In recent years we’ve seen a huge financial fallout for organisations that have suffered large-scale cyber attacks; from the £500,000 fine imposed on British Airways over the compromised card payments of 380,000 customers, to the possible $915m fine that Marriott may face following the enormous data breach last year. These repercussions are only likely to worsen as the volume and severity of attacks increase.
For instance, the General Data Protection Regulation (GDPR)’s arrival last year means that companies now face fines of up to 4 percent of global revenues or €20 million, whichever is greater.
In light of these risks, cyber-insurance is emerging as a safety net offering businesses protection if the worst happens. Far from being a luxury, there is every possibility that cyber-insurance will soon become a necessity for any organisation storing personal data. In the same way that drivers are required by law to have motor insurance, businesses may be obliged to have measures in place to guarantee compensation for customers left at risk by any data breach.
As when taking out any insurance policy, the first thing organisations will need to do is establish the exact risk they face in order to determine their premium. This is critical for two reasons. First, a more accurate assessment will allow a more accurate, and ideally better-priced, premium. Second, by auditing their defences in this way, organisations will face less risk that their claims will be refused if the worst eventually happens. Much like a driver who states their car is always parked in a locked garage will have a hard time claiming if it’s stolen from the street outside their house, organisations that are found to have over-stated their security capabilities could be in for a nasty shock.