According to former NSA director Keith Alexander, cybercrime is the greatest transfer of wealth in history. With the rapid increase in the frequency of cyberattacks year after year, it’s no wonder many companies are turning to cyber insurance (also called cybercrime insurance or cyber coverage) to help mitigate losses from cyberattacks, fraud, espionage and other cyber threats. However, cybercrime insurance is still relatively new, making it risky for both the insurer and the insured. There are also several expenses related to cybercrime that insurance will not cover. Be sure to consider the following before making the decision to begin policy shopping.
Cybercrime Insurance Is in Its Infancy
It wasn’t until the late 90s that cyber insurance started to become a risk management option for companies. Underwriters of traditional forms of insurance have several decades of data at their disposal when assessing risk. Life insurance data goes back several centuries. Lack of historical data makes it difficult for insurance companies to develop and price cyber insurance policies. There is more guesswork involved in estimating the probability and costs of particular cybercrimes. For this reason, some companies opt to set money aside to deal with such matters instead of paying an insurance premium.
Insurance Won’t Cover All Expenses
The case for cybercrime insurance rests on the fact that security technologies cannot prevent every possible cybercrime, including online scams, business disruption, industrial espionage, theft, fraud and extortion. However, it is also impossible to obtain cybercrime insurance that will cover every expense of every possible cybercrime.
For instance, cyber insurance won’t cover the costs of damage to your company’s reputation after a data breach, and reputational damage can cost a company significantly more than direct costs. Target’s famous data breach in 2013 cost the company approximately $148 million in direct costs. However, Forrester estimated that total losses would be over $1 billion if indirect costs such as loss of consumer trust and drop in the company’s share price were included. Although some cyber insurance policies will cover PR costs under crisis management, it’s important to consider how much your company could potentially lose from loss of consumer trust.
Insurance Is Not a Substitute for Prevention
This brings us to the next point – insurance is not a substitute for prevention. Some companies opt to put prevention tools aside and rely on insurance as a solution to the problem. This is like saying “I won’t put locks on my doors because I have insurance.” This approach will likely contribute to the proliferation of cybercrime and make your company a target.
Cyber Insurance Should Come Last
Insurance can help cover the cost of damages from cybercrime for both large and small organizations. Before budgeting for cybercrime insurance, ensure that you have proper prevention tools in place and someone on staff to proactively manage cybersecurity tools and policy. If you choose to add cybercrime insurance, be sure to review the specifics of the policy and understand exactly what expenses will be covered. In a future post, we will discuss the items to consider when purchasing a cyber insurance policy.
Data Foundry offers a variety of security tools and services such as Managed Firewalls, WAF, IDS, DDoS Mitigation and more to protect our colocation customers and their networks.