Cyber Insurance Is Good to Have but It Won't Protect a Company (or a CISO)
Cyber insurance is good to have, but it won't protect a company against a breach. Insurance should be viewed as one aspect of a more comprehensive strategy.
23 November 2015
I recently attended a conference for CISOs where they put their heads together to address some of their common problems. One of their big topics of discussion was cyber insurance. I was surprised to learn that a majority of these security executives are hedging their organization's data loss bets with cyber insurance policies.
Interest in this type of corporate insurance has been rising over the years, right along with the increase in serious data breaches. It's a way for companies to recoup a portion of the financial costs they sustain when sensitive data is stolen or otherwise exposed. The Target Corporation breach in 2013 really drove home the value of having cyber liability insurance. To date, Target's breach-related costs have exceeded $250 million, and the company has recovered $90 million through its insurance coverage.
While certainly helpful, cyber insurance isn't the panacea CISOs might be hoping for. Premiums are going up — sometimes by more than 30% — as are the policy conditions and exclusions. What's more, insurers are raising deductibles and setting limits on coverage. Reuters reports that premiums for retailers and health insurers are escalating more so than for other industries, largely due to the number of recent costly breaches in those business sectors.
Depending on the industry and mandated requirements for breach disclosure and notifications, the costs of a data breach can run into the tens or hundreds of millions of dollars. Reuters reports that some insurers are capping coverage at $100 million for risky customers. Thus, an insurance payout may cover only a portion of the costs, which often include:
- Breach notifications to affected customers
- Voluntary or mandatory credit monitoring services
- PR and communications services
- Forensic investigations
- IT remediation
- Fines and other penalties
- Brand and reputation damage
- Loss of business
- Loss in market capitalization
This is not to say that cyber liability insurance doesn't have a place in the corporate quiver; it does. However, insurance should be viewed as only one aspect of a more comprehensive strategy to protect the organization against a breach. Insurance can't protect against brand damage and loss of customer trust, which can last for years, and it can't save a CISO's job if a major breach does occur.
A legal hedge against a data breach is not the best way to go. Companies need to take the time to implement the proper defenses to prevent a breach in the first place, or at least limit the effects of it. This is best accomplished the tried and true way: identify the critical data assets, restrict access to them, apply a layered defense approach, monitor the data assets for unwanted access or activity, and respond promptly when something looks suspicious. No insurance policy in the world can do that.
Daren Glenister is the Field CTO for Intralinks. In his role, he acts as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements, helping to steer Intralinks’ product road map and the evolving secure collaboration market. Daren brings over 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software, having worked with many of the Fortune 1000 companies to turn business challenges into real-world solutions.