If your business manages personal information about health or finances, a security breach can cost millions. HITECH and other regulations not only apply fines, they also require disclosure and notification of those affected. In some cases, companies must also provide free credit reports to those affected. These costs can range from $80 to $200 per compromised record. The problem for many companies is the sheer volume of information that can be compromised in a single breach. If you lose 5,000, 50,000 or 500,000 records, the math may mean bankruptcy. Fortunately, you can now get insurance to cover these risks.
Network security or privacy loss insurance has been around for just over a decade. Initially it was only offered by a handful of specialist insurers, like Lloyd's of London. Nowadays, there are more than 15 companies offering coverage for security breaches, as well as brokers who can help you find the right coverage.
Insurance against security breaches covers two main areas. First-party coverage protects you against the direct costs suffered by your business, including potential fines, productivity loss, financial damage and even PR expenses. Third-party coverage protects you against costs incurred for damage to third parties, such as virus damage or identity theft remediation.
Healthcare and insurance companies are buying these policies to cover the residual risk of a breach that reveals HIPAA protected information. With the large numbers of patients or insured customers, the potential cost of a breach can be very high. But it's not just healthcare organizations that have personally identifiable information (PII). Large companies have a ticking bomb in their HR databases, with Social Security numbers, credit details and other PII.
Working with a broker and the insurance firms, buyers of this type of insurance first have to figure out how much coverage is needed. The potential loss depends on the number of records of sensitive data, the regulatory framework and the company's existing security infrastructure. Coverage can be secured for a few thousand dollars, offering protection against losses in the $1 million to $5 million range. Special policies can be tailored for more coverage.
Because the industry is still relatively young, premiums and coverage levels will vary depending on the policy. Companies are probably better served working with a broker to find the right policy. Increasingly, these types of coverage are required in contracts, just like other forms of professional liability insurance.
The bottom line is that no matter how much you spend on security, you can never guarantee there will be no breach. Quite the opposite: a security breach is almost guaranteed in every company; it's only a question of time and severity. With regulatory fines of $250,000 and $500,000 reported frequently in the news, and disclosure and remediation costs in the millions, there's too much residual risk for many companies. Just because you have fire extinguishers and sprinklers in your business doesn't mean you don't also buy fire insurance – the potential risk is too high. It's time many companies considered security insurance too.