This hasn’t been a great year for data protection — just ask Sony or Lockheed Martin or anybody on Anonymous’s hit list. Of course, it isn’t just large corporations that need to worry. As the Verizon 2011 Breach Report pointed out, small- and medium-sized businesses are at even greater risk for a hack attack. As an article at Fox Business stated:
Organized crime views such companies as high-reward and low-risk targets, and with automated means for stealing data, they can steal as much (or more) data as from larger organizations.
No matter the size of the company, getting hacked is costly. For this reason, a growing number of companies are turning to cyber insurance as added protection. That’s a good start, but you have to be careful. According to a Reuters investigation, there are a surprising number of businesses that are seeking cyber liability insurance that may end up over-protecting themselves and land with a deductible in the millions of dollars in hopes of keeping premiums down. The average breach, according to a Ponemon Institute study, cost $7.2 million last year. That in mind, a small business probably doesn’t need to have an insurance policy worth $25 million.
In an email, Brian Lapidus, chief operating officer for Kroll’s Fraud Solutions told me that it’s important to understand the nuances of cyber insurance coverage, particularly if the main goal is covering risks associated with a data breach. He added:
“Crisis management” (which would cover the cost of a data breach) is generally one small portion of the overall policy and typically comes with a cap on coverage, which means that many crisis management costs — including breach notification, data forensics and investigation – may not be covered. For this reason, it’s important that you take a holistic approach to risk management – even when you think insurance has your back.
I suspect having cyber liability insurance is going to be as important to a business as any other type of enterprise-related insurance, but insurance can only do so much. Just like protecting your vehicle requires being a safe driver as well as having an insurance policy, enterprise needs to minimize security risks as well. Lapidus provided the following tips for minimizing financial risks in a data breach:
- Utilize an ongoing breach preparedness program.
- Engage outside counsel for advice on regulatory requirements.
- Plan to conduct a forensic investigation.
- Employ delivery optimization techniques to cut your notification costs.