In the past few months, I have noticed an increase in the amount of chatter concerning cyber security insurance. Originally proposed in late 2012, this idea has started to gain momentum. On the surface, it makes sense. A cyber security breach can cost an organisation millions of dollars, and in some cases will force a business into bankruptcy.
But I can see a downside. Is this idea popular because large companies want to mitigate the risk by having someone else pay for the consequences of the breach, or is it something more sinister—a desire to buy an insurance policy instead of paying the costs of training their employees and upgrading their systems?
I remember 20 years ago, you could get home and contents insurance for your property. You could also decrease the premiums by having deadbolts on all external doors, locks on all the windows, a burglar alarm and a ferocious, underfed Doberman. Today this is all mandatory, assumed and part of the everyday policy—well, minus the dog.
We usually take physically secure premises as mandatory and important. We have fire alarms, swipe card access, locks and bars. But our digital assets are less protected. Often it’s little things that put them at risk, like the receptionist leaving the front desk with the computer still logged on, or the sales team using the free Wi-Fi in McDonald’s. Practices like these expose digital assets to all forms of exploitation.
We need to treat cyber security as rigorously as we do physical security. The difference between an organisation that has done everything in its power to ensure that its systems are “digitally secure,” and an organisation that has merely gone through the motions, has to be recognised—otherwise, insurance companies will end up paying out millions to incompetent or irresponsible companies.
The only way a cyber-security insurance system will work is if there is a high level of business compliance. If an organisation has done it all, has achieved the highest compliance rating, and has a high-quality ongoing compliance process, then an insurance policy would be the logical next step. But insurance can never be a replacement for true protective measures.
Call me cynical, but I can see where this idea will fail. In our typically greed-driven society, board members will need to make sure that greed and high dividends do not override investing in business and digital security.
We will need to ensure that compliance audits are completed by qualified individuals who are above reproach. We also have to be aware of the other component, the insurance companies, who, like everyone else, are only interested in making money for themselves. They will need to develop criteria that accurately evaluate an organisation’s security practices, and pay out accordingly.
Is cyber security insurance a good idea? Yes, but only if it is done correctly. If not, it will be worse than nothing at all.