One of the most common questions we get asked is whether cyber insurance is a good idea and whether it's worth the cost. Numerous breaches in the news lately, such as Home Depot, Target, and most recently Sony, point to a good reason for getting cyber insurance.
Will cyber insurance help you repair your reputation after a breach? Absolutely not. It will help with the financial costs associated with the hack or compromise. Hiring lawyers, hiring computer forensics experts, and potentially replacing compromised hardware are just some of the costs associated with a breach. Target has spent $146 million so far since their security breach. Imagine how much Sony will spend because of their breach. They had to cancel the release of one of their movies, pay for security experts to track down how the breach occurred, try to repair their reputation, and try to protect the information of the people they employ.
Cyber insurance is a good idea for most businesses, but one thing most people don't realize is that insurance policies contain exclusions that can leave you up a creek. The majority of cyber insurance does not cover third-party vendors, which the majority of businesses now use. With more and more businesses relying on the cloud for critical business functions, cyber insurance will not cover any data stolen or lost while in the hands of a third party. This is the main area where cyber insurance can fall short.
Knowing the shortcomings of cyber insurance, it's imperative to know what data your vendor has and how critical that data is. We rely on vendors to provide self-assessments regarding their security posture, and as part of a good vendor management program we review SSAE 16, SOC reports, and PCI compliance reports, but these are only a start. Just because a company is PCI compliant doesn't mean it is as secure as it can be. Businesses should be diligent in their vendor selection process and perform security testing on that vendor and their software at least annually. The vendor is then responsible for patching any vulnerabilities found during testing.
So, is cyber insurance a good idea? Overall, yes; however, there are exclusions in policies to be aware of. With third-party vendors, additional security testing should be performed on those vendors whenever possible. Contact us online to learn more about possible holes in your security and how we can help.