As data becomes increasingly valuable, organizations are inclined to collect and sell the personal information of customers and employees. As these collections of data grow larger, the odds of a data breach occurring grow larger as well. TechTarget defines a data breach as:
“… an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so. Data breaches may involve payment card information (PCI), personal health information (PHI), personally identifiable information (PII), trade secrets, or intellectual property.”
The Identity Theft and Resource Center reports that 668 breaches consisting of 22,408,258 records occurred between January 1st and July 2nd, 2018. These breaches can be the result of a variety of incidents. In their Breach Portal, for instance, The U.S. Department of Health and Human Services separates these into 5 distinct categories:
- Hacking/IT Incident
- Improper Disposal
- Unauthorized Access / Disclosure
Regardless of whether a data breach is the result of an insider threat or external malicious actor, cyber liability insurance – also called cyber risk insurance – can cover a wide variety of financial expenses associated with an incident. Contrary to popular belief, this particular type of coverage isn’t just for large enterprises and governments. In fact, Verizon’s Data Breach Investigations Report (DBIR) summarized that 61% of 2017 breach victims were businesses with under 1000 employees. Any organization that collects or handles Personally Identifiable Information (PII) can become the victim of a data breach. PII includes but is not limited to information such as names, dates of birth, social security number, and home address.
While every incident is different, cyber liability insurance generally covers the cost of:
- Business Interruption
- Credit Monitoring
- Defending Claims by Regulators
- Fines & Penalties
- Data Loss / Destruction
- Forensics Investigations
- Cyber Extortion (Ransomware) Reimbursement for credible threats
- Cyber Terrorism
- Crisis Management / Public Relations
One item not covered by liability insurance is the inevitable reputation damage that occurs in the aftermath of a cyber incident. Often difficult to predict, this can take many forms, including a loss of trust on the part of consumers and investors, as well as a drop in stock price. As it is still a relatively new concept, it’s difficult to determine accurately what role cyber liability insurance will play in the information security landscape. Insurance is simply another resource available when data breaches occur, and should not be used as a substitute for following best practices.
If you’re interested in learning more about cyber liability insurance and getting a quote, our friends at CoverWallet have you covered.
Gotham Sharma is a cybersecurity advisor, educator, mentor, speaker, and trainer. He presently serves as the Managing Director of the Exeltek Consulting Group, and has been nominated for the ‘Cybersecurity Educator of the Year’ award. If you enjoyed this article and others like it, you can vote here.