Mandatory cyber insurance: Driving improved security or passing the buck?
Target, Neiman Marcus, and other big time data breaches have highlighted a recent trend of corporate imprudence with customer data – putting both their businesses and their customers at risk. The cost of these breaches has already reached millions of dollars and we have yet to see the full effect as credit card issuers will surely try to recoup their re-issue expenses. Astonishing as they may be, these breaches are not the first and most certainly will not be the last.
The costs of data breaches have been astronomical and continue to go up. According to a recent study by the Ponemon Institute, the cost for each record lost is $136, up from $130 in 2012. The cost for U.S. and Germany is significantly higher at $188 and $199, respectively.
These breaches, their ramifications, and the resulting clean up expenses have provided discussion fodder calling for mandatory third-party cyber insurance. This would help ensure that they can cover the financial liabilities for damages caused to others (i.e. customers and other organizations) whereas first-party cyber insurance only covers losses only to the targeted organization (compensation for downtime, recovery costs, etc.). Although we have seen an increase in both the cost and frequency of large-scale data breaches, a recent study reported that only about 30 percent of companies in the study actually carry a cyber insurance policy.
We have seen another example where liability insurance is mandatory – vehicle insurance. Vehicle liability insurance protects against the default of payment by liable parties. My coverage ensures that I can provide compensation for any damage I may cause with my vehicle and protects me from going bankrupt in the process. In the U.S., vehicle insurance is governed by individual states and is mandatory (with a couple exceptions). Proof of insurance is required before a car can be registered or, in some cases, before a drivers license can be issued. There are similar directives in Europe mandating liability insurance.
Vehicle insurance companies determine premium rates based upon several factors such as the riskiness/history of the driver, the type of the vehicle insured, and the amount usage (miles driven / year). Safe drivers, driving in safe cars, have lower premiums than risky drivers (history of crashes) driving high-risk cars.
Cyber insurance premiums (both first- and third-party), in many ways, are determined like vehicle premiums. Insurers determine the premium costs based upon the cyber “riskiness” of the insured. For example, if an e-commerce organization collects and maintains sensitive data – such as credit cards or personal information, the insurance premiums, in particular for third-party coverage, could be higher than organizations that do not. How and where this information is stored also factors into the coverage rates.
Mandating cyber liability insurance could be the stick needed to get organizations to focus more on improving their security posture – as opposed to simply ticking compliance checkboxes (both Target and Neiman Marcus claim to have met PCI DSS requirements). Investments in security technology, such as data encryption and anomaly detection, could significantly reduce cyber insurance premiums – resulting in justifiable ROI. Or, maybe mandating cyber insurance enables organizations to simply pass on liability to the insurers without owning responsibility.I am leaning towards enforcing liability insurance for organizations at high risk for attack. Recently it was reported how Liberty Mutual Insurance helped to thwart a cyber attack against one of its customers. In the last year, we have also seen that both the U.S. and the EU have taken a particular interest in the impact of cyber insurance. It would not be surprising if we see some action on this front in the near future.