As organizations struggle with cyber attacks and their aftereffects, more and more are looking to insurance policies to cover the damage. That raises the question of just what you get with a cyber insurance policy. After all, we are bombarded with news stories of stolen customer information where the biggest cost, which some cyber insurance policies cover, is credit monitoring, a service that does not fix the problem and quite often does little to mitigate the damage. For example, the State of South Carolina recently spent $750,000 for a contractor to investigate a breach, do some initial cleanup, and obtain advice on fixing the cause of the breach. The notification costs were $1.3 million, which the state was required by law to spend. Finally, it estimated it would cost $5.6 million to encrypt the data so that future breaches would not succeed in exposing it. But all those costs were dwarfed by the $12 million it expected to spend on credit monitoring. While the state (or, more accurately, its taxpayers) is self-insuring, many companies carrying various types of insurance that cover data breaches receive insurance payouts for exactly these expenses. And so the well-worn path of breach investigation, notification, and credit monitoring is followed for each breach.
But that raises another question. Is the data that organizations consider most valuable really data about someone else, that is, personally identifiable information? And is the worst outcome identity theft, or is it something worse? Arguably, intellectual property and critical infrastructure have a greater bearing on our economic success and ultimately on our survival as a civilization. And yet we hear little about insurance payouts for loss of intellectual property or for damage to critical infrastructure such as power lines, generators, or water systems. In the case of the former, such theft happens all the time, but it is not reported publicly, because most state breach laws require notification only for loss of personally identifiable information, and because the Securities and Exchange Commission requirements mandating disclosure of material breaches are interpreted rather creatively. For the latter, we simply have not had many incidents of a cyber attack successfully compromising critical infrastructure and causing physical damage. In most cases, outages or physical damage have been due to a combination of human error and equipment failure.
Nonetheless, we can expect the harm from cyber attacks only to get worse, and that means insurance must evolve to meet those needs. Where human life and company solvency are at risk, insurance will be needed to provide real stability. During the RSA Security Conference next February, I'll be moderating a panel of experts on issues like this. The session, entitled "Everything You Wanted to Know about Cyber Insurance but Were Afraid to Ask," will be held at 9:20 am on February 28. Additionally, stay tuned for a podcast on the RSA web site previewing the session.