Data Security Breach Insurance?
One does not have to be very observant to notice just how many data security breaches have been occurring over the last few years. It is almost as if data security breaches are becoming an epidemic. Financial losses have also mounted accordingly, and there appears to be no end in sight.
In information security governance there are four possible responses to security-related risks: to eliminate them (often by getting rid of a vulnerability-ridden type of technology altogether), to mitigate or reduce them, to accept them, or to insure against them. Historically, organizations have tended to mitigate risk or accept it more than anything else. The last of these options, insurance, has not been popular for a number of reasons, including the fact that it tends to be expensive, and also that when security-related incidents occur, insurers have too often not reimbursed insurees adequately (at least according to the latter’s perception). I suspect that another reason that taking out insurance has not fared all that well in the information security arena is that senior management has too often summarily dismissed talk about potential security incidents within their own organizations. “Have any major security incidents occurred within our organization?” is too often their response when they are urged to expend resources to counter security-related risk. When information security professionals respond by pointing out real-world incidents that have occurred in other organizations, senior management frequently remains unconvinced and unmoved. But data security breaches have now become widespread—I cannot think of any major sector (e.g., transportation, petroleum, manufacturing, and so on) within the business arena or even within the government arena that has escaped having at least one massive and widely publicized data security breach. Thus, although insurance against security risk has not fared all that well so far, insurance against data security breaches specifically might fare better.
Just last week a Canadian insurance company must have been thinking the same way, because it announced that it will offer insurance against data security breaches. If such breaches occur, this company will reimburse the insured victim for costs associated with computer damage, notifying potentially affected individuals, and losses that credit card companies suffer due to identity theft. I think that this company has caught on to something that is bound to be more popular than conventional security insurance, and I expect that the announcement of this specialized form of insurance will be only the first of many from other insurance companies within the next few months. It is also safe to say that you can count on an increasing proportion of organizations taking out insurance against data security breaches. On the other hand, if insurance companies continue their historical pattern of not reimbursing insurees in accordance with insurees’ expectations, this form of insurance will start to become less and less popular. Only time will tell. Meanwhile, though, the notion of offering a very specific form of security insurance against a type of incident that is plaguing nearly every organization, the data security breach, seems like a very good one.