News about the damage associated with the Sony breach keep coming, and is most likely going to reach new heights over the Christmas break. Meanwhile, criminals keep conducting immensely successful hack attacks against huge brands that should have the financial assets and talent to protect against breaches. Has this risk management gone very wrong — accepting the occasional hack attack as a cost of doing business — or are we fighting a war we can’t win? We know that data/networks can and should be secured more effectively. While no security system will ever be 100% bulletproof, there are glaring bad practice issues in all of the recent high-profile breaches. We’ll look at why this might be happening in a follow-up post this week. In this post we’ll focus on the costs of recovery after a breach. The forensic investigation and remediation process following a breach is costly and time consuming. Confronting the facts about how long hackers may have been in the system and what they might have done while they were there is also painful for those charged with securing that system. Addressing the legal and regulatory concerns following a breach is challenging, even if you happen to have a battalion of attorneys on call — Target had to deal with over 100 putative class action suits, shareholder litigation and regulatory investigations. Auditors can impose sanctions, restrictions and auditing demands that will remain in place long after the hackers’ presence is purged from the network. Investors’ loss of confidence, brand damage and loss of intellectual property can deeply dent profits over the short term and may even fatally impact a small or midsize business’ long-term viability. Factor all the above into the equation, and even companies who are dedicated to good security practices — who invest time, money and effort into doing the right things — start looking with deep concern at the possibility of being a victim of a hack attack. The idea of insuring against potential damages becomes more compelling. It may even become a requirement for some industries, such as financial services, in the not too distant future. Financial services companies plan to increase their cybersecurity spending by some $2 billion over the next two years, according to a recent PricewaterhouseCoopers survey. And they’re buying insurance to offset the costs of attacks. A number of sources indicate that at least 75% of businesses with more than $1 billion in annual revenue will have cybersecurity insurance by 2018. Smaller and midsize firms are starting to look for protection as well. Whether a company purchases cybersecurity insurance is a choice that must be made internally, based on in-depth risk management analysis. Conducting that analysis should also reveal any security gaps in the company’s security profile. Companies may also wish to consider bringing in independent experts to conduct the audit, as they may be more likely to spot issues that have been overlooked or could be strengthened with adaptations to policies and procedures. It’s increasingly important to look at cybersecurity through a holistic, risk management lens. We’ve all known for a long time that a business whose culture is grounded in good data security practices will be less likely to fall victim to a hack attack than one that simply throws money at the problem. Make 2015 the year that you conduct a thorough audit of your system security profile, revise policies if necessary, implement good training across the company, and develop breach rapid response procedures. And as for insurance? Your general liability coverage policies probably won’t cover these incidents, so it may be worth looking into separate cyber coverage if your company collects processes or stores data that is monetizable. You may also want extra protection if you work in a company — or contract with third-party partners — that could become a target for hackers with political or technical grievances.