For many businesses, especially small to medium-sized businesses, cybersecurity is an afterthought. The department is either understaffed or nonexistent, likely because small to medium-sized businesses do not think they will be targeted. The truth is, hackers are beginning to attack businesses indiscriminately. They don’t care what size your business is, how much revenue you generate or what your product is. They only care about data and information. The more they can get, the better. Cybersecurity insurance? Not a consideration.
While all businesses should have cybersecurity on the front of their minds, it often is not. And when a breach inevitably occurs (because it will), it has the potential to put smaller operations out of business. However, there is a way to avoid having to shell out potentially thousands of dollars in damages to customers. The solution is cybersecurity insurance.
This is complicated territory. Most of the time, it is cheaper, and it’s always more efficient, to have cybersecurity protocols in place to prevent a breach. Obviously, you can’t protect against everything. No one is perfect and hackers’ tactics change on a regular basis, so keeping up is difficult. However, having a cybersecurity department is generally a better plan than having an insurance policy for cleanup.
Still, most businesses should have a rider on their general liability or errors and omissions insurance. Now, in the most egregious circumstances, that type of policy is not going to be effective because the damage will exceed the limits, which is why it is important to have cybersecurity protocols in place, as well as proper incident response. Breaches occur every day, and the thought that your business won’t be impacted is both naïve and off-base. However, cybersecurity insurance is a way to mitigate risk, which is what security is all about.
The downside is that in a major breach, when you need it most, one which will cost millions of dollars because it exposes millions of people’s information, the rider on your insurance isn’t likely to cover the cost at all. This is largely because a breach like that is usually caused by negligence, intentional or not. That is, unless you get hit by a true zero-day vulnerability, which is unlikely.
If you’re going to get cybersecurity insurance, it can be difficult to know how much to buy. Generally, you need to transfer or mitigate risk, so you have to determine what is at risk of happening. What would the cost be for those events? If you cannot reduce the risk of those events, you should insure against them.
For example, having personnel social security numbers stolen from an HR department or a bank by an insider threat is very hard to stop. There’s a limit to how much you can mitigate that risk because, despite all of your best efforts, if someone wants to come in and do that to you, preventing it is going to be almost impossible. Therefore, insurance can mitigate or transfer that risk away. Still, while you can insure against breaches, you should be attempting to mitigate these risks through technology first. Ensure that those exposures cannot or at least should not happen.
At the end of the day, risk analysis is a budgeting exercise. If the insurance premium and deductible to insure the intellectual property you store, or any personal customer data you store, is significantly cheaper than some part of fixing any insecurity around the way it’s handled, insurance may be a better way to protect yourself temporarily. And when you make a trade-off like that, be sure you have an insurer who you are confident will insure you in all circumstances and will still be there 3 years from now if you need to file a claim.
Here is some practical math to illustrate when to make that trade-off. Let’s say that you find a policy you have confidence in. You purchase the insurance, and you know you need it for 10 years. It costs $10,000 per year, so you end up paying $100,000 by the time it’s done. But to fix the system, it will cost you $300,000. You definitely buy the insurance because you just saved $200,000. And until you have the $300K to spare, you are at least covered.
Be aware, though, that finding an insurer who will insure under any and all circumstances is unheard of, which is why mitigating risk from the technology side is more effective. At the end of the day, when dealing with risk analysis, your job is to mitigate or transfer risk. In this case, you transfer it to the insurance company. The goal is not necessarily to stop all risks, because the only way to do that is to essentially lock everything in a lead box, and you can’t run a business that way.
Remember that there are also intangible factors and additional losses that occur during a breach, things that insurance cannot fix or pay out. There will be a loss of trust and damage to your business reputation. It doesn’t matter how much you are willing and able to pay out to stay in business, or that you can cover your legal fees, if that business is ultimately going to crumble because you’ve now lost all of your customers.
Breaches and data theft happen on a regular basis, every day. Cybersecurity insurance is something you should have as a business, especially if you’re not going to have a department that handles infosec. But you must understand the pros and cons of having insurance in place of a dedicated cybersecurity team. Prevention and preparedness are always the best methods for mitigating risk. Insurance should merely be a backup plan. Remember that insurance can cover costs, but it can’t fix your reputation.