Is cyberinsurance an effective tool to protect against the costs of a cyberattack?

July 31, 2014 CyberCecurity

An article at Investors.com made a number of good points, but I have a bone to pick about one point.

First the good points –

One of the many changes that the Internet brought about is that it is easier than ever to steal someone’s data. You don’t have to break in to someone’s house or office — you can be thousands of miles away – which means that the odds of getting caught are very low.

People are buying more and more cyberinsurance. It seems like a good thing. Have a risk? Insure against it. The attacks are endless and mindnumbing – Target, eBay, Boeing, Lockheed. The list seems to go on for ever. Attacks are more prevalent and harder to detect.

The industry has been writing fire insurance for over a hundred years. They have been writing cyber insurance for less than ten years. Do you think the insurers have this figured out? Do YOU know what is covered in your cyber liability policy and what is not covered?

The article points out that we don’t even know what percentage of companies have cyberinsurance. Three different studies reported very different results – from 52% to 33% to only 6%. Even if you are very optimistic, it means that half of the companies don’t have cyber insurance. That’s probably not a good plan today.

Now the bone –

The article says “Yet challenges remain to raise awareness that cyberinsurance can be an effective tool to protect against the costs of repairing and defending against cyberattacks.”

Far be it from me to suggest that people should not buy cyberinsurance. I think most companies should have some cyberinsurance, BUT, all that will do is help defray some of the costs – after the fact.

While Target is not the typical breach, it is representative. It has been reported that Target had $100 million in cyber insurance. I don’t know if that is true, but that has been reported. It has also been reported that Target will likely spend more than a billion dollars mitigating the attack. That includes everything from PR to lawsuits. Of course it depends on the outcome of the 50 lawsuits that have been filed against Target, but the cost might be several billion dollars.

So, if you are optimistic, Target’s insurance will cover 10% of the cost of mitigation. If you are pessimistic, it might only cover 1%. Ignoring for the moment the purely financial impact of paying to mitigate the breach, Target has been the recipient of an awful lot bad publicity and their sales fell significantly after the breach as well.

What companies really need to do – besides making sure that they do have cyberinsurance – is to take some positive action to reduce their own risk of being the victim of a cyberattack. What most companies do is install anti virus software and a firewall and call it good. Tomorrow I will write a post on the downside to anti virus software – check that out.

What companies need to do today is way more than that. To start with, do you have a Chief Risk Officer (not someone who does 10 things plus risk management)? Do you have a chief data security officer? If you a small to medium size company, these could be part time or they could be fulfilled by a contractor, but these need to be well defined jobs. AND, they need to brief the board of directors on a regular basis. Ultimately, this is a bet the company issue. Studies report that somewhere around two thirds of companies that suffer a data breach go out of business. Whether that number really is 66% or 40% or even 33%, the number is significant and as a result, this issue needs real ongoing visibility at the board level. What this likely means is spending money, changing processes, dealing with people complaining about change and a whole lot of other things.

Alternatively, be prepared to be the next Target. At Target, the CEO, CIO and CISO all lost their jobs. Among other people.

Choose!