Is Your Company Cyber Insured?
Data in all forms is always vulnerable to security risks. In recent years, several organizations have faced one or multiple data breaches. A cyber-crime is unavoidable regardless of the business size. Most if not all organizations, have been targeted by hacker communities for sensitive data such as – client data, credit card information etc., that they hold.
A security breach which results in data leak can cause significant damage to a company. This could be in the form of:
- Cost of finding the breach and filtering out the affected customers
- Cost incurred in intimating the loss to affected customers
- Legal cost incurred to defend against claims
- Government fines
- Loss in brand value
- Loss of customer trust
- Data recovery cost
Data is interconnected through servers all around the world, and so are cyber thieves. There is no fool-proof workaround to stop these attacks. Anyone can be cyber attacked and there might be a situation where we may be mute spectators as our business data leaks. What organizations can do to protect themselves against cost incurred, is to buy liability insurance. An arrangement in which organizations are compensated for loss that they incur when sensitive information is leaked.
Various insurance companies provide different coverage modules to suit each insured. Here is a list of a few expenses that a cyber insurance can reimburse:
- First-Party and Third-Party coverage – Protection for both owner and affected customers who entrusted their data to the First-party.
- Enquiry Charges – Cost of detecting infected areas either using an in-house team or through third-party vendors.
- Notification Charges – Costs incurred to notify the customers whose data is been compromised and resulting customer support expenses.
- Business Interruption and Recovery Charges – Covers losses due to business slowdown and expenses incurred to make the organization continue normal operations.
- Fines and Legal coverage – Costs to defend claims and judicial proceedings.
The most important feature that is hard to quantify in a Cyber Insurance policy is the damage to the company’s reputation and its customer’s trust. Also, it does not cover for the loss in a company’s sales.
There is no predefined standard policy for cyber insurance. Every organization does have a unique risk profile attached to it. Many businesses use a General or Standard Liability insurance. This type of insurance covers only for physical damages, i.e., in case of loss or damage of company property, or copyright infringements, say, if a company’s brand name is promoted for a different purpose. This type of insurance does not cover cyber attacks. There is no proper indication that cyber insurance may be added to a standard business insurance anytime in the future too.
Who needs Cyber Insurance?
- Any organization that deals with sensitive data
- Organizations that entrust a third-party vendor to work on their data
- Businesses that have tie-ups with government organizations
- Companies which do not have a Crisis Management team
In 2013, the famous US Retailer giant Target Corporation had witnessed the largest data breach of that year, losing sensitive data of as many as 70 million people. Target Corporation continues to pay for its legal fines which currently accumulates to $291 million. Although the company had opted for a cyber insurance of $100 million, the company’s profit was halved. This case proves that larger companies must start to analyze the overall risk inclusive of the legal and regulatory coverage and choose a proper insurance policy that may cover most of its losses.
Insurance is not a means to protect against cyber attacks, but it is relief for the losses incurred after any data compromise.
Now, the basic question that pops up is – how big must a company be to get it insured. It is important that any small-scale and mid-sized business take cyber liability insurance. This will ensure that even if there is serious data loss, the company can tighten its emergency security measures using the insurance money until it is stable. Companies operating at a larger scale should first strengthen their security measures, chart out a risk assessment profile and then choose their policies. For companies that aid the Government, it is mandatory that they upgrade their data security control per norms before applying for a contract.
A cyber breach has its fair share of damage on the consumer side too. Customer data like emails, passwords, banking credentials etc., is compromised during this event. On top of it, consumers may not have any idea about it. Cyber insurance covers for notification charges during such breaches and losses incurred due to it.
While cyber insurance can protect companies against loss, who protects the loss of privacy of consumers? In the end, it is the consumer’s data that is lost and is now in malicious hands. Who will compensate consumers for the loss of their privacy? The big question is, “Who owns the consumer data that is stored by organizations?” Answers to this question will help us answer if organizations carry any liability for the loss of data towards their consumers.