I believe that Cyber Insurance (CI) will be the driving force behind information security over the next three to five years. CI will have the same kind of effect that car insurance has had on car safety and security, or that life insurance has had in changing the types of lifestyles most of us lead.
When comparing CI to other insurance, it is possible that as more data on breaches is gathered, the ability to reduce your premium based on having lower risk factors will increase. If we take a look at car insurance, lowered premiums can be had because of car alarms, steering locks and trackers. All of these have since been either options or part of the standard specifications of new cars for some time. Life insurance provides lower premiums for people who don’t smoke or have a healthy body mass index. One of my health insurers even provided me with annual cash back if I could prove that I regularly used the gym (as opposed to just paying for gym membership). In home insurance, the premium can be lowered by creating a disaster-resistant home (e.g. adding impact-resistant windows) and improving home security (e.g. smoke detectors, window locks). When looking at CI, premiums could be lowered by having a more comprehensive cyber security program and by reducing the amount of information the company stores. I think this will truly show our industry which things really minimize either the chances of a breach or at least the losses it causes.
In order to offer the ability to lower premiums, insurance companies first have to learn what is considered to be a risk. I believe CI companies have been insuring businesses and taking losses just to build the actuarial tables needed to provide coverage. The companies they insure then give them in-depth access to the information regarding the breach, which has historically been hard to get.
Target and Home Depot are two high-profile companies that have experienced well-publicized breaches in the recent past. The Target hack of 2013 resulted in the theft of 40 million credit and debit card records, along with 70 million other records containing customers’ personal information, according to Reuters. The loss of customer payment information resulted in reparations totaling $264 million out of pocket. Target reports that insurance paid for $90 million of the $264 million. The 2014 hack of Home Depot affected 26 million card holders. Home Depot said it expects insurance to cover $100 million toward the $232 million in expenses from its breach. Large companies like Target and Home Depot have given CI companies a lot of data and foresight into how these issues happen, and into possible preventative measures. It’s this type of data that will help move our industry forward over the coming years.
My advice to CISOs of companies that already have an insurance policy is to ensure that someone with a comprehensive understanding of insurance has had a look at what your coverage is based on. Then sit down with them to check that it matches your program. Your firm needs to be doing everything it says it is doing in the policy; one slip and you could find you are not covered.
Those who don’t currently hold CI should speak to a broker specializing in this area and, if it fits your security plans, perhaps take advantage of the current market to get yourself the coverage you need. Whether insurance is part of your security program or not, it’s still the Wild West out there, and I think CI could well be the new Sheriff in town.
Tiro Security is a specialist staffing and professional services firm that focuses on helping small to medium size businesses inexpensively improve their security posture and lower their premiums. If you would like more information, please feel free to connect with me.