If you’re a Target shopper, as I am, you were probably disturbed to learn about the significant data breach the company suffered during the last holiday season. Now, insurance exists for many different kinds of risk—there is even terrorism insurance—so of course there is such a thing as cyber insurance. But how useful and economically feasible is it for major retailers such as Target and other companies?
An interesting article in InformationWeek tells us:
Companies ranging from single-site firms to multinationals generally deploy a wide array of techniques in an effort to thwart cyber attacks. However, not all techniques are effective, and not all companies implement those techniques in a manner that achieves optimal results. Even when a company does have a strong risk management program, most insurers don’t have an objective, evidence-based method to assess its risk profile. This uncertainty and lack of objective intelligence can result in policies with high premiums, low coverage, and broad exclusions.
Questionnaires used in cyber insurance underwriting as part of the application process can be broad and subjective, as well. They give an indication of security policies and procedures that may be in place at a given company, but not how effectively those policies and procedures are implemented.
Cyber insurance is still a relatively new product. Since hackers are constantly modifying their methods and thinking of more ingenious ways to steal and deceive, it is difficult for an insurance company to judge to what extent a company is equipped to handle the latest threats. This, of course, translates to high premiums. Moreover, the true cost of a breach is often so high (as this article notes, in Target’s case the cyber attack might have cost the company over $1 billion) that insurance won’t cover all the losses.
Below the article, a shrewd commenter notes that cyber insurance is ultimately unsustainable, since “there isn’t a low risk group to offset the losses of the high risk group.” Another way of saying this is that everyone is a member of the high risk group. Hackers target small firms, large firms, individuals—everyone. Put in terms of medical insurance, imagine if there were no young, healthy people to offset the cost of covering older people. Imagine further that there were no objective way to tell whether these older, sicker people were prone to or at risk for any type of major illness—whether they were smokers, etc. Premiums would have to rise across the board for everyone.