Security Think Tank: Cyber insurance – buyers beware

How can IT security best use the new financial and insurance products available to IT to improve data protection without increasing cost?

Financial or insurance products do not help improve data protection; they only help deal with the aftermath.

Also, typical policies are so precisely worded that an entity wanting to make a claim has limited grounds to do so. For example, if an entity has been negligent in protecting the data in question, the policy will not pay out. Alternatively, the premiums would be so high that the entity may as well fix its data protection issues in the first place.

So while the new influx of cyber security insurance policies might look good, they are there for a reason. That reason is for insurance companies to make money, and we would advise readers to tread with caution, read the small print and ensure the correct type and level of cover has been chosen.

There is also the misconception that general company insurance policies will include insurance for data theft or loss. In the UK, at least, data is not considered a tangible asset that one can steal, hence we have computer misuse and data protection law to cover these eventualities.

The recent case of Schnucks, a supermarket chain in the US, demonstrates this.

Schnucks experienced a credit card data breach affecting up to 2.4 million customers. The state courts ruled this was not Schnucks' fault – rather it was a victim of criminal wrongdoing.

Thus Schnucks thought it could claim losses and legal costs from its own insurance company. But the insurance company said Schnucks did not have cover for data theft. The supermarket chain ended up footing the bill.

The need for cyber security insurance is real – losses can be enormous and put companies out of business – but tread carefully.

Tim Holman is president of ISSA-UK and CEO at 2-sec.