Why cyber insurance should be your last line of defence

Data breaches are proliferating, and the associated costs are exploding. According to the Ponemon Institute’s “2014 Cost of Data Breach Study: United Kingdom”, the average cost of a data breach in the UK has increased from £2.04 million to £2.21 million.

Businesses’ general liability policies don’t cover those costly data breaches, which makes cyber insurance look like a wise choice. In fact, AON PLC, the world’s largest reinsurance broker, claimed in October 2014 that the cyber insurance market was at the time growing at 38% annually.

However, as a US case from earlier this year has shown, cyber insurance should not be relied upon as your first line of cyber defence. In 2013, California healthcare provider Cottage Health System discovered that security on one of its servers had been disabled, leaving tens of thousands of patients’ files potentially open and exposed on the internet for more than two months. Naturally, Cottage was sued, along with inSync, the company responsible for putting the records in a secure location online.

Cyber forensic investigators were called in to figure out what happened, security consultants helped analyse and reconfigure the servers, affected patients were notified and offered credit monitoring services, and business was lost as newly cautious customers went elsewhere. All of this racked up the costs.

Good thing the healthcare provider had insurance to cover such a data breach, right?

Wrong. Cottage’s insurer, Columbia Casualty, earlier in May filed a complaint against Cottage, claiming that whatever money it had to pay out under the policy would have to be paid right back to it, for the same reasons that the class action lawsuit had been filed: because the healthcare provider allegedly failed to follow “minimum required practices” as spelled out in the insurance policy. Specifically, the insurer is claiming that Cottage “stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the internet.”

Cottage was aiming to claim around $4 million (about £2.6 million) from Columbia to cover damages related to the incident as well as potential fines from a Department of Justice investigation of possible violations of the federal Health Insurance Portability and Accountability Act (HIPAA).

Clearly, this case shows that buying insurance doesn’t mean the job of securing data is done. Understand what data you store and where it is processed, and take the steps necessary to protect it from the threats to its security. Adopting standards such as Cyber Essentials, IASME or ISO27001 will help you do this in a structured and controlled way.

Then go out and get cyber insurance as the last line of defence.