Data breaches and system intrusions aren’t letting up in speed or scope. And the costs are mounting. While there’s no widely accepted way to measure the cost of a data breach, the Ponemon Institute estimates the average cost of a data breach to be $154 per record, up from $145 the previous year. And the total average cost of a data breach rose to $3.8 million last year, from $3.5 million in 2014.
To mitigate these costs and the risk of breach, enterprises are spending billions on identity management, protection for their on-premises networks and cloud systems, penetration testing, firewalls, encryption, anti-malware, threat intelligence and big data security analytics. But these decisions are being made in the dark. We really don’t know, empirically, which security investments work and which do not.
Enterprises, CISOs and CIOs need a way to put context into these decisions and understand the value of that threat intelligence system, or that big data security analytics program. Maybe it makes sense for certain organizations to invest in these things, and in other cases it may not.
Whether or not it makes sense can depend on enterprise size, business model, geographic footprint, number of employees, industry type and so on. Making these decisions takes a lot of horizontal information across many organizations and industries, and it takes an understanding of risk. Assessing risk, managing it and pricing it is what insurance companies do. And this is where cybersecurity insurance comes in.
According to a market survey conducted by global reinsurer PartnerRe and Advisen, the cybersecurity insurance market has already reached $2 billion and will likely see $4 billion by 2020.
Cybersecurity insurance is a way for organizations to lessen the financial impact of security incidents and of incidents that deny system availability. That could include everything from data theft to data breaches, extortion, data destruction and so on.
Proponents of cybersecurity insurance say these products will help to guide organizations to spend more wisely on cybersecurity tools and efforts. The market remains relatively small because policies are said to be difficult to price and expensive, and there remains a considerable amount of market education to be done about what, exactly, these policies cover.
I think as we collect more data about breaches and as insurance companies learn more about the factors that reduce cybersecurity breaches and the security capabilities that lower the financial impact of these breaches, cybersecurity insurance premiums will decrease and adoption of policies will rise. This will create a virtuous cycle with the insurance companies getting more and better data about what is working and what isn’t, improving their ability to measure and price cybersecurity risks.
According to the 2016 Global State of Information Security Survey, based on responses from 10,000 IT and security decision-makers in 127 nations, cybersecurity insurance is already on the radar of many enterprises, with 59% of enterprises considering such policies. Expect that number to climb in the years ahead.
Has your enterprise considered a cybersecurity insurance policy?