Two recent articles have come up with differing viewpoints regarding the merits of buying network security and privacy (NSAP) insurance. On the one hand, an article in Network World has taken the position that it is almost foolish not to have NSAP insurance given the potential damages, increasing threats and the inability to safeguard against all such threats. The author reasons: “Just because you have fire extinguishers and sprinklers in your business doesn’t mean you don’t also buy fire insurance – the potential risk is too high. It’s time many companies considered security insurance too.”
An article in the Monitor titled College Officials Wary of ‘Cyber Insurance’ for Private Data suggests that NSAP insurance should be avoided because it does nothing to solve the underlying problem, namely safeguarding data. Specifically, representatives from the University of Texas-Pan American and South Texas College said they were confident in their information security systems and saw little value in NSAP policies, despite the fact that “higher education institutions across the nation have purchased [NSAP insurance] to offset large expenses following a data breach.” According to Bob Lim, UTPA vice president of information technology, “Rather than spending money at the back end, use your resources to prevent (risk). There’s better use in working to fight intrusion than being scared of it.”
The thrust of UTPA’s argument runs something like this:
We need to protect sensitive data adequately in order to safeguard our reputation. If we sustain a breach, there is something greater at stake than just the direct cost of the breach: the hit to our reputation, which is very difficult to monetize. Accordingly, we are better served by spending our resources and money on prevention rather than on a back-end solution that may not even cover us properly.
Ironically, this is the very same argument that large financial institutions made years ago when they opted not to buy NSAP insurance. They believed their reputations were sacrosanct, so they needed to avoid a breach at all costs, and buying the insurance was seen as an admission that a breach was even possible. If you asked around today, most of these institutions have NSAP insurance, with coverage towers that well exceed $100 million. Why the change in position?
Three factors caused large financial institutions to change their collective tune. First, because so many organizations have been hit with very public breaches, the reputational damage from a breach became less of a concern. After all, if everyone is being hit, the “before” matters less than the “after”, i.e., how you treat your customers post-breach. That is also the second reason the insurance option became more attractive: NSAP insurance quickly funds and allocates resources after a breach, much like an experienced SWAT team entering the picture, and financial institutions started to realize the benefit of having risk professionals assist in the post-breach aftermath. Finally, IT departments began to realize that insurance was not an indictment of their capabilities but a way to fund the costs of a breach without touching their own IT budgets. In other words, rather than opposing the coverage, CTOs and CIOs became champions of it once they saw its direct benefits.
All of this raises the question: who is smarter, the financial institutions or the folks from UTPA? When does NSAP insurance begin to make sense? As with most questions related to the purchase of insurance, it depends on your risk appetite, exposures, controls, and ability to financially withstand an incident. Taking such factors into consideration, the answer will clearly vary widely. Management should at least start the process of determining whether NSAP insurance makes sense, especially since the options are getting better by the day. Who knows? Maybe UTPA will ultimately change its position as more and more breaches of colleges and universities are reported.