IT managers, CEOs – and nearly everybody in between – now understand that the unemployment line is as close as the next leakage of sensitive corporate data or customer information. Millions of consumers, their digital identities a hack away from the hands of increasingly sophisticated cybercriminals, live in fear of emptied savings accounts and single-digit credit scores.
For cyber insurance providers, though, the current climate of concern has left them anything but anxious. In fact, business is booming, at least for one broker, according to this July 6 Entrepreneur online article:
“Robert Parisi, network security and privacy practice leader for insurance broker Marsh USA, a unit of Marsh & McLennan, told CNBC that on the heels of a 21 percent increase in Marsh’s cyber insurance sales in 2013, sales for the first half of 2014 are double what they were for the same time last year.”
Cyber insurance policies, offered by an increasing number of underwriters, including Travelers, AIG, Chubb, ACE Limited and CNA, vary significantly in coverage packages. Most policies, though, will cover an incident investigation, customer notifications, reputational and crisis management, lost business and the cost of credit monitoring, according to Entrepreneur.
Despite what seems to be fairly comprehensive coverage, enterprises are discovering that cyber insurance payoffs, depending on the extent of the breach, are falling short of actual costs.
The New York Times recently estimated that even large organizations are only able to string together policies that cover roughly $300 million in losses, which only begins to replenish potential revenue declines businesses might suffer in the wake of high-profile privacy violations. Until cyber insurance providers have a better handle on the frequency and nature of cybercrimes, a process the article says is hampered by the failure of most companies to detect or report breaches, underwriters will be reluctant to offer larger coverage packages.
Soaring Legal Fees
More bad news for businesses looking to lessen financial fallout from security breaches through cyber insurance is that legal expenses are also on the rise.
Lawyers involved in cyber security litigation were no doubt licking their collective chops following a recent settlement between health insurance provider AvMed Inc. and plaintiffs suing for damages related to the theft of two laptops containing the personal information of 1.2 million customers. According to a May 8 article on the Winston & Strawn LLP website, the health insurer agreed to pay a total of $3 million to settle the class action lawsuit. Though the reward was not large, the resulting precedent may have a severe financial impact on businesses that violate customer privacy in the future. A court ruled for the first time, according to Winston & Strawn, that plaintiffs were entitled to compensation despite the lack of evidence they had suffered actual financial losses or other damages due to the security breach.
The court’s departure from a “no harm, no foul” approach to privacy litigation could significantly drive up legal costs in the future. Financial organizations with tens of millions of customers could be on the hook for massive payouts following a data leak – even if the exposed information is never used for identity theft.
The frequency of incidents similar to the AvMed breach is also likely to increase. Enterprises are empowering workforces to conduct more and more business from mobile devices, making tablets and smartphones – many of which do not support data encryption – common receptacles for sensitive customer information.
In the white paper Mitigating Security and Compliance Risk with EMM, market research firm Heavy Reading suggests that personal mobile devices used for work but only loosely managed by an enterprise mobility management (EMM) platform are particularly porous defenses against cyber-attacks and data theft.
“Mobile devices are arguably the weakest links in any enterprise security framework,” says the report. “Accelerated BYOD adoption is producing a litany of security and legal risks, and consequently a long list of impending sources of financial loss.”
A recent US Supreme Court ruling could also raise the price tag of future security breaches. By bolstering the protection of personal information, the decision may signal an elevation in penalties for digital privacy violations.
Cyber insurance is a good idea, a smart choice for lessening the impact of the unforeseen. But it’s no substitute for an end-to-end mobile security strategy that protects your data – and the CIO or IT manager’s job.
Even if there’s no such thing as 100% security, organizations of all sizes should still strive to encase their corporate and customer data – stored on behind-the-firewall servers or mobile end points – in ironclad security.