Cyberinsurance Policies Are Available
For years, cybersecurity insurance has been hard, if not impossible, for consumers to come by. The problem arises from the variability of the risk, as well as the cost. Insurance is driven by massive data collection and pattern mapping; it requires hundreds of incidents to provide an accurate map of the potential risk. Cybercrime can vary wildly in what it accomplishes. A DDoS attack could knock a website down for a time, causing the owner to lose business or exposure. That sort of incident is easy enough for insurance to quantify, since there is already lost-income insurance for businesses.
But what if your customer information gets hacked? How valuable is the name, location, and age of every customer of yours? What about their credit card information, Social Security number or birth certificate? Those things could all have wildly different values, depending on what your business is and the nature of your clients. If your business has to pay for the data lost, then the insurance could cover it, but that amount can be variable.
The other problem is nailing down what exactly constitutes a successful data breach. If potential hackers make it through your defenses and safeguards, but their connection is terminated, is that a breach? Insurance lives and dies on easily defined states. For physical problems, whether or not something is a loss is clearly defined and easy to figure out. If your building burns down, that’s a loss. If the fire is contained to one room and is put out by the sprinklers, that’s a loss. In both cases, there is a definite loss of physical goods with known values.
Companies like Pure offered individual cyberinsurance policies, to the tune of $3,000 a month, to monitor your network for intrusions. This insurance is offered to individuals looking to protect themselves against the fallout of a data breach. Munich Re’s America division is working on rolling out the first commercially available enterprise cybersecurity insurance, which will cost around $100 for $25,000 to $50,000 of coverage. The question then becomes: Is it worth it to get a cyberinsurance policy?
The US Department of Justice estimates that a data breach, in this case identity theft, costs an individual about $1,343. Therefore it isn’t worth it for the average individual to get a policy, as their cost per month is nearly triple the expected cost of their low-frequency loss. However, for businesses, it may be worth it to get the policy. Businesses that suffer a data breach risk losing money not only through the remuneration of their customers but also from lost business. An IBM study showed that the average cost of a data breach for a large enterprise hovers around $4 million, with each lost document costing ~$156.
So for businesses, especially large ones, the insurance policy would make an excellent damage control mechanism, though the insurers would have to seriously increase the cost of the premium to cover that large of a loss. As more data breaches occur, insurance companies will be able to offer better and better plans and prices, resulting in more effective protection against future breaches. This move towards insurance could also coincide with a move towards pursuing best practices in cybersecurity from the insured companies.
Max is a Legal Assistant and author residing in the Philadelphia area. He has been writing for AskCyberSecurity.com since early 2017.