Data Breach Insurance: Is It Necessary?


We know that data/networks can and should be secured more effectively. While no security system will ever be 100% bulletproof, there are glaring issues with bad practice in all of the recent high-profile breaches. We’ll look at why this might be happening in a follow-up post this week, but in this post we’ll focus on the costs of recovery after a breach.

The forensic investigation and remediation process following a breach is costly and time consuming. Confronting the facts about how long hackers may have been in the system and what they might have done while they were there is also painful for those charged with securing that system.

Addressing the legal and regulatory concerns following a breach is challenging, even if you happen to have a battalion of attorneys on call. Auditors can impose sanctions, restrictions, and auditing demands that will remain in place long after the hackers’ presence is purged from the network.

Investors’ loss of confidence, brand damage, and loss of intellectual property can deeply dent profits over the short term and may even fatally impact a small or midsize business’s long-term viability.

Factor all the above into the equation, and even companies that are dedicated to good security practices — who invest time, money, and effort into doing the right things — start looking with deep concern at the possibility of being the victim of a hack attack. The idea of insuring against potential damages becomes more compelling. It may even become a requirement for some industries, such as financial services, in the not too distant future.

Financial services companies plan to increase their cybersecurity spending by some $2 billion over the next two years, according to a recent PricewaterhouseCoopers survey. And they’re buying insurance to offset the costs of attacks. A number of sources indicate that at least 75% of businesses with more than $1 billion in annual revenue will have cybersecurity insurance by 2018. Smaller and midsize firms are starting to look for protection as well.

Whether a company purchases cybersecurity insurance is a choice that must be made internally, based on in-depth risk management analysis. Conducting that analysis should also reveal any gaps in the company’s security profile. Companies may also wish to consider bringing in independent experts to conduct the audit, as they may be more likely to spot issues that have been overlooked or that could be strengthened with adaptations to policies and procedures.

It’s increasingly important to look at cybersecurity through a holistic lens that is focused on risk management. We’ve all known for a long time that a business whose culture is grounded in good data security practices will be less likely to fall victim to a hack attack than one that simply throws money at the problem.

The best protection is best practices: conduct a thorough audit of your system security profile, revise policies if necessary, implement good training across the company, and develop breach rapid response procedures.

And as for insurance? Your general liability coverage policies probably won’t cover these incidents, so it may be worth looking into separate cyber coverage if your company collects, processes, or stores data that is monetizable. You may also want extra protection if you work in a company — or contract with third-party partners — that could become a target for hackers with political or technical grievances.