Most organizations have allocated, and continue to allocate, substantial funding and resources to protect their information assets. As the risk of a breach continues to escalate, the adage we've heard for years, “It's not if, but when,” really hits home. Every day we read about another organization that has been hacked, and it causes us to ponder, “When will it be my company?” It doesn't matter if you're in the public or private sector or what state or city you're in – we're all targets.
We recognize that not all breaches can be stopped. Monitoring and being prepared to respond are just as important as the safeguards we have in place. Despite all those precautions, training and best intentions, there is no guarantee – the environment is just too dynamic. Bad actors are using more sophisticated methods, we're watching as data drifts off to the cloud, folks want to use their own mobile device(s) for business, and we know our weakest link remains “the human factor.”
So, what's a CISO to do? If no one can guarantee an organization is hack-proof, then perhaps it's time for a more practical approach – cyber liability insurance. This is a relatively new line of business for insurance companies and it continues to evolve. It's not quite as straightforward as purchasing fire or flood insurance. There are a number of factors to consider, and it's wise to research and be prepared for some interesting negotiations. We all know insurance cost is based on risk, but it's more straightforward to evaluate risk in the physical realm, where you can see and touch it. Also, insurance companies don't have a long history of data on which to base rates, and that makes them very cautious. Translation: it's a higher risk, therefore higher costs.
The key is to be prepared with factual risk data about your organization. The more effectively you can make your case, the lower your insurance coverage costs could be. Insurance companies understand no organization is bullet-proof, but demonstrating what your company is doing to reduce cyber risks will be critical. Ensure you know and understand the laws affecting your organization, including applicable state, federal and other regulations. If your organization is compliant, you'll need to prove it, so consider using your audit results to demonstrate that.
The takeaway is: Start to explore if some aspect of cyber liability insurance makes sense for your firm. At a minimum, it will demonstrate to your senior management you are thinking about risk from a broad range of perspectives. The concept of cyber liability insurance is new to the C-suite, so some education is definitely in order. It's a great opportunity to take a leadership role.
»Lock in the details
As with all insurance, says Masse, it's important to understand what's excluded in the plan, as well as what's included. This requires a lot of discussion with your carrier about specifics.
»Taking their chances
A recent survey by Zurich North America revealed that only 36 percent of companies with more than $1 billion in annual revenue have cyber insurance coverage.
Cyber is dynamic, so the playing field continues to change and morph. Talk to your peers in other organizations to learn what they're doing and gain from their experience.
Recent reports indicate costs for a breach average about $194 per record, and costs can soar quickly, says Masse. So, there is good reason to get insurance on your radar screen.