We’ve all heard of health insurance, travel insurance, car insurance and life insurance, but how about cybersecurity insurance? It’s aimed at organizations rather than individuals, and it’s becoming a hot topic at the CSO water cooler.
Cybersecurity coverage dates back to the 1990s, when companies used to purchase errors & omissions (E&O) insurance. This was extended to cover things like network failures due to software errors, destruction of data and even computer viruses.
Today, however, a failure in network security doesn’t damage just one computer; it can potentially expose an entire organization to the loss of valuable data such as customers’ personally identifiable information. In recent weeks we’ve even seen cases of cyber extortion, or ransomware, affecting hospitals. In the case of Hollywood Presbyterian hospital, which paid $17,000 to regain access to its computer systems, the monetary cost may have been low, but it has set off alarm bells throughout the security industry. Every organization stores a variety of data on their networks, ranging from employee and customer information to patent applications, product roadmaps and trade secrets, making them natural targets for cyber attack or blackmail.
One of Voxus PR’s clients, Savvius, posted an eye-opening blog about the costs associated with cyber attacks. The facts are startling. We often presume that breaches are caught and stopped within a day or two, but not so. Most breaches go undetected for months, and by that time it is extremely difficult, time-consuming and expensive for investigators to piece together the extent of the damage unless they have the original packet data as a source. That’s why delving into a large attack can be like peeling back the layers of an onion. Companies like Target, Home Depot and Sony Pictures all went through embarrassing public scrutiny as they issued statement after statement to reveal additional details of their attacks – and the news always went from bad to worse. It cost those companies millions of dollars in lost revenue, damaged reputation and more.
And that leads us to a big question. If cybersecurity insurance is the new ‘must have’ for organizations today, how big is the market? It’s actually pretty hard to determine. While insurers like AIG do state that they offer cybersecurity insurance, most companies (understandably) prefer not to share details about their security practices in public. Unfortunately, that silence can create a false sense of confidence in the ability of those companies to keep data out of hackers’ hands. All we know for sure is that cybersecurity insurance is a growing fact of life, and I think that’s a good thing because with insurance come rules, compliance and a better understanding of risk. With compliance and risk management come best practices, and with industry best practices comes more open dialog. For that reason, I think that cybersecurity insurance will be a great catalyst for better organizational security.