If someone steals your credit card number, the issuer doesn't make you pay. They get their money back through user fees and insurance. When I first heard about Beazley's security breach insurance, I worried, because a breach costs more than money. Yes, insurance could pay fines and damages to monetarily take care of Adobe or JPMorgan Chase; these giands won't lose cash. But personal data for all affected individuals is still out there. Worse, having insurance might create a sense of complacency about actually hardening security. Thinking along those lines, I almost discarded Beazley's press release.
More than Money
As it turns out, there's a lot more to Beazley than restoring monetary losses. Katherine Keefe, head of Beazley Breach Response (BBR) Services, explained that "From start to finish, Beazley works with companies to both prepare for and react to breaches." Before anything bad has happened, the BBR team works with clients to set up protocols for incident and minimize "any financial or reputational damage." Having a plan in place definitely makes sense.
When a breach does occur, the team leaps in to connect the victim company with resources including legal counsel with relevant experience, forensic IT specialists, and experts in notification and compliance. This last group can help comply with state and local regulations, avoiding potentially huge fines. The company's partners include "top-flight lawyers, forensic experts, crisis communications professionals, notification experts and credit monitoring services."
You've Already Been Hacked
A recent study by NSS Labs, reported on just two boutique exploit providers, companies that sell information about as-yet-unreported security holes. The report concluded that just these two vendors would typically have well over 100 exploits for sale, at prices crooks can afford. Of course, there are plenty of other such vendors, so the real number is much higher. Researchers at NSS Labs concluded that you should assume your network has already been hacked. They advise preparing now for the inevitable breach.
Beazley's Keefe agrees. "Though breaches can never truly be prevented," she said, "Beazley recommends companies take a number of proactive measures. They include having a ready-made plan in the event of a breach; employee training regarding handling sensitive data; and using encryption services for both large-scale computer networks and mobile devices."
Beazley has just managed its 1,000th breach, so they must be doing something right. I'm reassured to know that data breach insurance can be a help to security, not a hindrance. On the other hand, the company claims it's "the only insurer in the industry with a dedicated in-house breach response team." If that's the case, it leaves me just slightly worried about the rest, the insurers that don't have a response team.
This article can be found at: https://securitywatch.pcmag.com/hacking/318741-data-breach-insurance-will-it-help-or-hurt-your-privacy