Cyber-Insurance: Is it necessary? Should it be mandatory?

Insurance: I remember the “olden days” when many/most people didn’t have any.  For much of my parents’ adult life (and during my childhood), insurance of all types was completely voluntary.  The law didn’t require you to buy liability insurance in order to drive. Now if you get caught on the road without it, you pay a big fine. Homeowner’s insurance was something that some folks had and others didn’t. Now not only mortgage companies require it to get a loan, but many HOAs have rules that require you to have it even if your house is paid off. Health insurance, up until recently, was a nice employment benefit and those whose companies didn’t offer it often didn’t have any. As of this year, the federal government mandates that you buy coverage whether you want (or can afford) it or not.

It comes as no surprise, then, that in the wake of multiple high profile data breaches affecting popular retailers such as Target, Home Depot and Neiman Marcus, health care providers, and government agencies, there are rumblings calling for mandatory cyber insurance for large companies that are most likely to be targeted.

There’s no denying that the costs of a significant data breach can be massive. Ponemon Institute’s report, 2014 Cost of Data Breach Study: Global Analysis, pegs the average cost for U.S. companies at $201 per record. Even using Ponemon’s numbers for 2013 ($188 per record), the Target breach a year ago that affected 70 million to 110 million customers would have an estimated cost in the billions.  Target itself reported a cost of $148 million in a quarter.  Of course, the direct cost of compensating customers, increasing security, etc. is only part of the story. The company also expected a drop in earnings resulting in a dip in stock value.

Ponemon’s analysis calculates both direct and indirect costs of breaches. The indirect costs include the extrapolated value of customer loss and diminished customer acquisition rates. An interesting factoid from this year’s Ponemon study is that having a strong security posture and incident response strategy decreases the cost of data breaches when they do occur.

Insurance providers have already seen the silver lining of opportunity in this cloud of data breaches, and both established insurance companies and new “specialty” companies have rushed to offer cyber insurance to protect organizations from the crushing cost of a major breach.  The market is not yet mature, though, and the products can vary tremendously since there’s a lack of real standardization at this point. As with the purchase of any insurance, it’s wise to do a risk assessment and a cost/benefits analysis to determine whether it’s worth it for your particular organization.

If you decide to purchase insurance, you’re taking on an extra cost that’s a certainty, for something you might or might not ever use. If you choose not to purchase insurance, you’re taking on the possibility of a much larger cost if you get unlucky.  The question is whether it makes more sense to gamble that your company won’t experience a breach, or to pay in year after year for the peace of mind that if it does happen, you’ll be covered. The irony of insurance in general is that those who need it most – the ones who least can afford the expense of a loss – are usually also the ones who are operating without much extra cash and hence may not be able to afford the insurance.

The possibility of laws mandating cyber insurance coverage would raise many issues. The added cost to companies would most likely trickle down to their customers, raising prices. The government mandates would inevitably include additional rules aimed at protecting the insurance companies that cover the risk (the insurance industry has a huge lobby in the national and state capitals), which could work to the detriment of the companies.

The question has been raised as to whether mandatory cyber insurance would drive improvements in security, or whether it will have the opposite effect, allowing organizations to be more lax because after all, they aren’t the ones who’ll have to pay if a breach occurs.  Looking at how people respond to having other types of insurance, there seems to be evidence on both sides.  Whereas insurance might take away some of the financial incentive to avoid having motor vehicle accidents or to take measures to prevent home fires and other damage, it adds back another monetary incentive: we know that if we make a claim, our insurance premiums will go up and if we make too many claims, our policies might even be cancelled.

Another aspect of the cyber insurance issue is the reputation factor. Even if companies don’t have to worry about paying for the consequences of a breach, there is no way the insurance company can fully compensate them for the loss of customer trust that results when the news that their data has been exposed goes public.

Perhaps the more troubling thing about legislating mandates to buy insurance is that this is a case where equal treatment may not be the most “fair” solution. That is, different businesses have different needs when it comes to insurance, because of the types of data and transactions they handle. Creating laws that addressed every different industry or field would make for an incredibly complex statute. Taking the easy way and applying the same rules to everyone would place an unfair burden on some companies that are at very low risk.

In addition, a government mandate means a burden on the taxpayers who will have to finance one more big layer of administrative personnel to monitor for violations and take enforcement action, in an era where government spending and debt are already out of control. A middle of the road solution might be to mandate insurance only in certain industries, such as health care and financial services – in the same way regulatory compliance acts apply only to certain industries – but this still extends the “slippery slope” of government control.  It’s almost a sure thing that more and more industries will be included as time goes on. Will we reach the point where even individuals who want to connect to the Internet must buy insurance first, “just in case?”

This idea is sure to be debated both in the press and in the halls of government, for some time to come. In the meantime, buying cyber insurance on a voluntary basis is something that many businesses should at least be considering.