If your house is broken into, you have insurance to cover the loss. If your car is damaged, you have insurance to pay for it. If your business catches fire, you have insurance to cover the costs. But if your systems get hacked and you lose a lot of valuable data, do you have insurance? In most cases, the answer is no. More and more businesses are starting to understand the value of cyber-insurance, but is the high cost of this almost invisible insurance policy really worth it?
Because of a number of high-profile hacks, more companies are purchasing cyber-insurance, but as demand has increased, premiums and deductibles have also soared. As a result, the potential value of purchasing this type of insurance depends on the size of your business, its risk factor and the security protocols currently in place.
As with home insurance, when taking out a cyber-insurance policy the insurer will ask a lot of questions to estimate the costs of a breach. These will focus on the type of data you have and the security systems already in place. In some cases, there can be more than 300 questions to tackle. This is not the most accurate way of calculating risk, but the lack of cybersecurity professionals means insurers can’t afford an expert assessor. This can make the process of securing cover extremely drawn out and complicated.
The sector your business is in has a strong bearing on the cost of the insurance premium. AIG, for instance, only offers cyber-insurance to the top global banks, which are famed for having invested heavily in their cybersecurity departments. In the retail sector, prices have been hiked following attacks on Target and Home Depot in 2014. In the case of Home Depot, costs of $232 million were incurred in the attack, but only $100 million is expected back from the insurers. The cost of insurance can clearly vary hugely between industries, and those that have better security systems are more likely to get an affordable policy.
Another key problem with cyber-insurance is that most insurers are not cybersecurity experts themselves and are therefore unaware of some of the risks. This has meant some companies face lengthy legal battles to force their insurer to pay out in the event of a breach. The California-based healthcare provider Cottage was the subject of a hack that exposed patient data. It paid over $4 million to victims but was forced to return the insurance payout because its security system didn’t meet its insurer’s requirements. The devil is well and truly in the details with cyber-insurance.