As data breaches become more common, we tend to pay less attention when we hear about hackers stealing millions of records containing sensitive personal and financial information. It’s becoming just another news story.
Make no mistake, the consequences of data breaches can be devastating. Identity theft leading to financial fraud costs consumers billions of dollars every year and countless wasted hours spent setting things right. Businesses also end up spending millions to restore systems, fix security weaknesses, notify victims and settle lawsuits.
However, analysis by Forbes.com in March suggests that businesses actually paid much less than expected. Why? The combination of insurance reimbursements and tax deductions.
Target reportedly incurred $252 million in gross data breach expenses related to its 2013 hack, but with insurance reimbursements of $90 million and tax deduction offsets, its net loss was closer to $105 million. Other large companies have realized that insurance coverage is a major component in offsetting the final costs and managing risk.
The cybersecurity insurance market is expected to grow significantly over the next few years. It might be time for small businesses to seriously evaluate insurance coverage for cybersecurity breaches. This is particularly relevant to businesses operating in regulated industries such as finance and health care. Businesses should evaluate the risk and the cost of mitigating that risk with insurance.
As an example, in 2015 the Ponemon Institute estimated that the cost of a data breach was approximately $154 per record. Therefore, if the Social Security numbers of 500 customers were in a database that was breached by hackers, the potential cost to investigate, recover and compensate victims for the breach would be $77,000. This is a rudimentary example, as you must evaluate all risks, but it’s a starting point.
It’s important to proceed with caution. New cybersecurity insurance products are popping up, so evaluate them carefully to make sure the premium costs are reasonable compared with the potential liability and that the coverage is directly applicable to that liability. You don’t want to spend $10,000 to cover a potential liability of $2,000.
Finally, be advised that most cybersecurity insurance applications will have a list of questions about the type of cybersecurity controls you have implemented on your systems to help determine your level of risk and eventual insurance costs. These questions resemble those asked by consultants conducting a cybersecurity assessment using best practices and regulations as guides. Therefore, you might want to consider having an initial assessment done to understand your baseline, reduce your risk and position yourself for reasonable cybersecurity insurance coverage.
The cybersecurity risks of data breaches and operational disruptions are being better quantified. Businesses should take advantage of this information and the insurance coverage opportunities to reduce their overall risk.
Michael Miranda, director of information security at Hawaiian Telcom, holds current Global Information Assurance Certification (GIAC) and is a Systems and Network Auditor (GSNA), a Certified Intrusion Analyst (GCIA) and Certified Forensic Analyst (GCFA). Reach him at michael.miranda@hawaiiantel.com.