Target, Home Depot, JPMorgan Chase — the list of high-profile data breaches in the past year stretches ever onward. It’s hard not to reach the conclusion that IT has entered an era where this is the new norm. Large data breaches are now one of the costs of doing business. After setting up all the technology and drilling coworkers on email security best practices, what’s a CISO to do? Maybe it’s time to consider a cyberinsurance policy.
As recently reported by Kelly Jackson Higgins on Dark Reading, research from the Ponemon Institute reveals that the number of cyberinsurance policies purchased by companies has more than doubled in 2014. Also, U.S. premiums are estimated at about $1 billion today.
The topic came up during a panel discussion last month at SC Congress Chicago, a conference and expo for public- and private-sector information security professionals. One of the panelists, John D. Johnson, Ph.D., global security strategist at John Deere, laid out the case for the value of a cyberinsurance policy.
“There have been many cases where companies were PCI compliant but still have breaches — they did their due diligence,” Johnson explained. “Cyberinsurance helps mitigate some of that risk.”
Cyberinsurance works like other types of insurance: When an enterprise purchases a policy, the cyberinsurers work with the company to ensure that its security policies comply with industry best practices. Depending on the level of risk management that is maintained, the business may qualify for reductions in the premium it pays for the policy. A cost savings on the premium serves as a significant incentive for the enterprise to maintain high levels of security.
Cyberinsurance has the added bonus of offering a benchmark to better explain the business value of security. “As a security professional, it’s very much a challenge to communicate our value to the business,” Johnson said. “If we can save potentially millions of dollars on our cyberinsurance policy because we are certifying ourselves to certain standards, that’s huge.”
This type of insurance may see continued growth as connected devices become more commonplace within enterprises with the Internet of Things. With no security standards in place for these devices, they present a degree of risk that companies can’t ignore and that warrants a cyberinsurance policy.
“When we have an area of risk that really isn’t being adequately addressed today, like IoT, that needs to be an area where there are assessments and risk management is applied,” said Johnson. “And if the company is compliant with policy standards, then they should get a reduction on their premium.”