So you’ve put some time into your infrastructure security, and you’ve reached the point of looking into cyber-security insurance. You figure you’ll buy some default package and be done with it, right? Unfortunately, cyber-security insurance is one of the types of insurance that requires customization from company to company, and the costs for this form of protection are on the rise, especially in an age when recent security breaches cost companies several million dollars each.
Take the 2014 breach of Home Depot. Insurance companies reimbursed Home Depot $15 million. While this is quite a tidy sum, the company still had to pay $28 million over and above the insurance payout. An even larger cost came with the 2013 breach of Target. For that one incident the insurance covered $90 million in damages, a sum eclipsing the costs Home Depot paid, and one that should have covered the majority of the damages, right? Well, Target has reported a $105 million loss to date after both insurance and tax deductions came into play. Without either, Target would have been out $252 million. In both instances, the insurance didn’t even cover half of the costs of the breach.
So how did such a large company manage to be covered so little in relation to its losses? Well, specifically in the Target case, the insurance didn’t go as far as it could have. In addition to investigating the breach and repairing the security weaknesses, the company had to deal with the many ways its consumer base was affected: complying with breach notification requirements, offering a credit monitoring service to affected customers, hiring a legal defense team for the lawsuits that followed the breach, and covering the PR needed to minimize the fallout of such a massive breach. All of this culminated in so many costs that Target’s insurance couldn’t cover everything.
To figure out how to avoid a shortfall between insurance payouts and breach losses, as in the cases above, one needs to know how cyber-security insurance costs work. In most cases, the company looking to acquire cyber-security insurance completes a questionnaire that the insurance company uses to determine premiums. Many times an IT manager completes this ‘self-assessment’ without full knowledge of the threat environment as it relates to the security controls of their infrastructure. It can be just as easy to overpay because of one’s own lack of knowledge as it is to end up with insurance that is relatively cheap and then find yourself suffering just the sort of breach you’re not covered for. It is quite important to make sure you have all the facts straight when putting together a cyber-security insurance plan. You could save yourself millions, whether by avoiding a gap between breach losses and insurance payouts or by making sure you’re not overpaying for insurance.