
    Eyal Katz
    Mar 02

    The Complete Guide to Data Breach Insurance

    No one is immune to data breaches

    It’s been noted that there are two types of organizations – those that have already suffered a data breach, and those that will fall victim to one sooner rather than later (most likely sooner).

    The hard truth of this statement is reflected in the fact that according to some sources 97% of networks will experience a security compromise over any given six-month period.

    And with a staggering 9.7 billion data records having been breached since 2013, these numbers are only rising. Destructive attacks on data and networks are up 102% since last year and ransomware is up 90%.

    Whether the attack comes from an external source or is the result of employee error or a technical failure, and whether the incident takes the form of a distributed denial of service (DDoS) attack or phishing and ransomware, a data breach brings great financial loss. The average cost of a data breach comes in at $3.86 billion, and the annual global cost of cybercrime is expected to reach $6.1 trillion in 2021.

    Mitigating loss

    In the goal to reduce the cost penalties of a data breach, many organizations turn to data breach insurance – which, just like it sounds, is insurance that is designed to cover the cost incurred by an organization in the event of a data breach.

    And with the number of hits and resulting losses increasing every year, it’s no surprise that the global cyber insurance market is expected to reach $20.4 billion by 2025.


    Data breach insurance vs. cyber liability insurance

    Data breach insurance is sometimes equated with cyber liability insurance. But are they really the same thing? The answer is no, and understanding why and how is important to making the right decision on which option is best for your organization.

    In the simplest terms, data breach insurance protects the organization’s financial interests. It entails first-party coverages only and aims to help the organization minimize the financial damages that result from a breach.

    Cyber liability insurance, on the other hand, covers not only monetary losses from the breach itself but also data forensic expenses, business interruption coverage, extortion, notification costs, public relations (required to recoup the blow to brand equity), and legal services.

    Moreover, cyber liability insurance is primarily required for organizations whose operations include gaining access to personally identifiable information (PII), personal health information (PHI), or payment card information (PCI), and includes both first- and third-party coverages.

    First-party vs. third-party coverage

    As we have seen, data breach insurance provides only first-party coverage, whereas cyber liability insurance covers both first- and third-party. Accordingly, when determining which type of insurance is best for you, it is also important to understand the significance of this distinction.


    First-party coverage will help you respond to data breaches on your own network or systems, where the policy covers:

    • Notifying third parties that their data was exposed
    • Investigating the potential source of the breach
    • Executing a crisis management campaign to help restore brand equity
    • Reimbursement for business disruption and revenue loss
    • Paying ransom to a cybercriminal who is holding data hostage

    Third-party coverage includes all of this but will also help pay for lawsuits arising from data breaches on a third party’s network or systems, including attorney’s fees, court costs, and damages.

    What isn’t covered by data breach insurance?

    While both data breach insurance and cyber liability insurance do offer attractive policies for companies, they don’t cover everything.

    The damage of a breach goes beyond that which can be quantified by dollars. There is also the damage to systems, customer trust, and brand reputation.

    As such, the insurance won’t cover:

    • Costs of improving technology systems following the cyber incident
    • Loss of value caused by the theft of intellectual property
    • Future revenues and profits that could have been gained had the incident not occurred

    Be aware of insurance exemptions

    Moreover, companies must be aware of exemptions that may exist in the policy. For example, a common exemption in such insurance policies is “acts of war”. If the organization is not aware of this, it risks not being covered should an attack fall under such a circumstance.

    For example, Merck, the US pharmaceutical giant, was denied a $1.3 billion insurance pay-out after it was hit by a major cyberattack. The attack crippled over 30,000 laptops and desktops, as well as 7,500 servers. The company suffered significant downtime losses, and by the end of 2017 it reported in a regulatory filing that the incident resulted in damages estimated at $870 million.

    Nevertheless, the insurance company managed to avoid paying the claim, stating that the “acts of war” clause applied.

    Why you need data breach insurance

    While there are caveats, they are just that – caveats. And it cannot be denied that no organization today can afford to go without data breach insurance at the very least, if not cyber liability insurance (if such applies to your line of business).


    As we saw earlier, data breaches are happening more frequently than ever, and more than most would think. No one is immune, from the biggest companies with the biggest protection budgets, down to the “little guys” who think that they’re not interesting enough for cybercriminals to target them.

    The big guys

    • $25 million lost by Apple during a 12-hour store outage
    • $150 million lost by Delta Airlines during a 5-hour operation center outage
    • $90 million lost by Facebook during a 14-hour outage
    • 900,000 Virgin Media users had their data exposed
    • $24.7 billion class action suit filed against EasyJet due to a data breach
    • 5.2 million Marriott guests had their data breached

    The “little guys”

    • 71% of ransomware attacks target SMBs
    • $7.68 million is the average loss for attacks executed by insiders at SMBs
    • There was a 424% increase in new small business cyber breaches last year
    • 60% of SMBs say that attacks against them are targeted, sophisticated, and damaging

    The breach, sooner or later, will happen. And it will bring with it:

    • Financial impact
    • Reputational loss
    • Loss of productivity
    • Legal liability
    • A disruption to business continuity

    When a business is caught off guard and is unprepared for the impact, the damage can be that much greater, both financially and operationally. And if it doesn’t have data breach insurance in place, the losses will not be recoverable.

    Why data breach insurance is not enough

    Data breaches are much like car accidents – you can’t avoid them by having insurance. Just because you have car insurance doesn’t mean you’re going to get in your car and start driving without your seatbelt on.

    Similarly, while data breach insurance will help you mitigate losses, it is no replacement for a “seatbelt.” That is, data breach insurance should never be perceived as a preventative measure. It can never replace a robust plan and skillful execution of detection, prevention, and resolution.

    In fact, it cannot be overstated how important accelerating resolution is. The average cost of downtime is estimated at $5,600 per minute, and sometimes even at $9,000 per minute.

    Accordingly, reducing the time an incident goes on is a key imperative for every organization, regardless of size and industry, or the kind of insurance it has. You need to make sure to train the workforce for security awareness and compliance as well as have the right tools in place to prevent data breaches, and, when you are unable to prevent them, mitigate them quickly and effectively.

    To learn how Exigence can help you accelerate incident response, we invite you to contact us at
