Protecting your sensitive data for over 20 years - Netlib

Thursday, June 5, 2014

In Light of Breaches, Mandatory Cyber Liability Insurance?

Should companies be mandated to have cyber liability insurance?  65% of publicly traded companies currently don’t have any such policy, according to a recent survey by Chubb Group of Insurance Companies.  In many cases, this is due to a simple lack of awareness: CEOs just do not know that this type of insurance is available.  Perhaps they often assume their business’ general liability coverage accounts for and protects them from any incidents of data breach and theft.  Generally, it doesn’t.  Cost can be another factor, with higher premiums for those companies deemed “higher-risk” by financial institutions.


Reasons aside, the question remains.  And, as with many issues, there are different trains of thought to take, considerations to weigh “for” and “against.” 

On one hand, it appears to be a no-brainer.  After all, it doesn’t matter how good a driver you are, or how confident in your ability to never have even the slightest accident.  Car insurance, rightly so, is not optional.  Neither is health care insurance these days, to dip into murkier waters.  Point is, these things are now mandated.  Should not companies be similarly expected to have insurance for data losses incurred via the Internet?  Like car insurance, you never know when you might need it.  It’s for their own benefit, really.  Insurance can’t prevent consumers from becoming victims of fraud or identity theft, but to forgo it means a stricken company is even more vulnerable to fines and lawsuits, not to mention a massive drop in sales and loss of revenue.  I mean, I’ve spent a fair amount of time talking about Target recently, and this is something they’re discovering firsthand.  Moreover, the expenses demanded after a data breach—notifying customers, providing credit monitoring services, etc.—can get quite draining.  With cyber liability insurance, a company will be in a better financial position to provide these services to their wronged consumers, thus benefitting them as well.  Sounds like a win-win to me.

The only significant drawback that I can see is, again, price, especially for those higher-risk businesses.  Insurance should definitely be a priority, but not above protecting your databases with strong encryption in the first place.  A company’s funds should go here first, to prevent a data breach before it happens; after all, insurance can’t remedy the damage done to a company’s reputation, even if it can offset the financial losses.  Luckily, and particularly for smaller businesses, not all cyber insurance is a wallet vacuum.  "I've seen policies with premiums as low as $2,000 a year, though it can go up from there," says Ethan Miller, partner at Hogan Lovells, a San Francisco-based law firm.  And while the stance of some CEOs may even be that their general coverage is sufficient, they should reconsider.

It might not take 15 minutes to purchase or involve a friendly talking Gecko, but cyber liability insurance is crucial and, as hackers grow ever bolder, should be a part of companies’ budget plans going forward.
