for similar coverage next year will in most cases double to triple in cost.
Understand the cost and impact of a cyber breach against your business
Even if you have cyber security insurance, of course you want to do everything you can to prevent attacks against your high-value assets. Not every system has the same level of business-critical value or function, so part of establishing a sound security strategy is assessing the cost to the business if certain assets are breached. Then you can identify and prioritize those that warrant additional protection—with no compromises on security.
The Internet today remains a playground for hackers—recreational, professional, state-sponsored, you name it. We are facing a lack of accountability and trust, coupled with an ever-growing attack surface. If this status quo continues, the constant barrage of break-ins into corporate and public infrastructures will continue. The good news is that the security market has recently made extreme advancements, led by companies like Tempered Networks. We are hard at work building security and trust into the backbone of global commerce and communications. From my perspective, there are no more excuses for inadequate security.