When I first started as the CISO at the Port of Seattle in 2004, one of my first tasks, besides building a security program, was to work with our risk management organization to investigate the viability of purchasing cyber insurance for protection should our data be breached.
At that time there weren’t many insurance companies offering
Also of note is that actuarial data on the number and cost of data breaches was non-existent. Many state data breach laws were not in place, the first Verizon Data Breach Investigations Report had not yet been published, and there was little data on cost-per-record-breached.
Why would you want cyber insurance?
As an enterprise, you have data to protect. If that data includes credit card information, personal health information (PHI) and/or data that would be considered private by its owners, then the breach or loss of that information could result in substantial costs to the company, including remediation, compliance penalties and loss of business or corporate reputation damage. Even for organizations that keep a contingency fund, the costs can quickly become overwhelming.
Essentially, cyber insurance provides protection for the enterprise from the following types of specific costs:
- Cost per record breached: The Ponemon Institute calculated that a company can expect to pay approximately $214 per breached
- Breach notification: Simple mailings to affected customers can run around $1 to $3
- Customer credit monitoring: Credit monitoring offered as a remedy to affected customers can run around $20 to $100 per person per year.
- Post-breach forensics: Forensic examinations can result in extensive costs, from thousands to hundreds of thousands of dollars.
While each one of these actions has a cost, it's also important to remember that the costs associated with repairing a damaged reputation may be prohibitively expensive as well.
Therefore, a cyber insurance policy may be of real benefit to a company susceptible to a data breach, both financially and managerially, for the peace of mind it can offer the CEO and board of directors should a breach occur.
Who are the cyber insurance carriers?
As of 2011, the most well-known carriers and agencies include:
- ACE USA
- St. Paul Travelers
You can also work with Marsh McLennan Agency in its role as a broker to help you find the insurance you need.
Selecting a policy
When you finally narrow down the insurance companies from which you wish to obtain quotes, you will need to start with some time-consuming paperwork. Specifically, the potential insurance provider will require completion of a cybersecurity assessment application that is, essentially, a security audit checklist. Completion of this form will do a few things for you.
First, by filling out the application, you will have completed a comprehensive self-assessment of your information security program, which will also give you a sense of those areas needing attention and upgrade.
Second, by thoroughly completing the cyber insurance application form, you will give the potential insurer a sense of the risk incurred if it protects your company from data breach, thus impacting the total price for your policy. Hence, a more thorough and honest application that carefully details all your risks and corresponding mitigation strategies could potentially lower policy pricing.
Are there any other resources?
As part of your pursuit of cyber insurance, consider the following resources:
- Check each possible vendor for checklists, application forms, histories/reputational
- Talk to brokers to gain their insight into the pros and cons of different providers.
- Review the Forrester “Q&A: Cyber insurance Fundamentals for Security and Risk Professionals” by Khalid Kark.
The good news is you have more choices today than I did seven years ago when looking for cyber insurance. However, be sure to do your homework and take time to understand your total risk by comparing the Ponemon data breach costs against your total data assets. Stacking this number up against the cost of the insurance, including the deductible, can help you more easily decide whether the policy is worth the cost.
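The comparison described above can be written out as a small model. The following is an added example, not part of the original article: it takes the article's 2011 per-record figures and a single Ponemon-style loss estimate, then stacks the loss against a policy's premium, deductible and coverage limit. The record count, breach probability, contingency fund and policy terms are constructed inputs, and the forensics range is an assumed reading of "thousands to hundreds of thousands of dollars".

```python
"""Comparing estimated breach cost against the cost of a policy.

Added worked example; not part of the original article. The per-record
figures are the article's 2011 numbers; the record count, breach
probability, contingency fund, premium, deductible and coverage limit
are constructed inputs, and the forensics range is an assumed reading
of "thousands to hundreds of thousands of dollars".
"""
from dataclasses import dataclass

# Cost components quoted in the article (2011 figures).
PONEMON_COST_PER_RECORD = 214.0             # all-in Ponemon per-record figure
NOTIFICATION_PER_RECORD = (1.0, 3.0)        # mailing cost, low/high
MONITORING_PER_PERSON_YEAR = (20.0, 100.0)  # credit monitoring, low/high
FORENSICS_RANGE = (5_000.0, 500_000.0)      # assumed reading of the article's phrase


@dataclass(frozen=True)
class CostRange:
    low: float
    high: float


def itemized_breach_cost(records: int, monitoring_years: int = 1,
                         forensics: tuple = FORENSICS_RANGE) -> CostRange:
    """Bottom-up estimate built from the article's individual cost items."""
    per_record_low = NOTIFICATION_PER_RECORD[0] + MONITORING_PER_PERSON_YEAR[0] * monitoring_years
    per_record_high = NOTIFICATION_PER_RECORD[1] + MONITORING_PER_PERSON_YEAR[1] * monitoring_years
    return CostRange(records * per_record_low + forensics[0],
                     records * per_record_high + forensics[1])


def ponemon_breach_cost(records: int) -> float:
    """Top-down estimate using the single Ponemon per-record figure."""
    return records * PONEMON_COST_PER_RECORD


def retained_loss(loss: float, deductible: float, coverage_limit: float) -> float:
    """What the enterprise still pays once the policy responds.

    The policy pays the part of the loss above the deductible, capped at the
    coverage limit; everything else (the deductible and any loss above the
    limit) stays with the enterprise.
    """
    covered = min(max(loss - deductible, 0.0), coverage_limit)
    return loss - covered


def compare_policy(records: int, annual_breach_probability: float,
                   contingency_fund: float, premium: float,
                   deductible: float, coverage_limit: float) -> dict:
    """Stack the Ponemon loss figure against premium plus retained loss."""
    loss = ponemon_breach_cost(records)
    retained = retained_loss(loss, deductible, coverage_limit)
    return {
        "loss_if_breached": loss,
        "retained_if_breached": retained,
        # Expected annual cost of self-insuring versus buying the policy.
        "expected_cost_uninsured": annual_breach_probability * loss,
        "expected_cost_insured": premium + annual_breach_probability * retained,
        # Worst-case shortfall against the contingency fund, i.e. the
        # article's "costs can quickly become overwhelming" scenario.
        "shortfall_uninsured": max(loss - contingency_fund, 0.0),
        "shortfall_insured": max(retained + premium - contingency_fund, 0.0),
    }


if __name__ == "__main__":
    # Constructed scenario: 50,000 customer records, 10% annual breach chance,
    # $1M contingency fund, $150K premium, $100K deductible, $5M limit.
    est = itemized_breach_cost(50_000)
    print(f"Itemized estimate: ${est.low:,.0f} to ${est.high:,.0f}")
    result = compare_policy(records=50_000, annual_breach_probability=0.10,
                            contingency_fund=1_000_000.0, premium=150_000.0,
                            deductible=100_000.0, coverage_limit=5_000_000.0)
    for key, value in result.items():
        print(f"{key:>26}: ${value:,.0f}")
```

The expected-cost lines answer the "is the premium worth it" question on average, but the shortfall lines are usually the ones that matter to a board: they show how much of a single large breach would exceed the contingency fund with and without the policy. Both depend on the breach probability and coverage limit you assume, so it is worth running the model over a range of those inputs rather than a single point.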
About the author:
Ernest N. Hayden (Ernie), CISSP, CEH, is the founder and owner of 443 Consulting, LLC, an enterprise focused on providing quality thought leadership in the areas of information security, cybercrime/cyberwarfare, business continuity/disaster recovery planning, and research. Most recently, Ernie was Information Security Strategic Advisor in the Compliance Office at Seattle City Light. In this role he was the primary leader of utility-wide efforts focused on complying with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards.
This was first published in May 2011