Every month, it seems that major breaking news provides details of a new hacking attack or breach affecting small and medium-sized businesses in the United States. Even as businesses seek to improve their IT security measures, they are also under pressure to meet increasingly high regulatory hurdles regarding their policies, procedures, and software so that personally identifying information will not be exposed to criminals or the public at large. Managers and business owners concerned about these twin forces are beginning to turn in greater numbers to a novel solution: cyber insurance.
Cyber insurance is a relatively new product. Events like fire and theft can be predicted over large geographic areas and spans of time with a degree of accuracy, but the online threat environment is much less well understood. For this reason, even companies that sell cyber insurance are not completely certain of the validity of their pricing models. This should concern business managers and owners, since the purpose of insurance, of course, is to supply funds when a covered event occurs. If cyber insurance companies calculate risks inaccurately and a major breach affects many of their clients at once, an insurer might end up bankrupt and unable to pay all its claims.
According to current estimates from industry leaders, the average cost of $1 million worth of cyber insurance coverage ranges from $10,000 to more than $30,000, and there are currently more than 20 companies offering some type of cyber insurance. While purchasing a policy can certainly become an integral part of IT risk management in some companies, it is important for businesses purchasing policies to proceed with great care.
One potent danger is that, with a policy in place, businesses may be tempted to feel that they are ‘covered’ and therefore do not need to be quite as vigilant in preventing and mitigating IT risks in the future. It is best for businesses, of course, if a breach never occurs at all, for reasons of reputation if nothing else. No amount of insurance is likely to compensate a company for the loss of its good name should it come to light that IT security considerations were not being treated with all due seriousness.
Since the cyber insurance landscape is such uncharted territory, businesses that are considering it as a solution are advised to work closely with an IT consulting firm. Such firms can help businesses evaluate the pros and cons of various policies in light of their own technical and business circumstances.