The number of data breaches has continued to grow over the past two years, hitting a peak in 2014, which became known as “the year of the data breach.” Alongside the major breaches of 2014 came a spike in interest in a relatively new type of protection for businesses: cyber insurance. A recent article in The Hill estimated that the cyber insurance industry has doubled and even tripled in size over the past few years, so that it has rather suddenly become a $2 billion industry. It’s no mystery why.
The Ponemon Institute’s 2014 “Cost of Cyber Crime” study (conducted in conjunction with HP) estimates that the average cost of a data breach to a company was $12.7 million in 2014, and that this figure would continue to trend upwards alongside the number of breaches. Those findings sent businesses scrambling for ways to protect themselves. An estimated 30-40 percent of companies currently carry some form of cyber insurance, but as data breaches continue to happen, now is the time to get the facts and determine whether cyber insurance is really the best protection for your business.
What is cyber insurance?
Cyber insurance is a type of business insurance used to protect organizations and individuals from cyber threats, particularly threats to their IT infrastructure and to the way they store and share content. Early versions of cyber insurance focused on covering the obvious costs of stolen credit card information (reimbursing customers for fraudulent charges, replacing cards, etc.), but as businesses have watched Target, Home Depot, Sony, and others deal with the legal troubles and longer-term consequences of a breach, cyber insurance coverage has expanded. Many businesses now opt for full-service packages that include legal assistance and cyber threat investigation. Today, most cyber insurance companies offer a wide range of products tailored to different kinds of businesses; for example, Travelers offers policies specific to public entities, small businesses, and even technology companies handling large amounts of data. Coverage typically extends to everything from cyber attacks to employee error.
Should you consider getting cyber insurance?
In the Department of Homeland Security’s Cyber Insurance Workshop report, the executive summary points out that cyber insurance is merely a way of transferring risk from an organization onto an insurance carrier; it does not mitigate risk. In fact, the workshop participants (who included insurance carriers, corporate risk managers, IT/cyber experts, and academics) went on to state, “Risk managers recommend that risk transfer be pursued as the last step of a comprehensive risk management strategy.” In other words, cyber insurance is a Band-Aid: if your organization isn’t addressing the deeper threats to its security, it will still be at risk of a breach. And once a breach occurs, cyber insurance will do what every other type of insurance does – raise prices and reduce coverage to mitigate the carrier’s own risk.
Cyber insurance costs vary widely depending on the type of organization and its associated risks – ranging from $120,000 premiums for data storage centers to $649 premiums for doctors’ offices. If your organization has the funds to allocate to cyber insurance, it is an excellent safety net in the event that something goes wrong. But without proper security policies in place and well-informed employees, the risks will remain and will likely increase over time, as attackers become more sophisticated and new technologies create new opportunities for human error. So while it can’t hurt to be insured, it makes more sense to shore up internal defenses first. Human error is the most common cause of a data breach, so implement secure internal and external file-sharing tools, train employees on BYOD and network security policies, and grant people only the minimum access they need to perform their job functions. These low-cost, basic security practices provide immediate value to your business by mitigating risk, rather than simply transferring it onto a cyber insurance carrier.