The perceived silver bullet of cyber insurance has existed since the 1990s, but companies were forced to consider coverage limitations when a New York court ruled in February 2014 that Sony’s general liability policy would not cover the $2 billion in costs the company had incurred from the huge 2011 data breach involving the online network for its PlayStation game console. The decision highlights two important points. First, because of the insurance industry’s continued efforts to limit coverage for cyber claims under commercial general liability policies, most businesses should consider policies specifically written to insure against cyber risks. Second, policyholders need to purchase adequate limits of liability for cyber risks. In the case of Sony, while it did purchase cyber insurance and its cyber insurer did provide coverage, Sony quickly exhausted its limits of liability defending the class action lawsuits. Once a hacker has breached a company’s security, the number of potential claimants may equal the number of clients the company has. Litigation costs resulting from a breach will likely be proportionately high, so it is important to purchase adequate limits of liability. Thus, the insurers who offer the product most suited to a company’s needs must help negotiate favourable terms, limits, a realistic price, and appropriate cover. The perception of cyber insurance as a silver bullet against cyber threats is somewhat diminished in the daylight of reality. Having been on the buyer end of cyber insurance, I was also surprised just how short the onboarding interview/checklist was and how accepting they were of the number of serious breaches that had occurred prior to procuring the policy.
But then, this was at a time when interest rates were high – as one insurer told me, ‘when interest rates were high, the risk could be offset by the percentage generated from reinvesting high policy costs!’ At the end of the day, cyber insurance can be part of the overall security mission so long as it is appropriate to the end expectation, realistic in cover, and not seen as a compensatory control to bridge a known security hole. If the required due diligence is not exercised, the investment made in cyber insurance could turn out to be an extension of a security nightmare mid-crisis, a bullet made from lead and not silver.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.