Echoworx Talking Security –
Cyber Insurance: What it is and how it works
In order to understand how cyber insurance affects the outcome of a lawsuit, an organization first needs to understand what sorts of lawsuits come out of a cyber exploit. Most losses arising from a data breach are the result of class action lawsuits. And, since class actions involve so many individuals, each uniquely affected by the breach, proving the extent of the harm done and what sort of payout is warranted is not easy.
Each cyber insurance policy is unique in terms of what it covers and is made up of different parts and conditions – a bit like Frankenstein’s monster. For example, in the case of a lawsuit, one cyber insurance policy might cover monetary damages of a data breach but not the legal costs – and vice versa with another policy.
But there are certain hard rules to consider.
The fact that other organizations are not respecting privacy rules and regulations does not give a company permission to follow suit. To be covered under a cyber insurance policy, an organization needs to ensure it is following the regulations of every jurisdiction it operates in or does business with – like the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada or the General Data Protection Regulation (GDPR) of the European Union.
In addition to protecting the personal data of their countries’ citizens, these stringent regulatory regimes also promote the idea of ‘privacy by design.’ Coined by Dr. Ann Cavoukian, privacy by design dictates that every component of an organization’s digital infrastructure must be built with data protection in mind. On the regulatory side, this concept translates into, among other things, mandatory reporting of data breaches.
Employing proactive cybersecurity measures, like encryption, can help insulate an organization from the most damaging aspects of a data breach – especially the outcome of a class action lawsuit. If an organization has an encryption program in place, for example, this can be an indicator to a judge or cyber insurance provider that it has done its part to protect customer data. Regulators take the same view: under the GDPR, an organization need not notify affected individuals of a breach where the exposed data had been rendered unintelligible to unauthorized parties, for instance by encryption whose keys were not also compromised.
But having proactive cybersecurity measures and actually using them are two different things. Simply owning an encryption solution, for example, is not good enough – an organization needs to be using it, consistently and on the data that matters, for it to count. It’s a bit like having seatbelts in a car – they’re no good unless people are wearing them.
Just as there are no uniform cyber insurance policies, there are many factors that go into calculating the actual monetary damage of a data breach. For a large company, for example, the damage might be more visible as a drop in market value. For smaller companies, assessing that damage can be a more difficult task – but difficulty in measuring it does not mean it is insignificant.
The actual equation behind calculating the monetary damage of a data breach should be thought of as fluid, with several moving parts. For example, the ultimate damage figure might combine the outcome of a class action lawsuit with a calculable loss of customers due to brand damage.
Ultimately, there is no foolproof way to protect an organization from a cyber exploit – cyber insurance included. But there are ways to soften the blow or at least discourage a cyber exploit from taking place. Think of it like protecting a home – you might install a burglar alarm, storm windows and have home insurance but, at the end of the day, if someone wants to get into your house they will.