It’s normal to become pessimistic when you attempt to protect your company from cybercrime. After all, nearly every expert says it’s not a matter of if you’ll get hacked, but when. No matter what efforts you make to secure your data, these experts claim that a persistent attacker will inevitably succeed. It’s no wonder, then, that more and more companies are turning to cyber insurance to protect their data. It is estimated that cyber insurance sales are up about 30% this year and are predicted to increase even more as stories about security breaches continue to hit the headlines.
But before you dig into your pockets and start shelling out money for your policy, there are a few things you need to consider.
First of all, what exactly is it that you’re trying to protect? If you have customer information that you need to secure, a cyber insurance company could probably give you some idea of what your insurance would cost based on historic data. But what about sensitive company information such as details on new technology or future plans? What’s this information worth to you? How much would it cost your company if this information got into the wrong hands? Somehow, an insurance company must reach a decision about the value of your data. To be honest, at this point in time, they really have no idea how to do this. They would probably have to have experts in your field come in to assess the value. That is, people you don’t know, but who probably have connections in your field, would now have access to your company’s most sensitive information. Hopefully, you could trust them…hopefully.
Then there’s the problem of the ‘terrorist’ or ‘war’ exclusion. Insurance companies have to protect themselves from exposure to too much risk. If an attack takes down a large part of the internet, it could leave them exposed to huge losses. Thus, attacks from nations, such as China, which are the leaders in trying to get company data, may fall into this nebulous exclusion zone. You could lose your sensitive data and not get any compensation for that loss. Then again, how would the insurance company actually be able to conclusively prove where the attack came from? Cyber insurance is so new that answers to such questions are only beginning to be addressed.
There are other intangible losses that are hard to quantify. How would an insurance company determine the financial loss caused by damage to your company’s reputation following a widely publicized hack? Some say that Target lost millions because of damage to their reputation after being hacked while other experts give just as compelling arguments that such losses are nonexistent or simply short-lived.
After a breach, many companies have to take their sites offline while they upgrade their security. It is difficult to say how much business is lost during this downtime. Companies may claim great losses, while insurance companies may counter with the argument that those who truly want to buy products will simply wait a few days. In addition, a DDoS attack that takes your site offline is considered by some insurers to be a terrorist attack, which may not be covered at all.
Even to qualify for cyber insurance, your company will have to reduce its security risk to an acceptable level. This will likely mean that some investment in security will have to be made, at least to lower the price of the insurance. This is not to say that you will not need cyber insurance for some problems arising from an attack. You may want to be protected from lawsuits related to the hack, get help with PR expenses to rebuild your company's image, or be protected from extortion demands that would make you pay a ransom to get your network or data back. As the nature of cyber attacks changes, so will the assessment of your company's security. This may force you to make constant upgrades to keep your insurance costs within acceptable limits and your policy valid. Unfortunately, this does not change the basic fact that you will still be vulnerable to a cyber attack, and cyber insurance can only help with cleaning up the damage.
It is unfortunate that all software-based security has been found wanting. No matter what you may have heard, attackers have found ways around every method of software protection. Containerization, cloud-based security, and the rest are all ultimately vulnerable. Knowing this software weakness, some have claimed to have a hardware-based solution when, in fact, they do not. This matters because it is well known that a good hardware solution to security would go a long way towards ensuring complete protection and eliminating the need for cyber insurance altogether. If you want to see a true hardware-based security solution, take a look at what Inzero Systems has put together before you begin investing in expensive cyber insurance.