In this month’s debate, experts discuss whether or not companies should be obligated to sign up for cyber insurance.
David Navetta, partner, InfoLawGroup LLP
Data breaches are systemic in nature and now almost inevitable over time for most businesses. The high cost of responding to these attacks is beyond what many businesses can afford to pay, and we are now at a point where cyber insurance is more than an optional add-on for businesses holding personally identifiable information – it’s a critical must for risk management. However, only one-third of companies have a cyber insurance policy and, due to potential “adverse selection” in the insurance market, available insurance options may decrease. With so much at stake for consumers, investors and the business owners themselves, it is important for cyber insurance to be a mandated requirement for certain types of businesses (i.e., payment card, health care, financial). A mandatory system is the only way to spread the risk of a data breach across wide segments of the economy, as well as to ensure that all companies are properly accounting for their own level of risk, provide funds to compensate victims of data breaches and keep the cyber insurance market itself sustainable.
John Michener, chief scientist, Casaba
Cyber insurance is a valuable resource for businesses to use, but mandates are a potentially destructive way to go about it. Cyber threats are not uniform and different businesses face different threats. A business handling credit card processing has different issues than one handling medical records. Contractors handling classified data fall under different regulatory authority than banks – although both report to the U.S. government about their security. Right now, companies can shop around for a wide range of cyber insurance policies that are appropriate to their individual needs. A governmental mandate to have “appropriate” insurance would be effectively unenforceable and a regulatory approach would soon result in the imposition of relatively rigid security and compliance controls that could have significant impact on business operations. Rather than mandating insurance, companies should be liable for the cost of their compromises and let them manage the ensuing risk by some combination of internal security investments, cost acceptance and insurance.
For more about cyber insurance, check out this month’s cover story, Insuring success.