Businesses around the globe are making cyber risk among their highest priorities. Insuring companies against data breaches is becoming an enormous industry, even as its promising role and impact in security operations continues to unfold. While North American policyholders dominate the market, Europe and Asia are expected to grow swiftly over the next five years as a result of new laws and significant increases in targeted attacks, such as ransomware.
While the average cost of a data breach declined by 10% from $4 million in 2016 to $3.62 million in 2017 worldwide, the United States experienced a 5% increase, according to an IBM Security and Ponemon Institute study. Health care is the most expensive industry for data breaches for the seventh consecutive year, costing health care organizations $380 per record, more than 2.5 times the global average of $141 per record across industries. The high likelihood of experiencing a significant breach is especially disturbing: in the two years following a recent study, the likelihood of a “material breach involving 10,000 lost or stolen records” stood at 26%.
Deciding how much cyber insurance to buy is no trivial matter, and the responsibility rests directly with the Board of Directors and in particular with the CFO. Directors and executives should have the highest-level view of cyber risk across the organization, and are best positioned to align insurance coverage with business objectives, asset vulnerability, third-party risk exposure, and external factors. Not all breaches are limited to data exposure: ransomware, advanced persistent threat, and distributed denial of service attacks can also interrupt operations.
So, how much does your organization stand to lose from a supply chain shutdown, website outage, or loss of service?
Recent data points from breach investigations help frame the discussion around risks and associated costs. Following a variety of high-profile breaches helps ensure that your projected coverage requirements match up with reality. Be sure to follow older cases for deeper insight into the full expense compared with insurance payout, since related costs and losses are often incurred for years afterward as a result of customer and market response as well as legal and regulatory enforcement actions.
In late 2013, Target Corporation suffered a very public breach that resulted in the 2014 resignation of their CEO, who had been with the company for 35 years. Target had purchased $100 million in cyber insurance, with a $10 million deductible. At last count, Target reported that the breach costs totaled nearly $300 million, with some lawsuits still open.
Home Depot announced in 2014 that between April and September of that year cyber criminals stole an estimated 56 million debit and credit card numbers, the largest such breach to date. The company had procured $105 million in cyber insurance and reported breach related expenses of $161 million, including a consumer-driven class action settlement of $20 million.
These cases illustrate the need for thoughtful discussion when deciding how much breach insurance to buy. Breach fallout costs depend on multiple factors, are not entirely predictable, and can rise quickly as a result of the cascading effects of an attack. Cases in point: the bizarre events surrounding the 2014 Sony breach and the post-breach evisceration of Yahoo’s pending deal with Verizon.
Companies need to review their security posture and threat environment on a regular basis and implement mechanisms for unceasing improvement. The technology behind cyber security threats and countermeasures is on a sharp growth curve, while the targets, motives, and schemes of hackers shift unpredictably. Directors and executives may find it useful to assess risk levels and projected costs for multiple potential scenarios before cyber insurance amounts are decided upon.
Most policy premiums are currently based on self-assessments. The more accurate the information provided on a company’s application, the more protected it will be. Since most policies stipulate obligations the insured must meet in order to qualify for full coverage, be sure to read the fine print and seek expert advisement.
It’s also essential to review policy details regularly to ensure they match prevailing threats and reflect the evolution of crimeware and criminal exploits on the dark web. Cyber insurance carriers continually adjust their offerings based on risk exposure and litigation outcomes.
You should also assess your IT security carefully. If you claim to be following specific protocols, but a post-breach investigation finds they were poorly implemented, circumvented, or insufficiently monitored, the insurer may deny or reduce coverage. Notify your insurance provider immediately about significant changes to your security program.
As the industry matures, cyber insurance policies will become more standardized. For now, it’s an evolving product in a dynamic market that CFOs and boards need to keep an eye on. Simultaneously, they must maintain a high degree of visibility across their security program. Checking off compliance requirements, writing policies, and purchasing security software isn’t sufficient.
CFOs need to make sure risk assessments are thorough and up-to-date, corporate policies are communicated and enforced, and security technology is properly configured, patched, and monitored.
Turning a blind eye to cyber threats and organizational vulnerabilities can have disastrous consequences. While cyber insurance may soften the financial blows, however, it only works in conjunction with an enterprise-wide commitment to security fundamentals and ongoing risk management.
Greg Reber is the founder and CEO of AsTech Consulting, an information security consulting firm.