Is it time for cyber liability insurance?

Cyber liability insurance can provide a new layer of security in data breach or exploit situations, study finds.

A new cyber security study, Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age, conducted independently by the Ponemon Institute and sponsored by Experian Data Breach Resolution, found that companies now view cyber security risks as outweighing natural disasters and other major business risks.

Data breaches have become such an enormous liability that nearly 31% of the companies surveyed already have cyber liability policies, while another 39% are reportedly exploring purchasing a policy to get a level of protection in place to help manage the financial burden of breaches.

In fact, the survey pegged the cost of security exploits and data breaches at an average of $9.4 million, based on input from senior privacy and compliance professionals in the public sector; the retail, health and pharmaceuticals industries; and the financial services industries.

This $9.4 million hit includes consultant and legal fees, indirect business fees such as productivity losses, diminished revenues, legal actions, customer turnover and repairing a tarnished reputation. It doesn't include intellectual property losses, which can make the actual loss much more financially devastating.

Of the survey's respondents, 56% had suffered a cyber attack that infiltrated their network or enterprise systems or a breach that resulted in the loss of 1,000 or more records.

"Obtaining cyber liability insurance has changed quite a bit the past two years," said Andrew Rose, principal analyst of security and risk at Forrester Research, providing some perspective unaffiliated with the study. "Companies fill out questionnaires to assess their internal risk, and then insurers base their premiums on that. But this is relatively uncharted territory for insurers -- quantifying your risk of getting hacked is challenging."

Obviously, if you encrypt your data, are ISO 27001-certified and conduct regular audits, your cyber liability premium should reflect it. Likewise, if you don't encrypt your data and allow anyone free access to your network, you can probably still get a cyber liability insurance policy, but the greater risk involved will mean a high premium.

What sort of coverage is included in cyber liability policies? "Responding to requirements to give all of your customers credit rating checks so they can ensure their identity hasn't been stolen, as well as repairing your reputation, dealing with the technical issues that occurred and patching your network -- these should be included in your insurance and aren't terribly difficult to quantify," Rose said. "But there are other aspects that are the real killers, such as loss of intellectual property worth millions, and I'm not sure insurers cover that yet."

One big value-added service many insurers are providing is access to lawyers, incident experts and PR agencies when something goes horribly wrong, Rose pointed out.

"When you have a breach, you're thrown into an incredibly vulnerable position because everyone knows you've been breached and will try to charge you a fortune to help you repair the damage. Having your insurer ready to provide some value-added types of services is a really good thing," Rose said.

The adoption of cyber liability insurance is expected to continue to gain traction, but slowly. "Given the choice between investing in insurance or an essential internal data control you don't already have, such as data loss prevention or identity access management, most chief information security officers would prefer to prevent the incident rather than try to recover from it," Rose said. "But if you have all the key controls in place, the next thing to do might be to prepare for the scenario when your controls fail."

One of the biggest drivers Rose sees for cyber liability policies is cloud adoption. "But cloud doesn't give you much liability cover," he said. "If your service is down for three days, your vendor is likely to give you three days' service credit. While this may work for some contracts, if your infrastructure and company are dead in the water for three days, it might cost you millions of dollars. This is a case to consider, whether cyber insurance can address this sort of shortfall."
