Should Your Company Get Cybersecurity Insurance? by Will Yakowicz
The recent Sony breach was epic--more than 100 terabytes of data was compromised, including company employees' personal medical records, embarrassing email correspondence, and unreleased films.
To top it all off, the breach leaked Sony's internal IT assessment--a report that explained the company knew it was ignoring basic security protocols and had a large number of unmonitored devices that left the entire network vulnerable. According to Wired, Sony kept unencrypted documents containing usernames and passwords, social security numbers, and other sensitive data.
This was even after Sony had been the target of other attacks in recent years where the data of millions of customers was stolen. On Monday, two former Sony employees filed a class-action lawsuit against Sony for not securing sensitive employee data.
This is not the first lawsuit against a company after a major security breach. Target was sued by its customers after its high-profile attack, but a judge threw out the suit. After the Adobe breach in 2013, customers sued for damages from an "increased risk of future harm by identity theft," according to corporate law blog Employer Law Report. Unfortunately for Adobe, in that instance the court decided the plaintiffs had a sufficient claim to pursue a case.
"The [Adobe] case signals that the courts are ready to start...recognizing new types of harm that security breaches and inadequate security measures cause or trigger," Princeton law professor Andrea Matwyshyn tells Wired. "We're seeing courts more willing to entertain these kinds of lawsuits because the problems are real--particularly if you have evidence of a history of known security flaws that went unfixed a court would be more likely to consider a suit by employees or other harmed parties."
To protect against data breaches--which 3,000 companies suffered in 2013, according to the Center for Strategic and International Studies--the best move is to hire a cybersecurity firm that knows how to shore up your network. Now, however, many companies are taking steps to protect themselves financially after an attack as well. The Washington Post reports that U.S. companies are expected to pay $2 billion worth of cybersecurity insurance premiums this year, a 67 percent increase from 2013.
Companies feel the need to take out a cyber-insurance policy because the financial cost of an attack can be devastating. Target's data breach cost the company $146 million and counting. Just the act of notifying customers of a breach affecting their credit card data starts at $500,000, Roberta D. Anderson, a partner at K&L Gates in the law firm's cybersecurity practice, tells the Washington Post.
While a cyber insurance policy can provide some peace of mind, one expert stresses that it's no substitute for having an in-house cybersecurity expert and following the best practices and protocols.
"I am concerned people are thinking, 'Oh good, I'm covered now because I have cyber insurance!' That's madness; the reality is that insurance will put some money back in the bank after the breach, but it will not restore consumer confidence [or] get the regulators to stop living in your organization for the next decade," Pat Peterson, the founder of San Mateo, California-based cyber security firm Agari, tells Inc. "People think cyber risk is completely a financial issue. They are completely missing the boat. If they care about the financial issue, do a cost-benefit analysis. No one says they have great health insurance and decides not to care about their health, so it's important we don't think about cyber insurance the same way."
Peterson adds that your primary concern should be protecting your customers and employees. Insurance policies will cover some of your company's financial losses after a breach, but they do nothing to protect your customers' data. At the end of the day, he says, cyber insurance is just insurance.
"It is a worthwhile investment to get cyber insurance, but it is not the solution," Peterson says. "You're not covered [in terms of data protection], you just get some lost money back. The actual impact on your business is far greater than the financial costs--it's your brand, your reputation, government oversight, and your job if you get breached like Target. There's no CEO job insurance."