Until recently, at least, corporate boards largely turned a blind eye to the problem, this paper notes. A 2010 Carnegie Mellon survey found that 56 percent of board members at firms with revenues between $1 billion and $10 billion thought improving risk management was important, but none of them cited improving data and computer security as a priority. Insurers, however, are now routinely including cyber risk assessments in their estimates for overall coverage, and more companies are signing up.
But those buying policies must augment their coverage with a variety of internal safeguards, the author maintains. These safeguards include installing the virtual equivalent of security cameras and padlocks, and using technology to detect intrusions, patch software holes, encrypt crucial data, and provide buffers between internal systems and the Internet.
Adding a cyber watchdog to the corporate hierarchy is also important. When Sony was first hacked in April 2011, the company did not have a senior manager devoted to information security, the author reports. The presence of such a manager can make a significant difference. One study cited by the author found that firms with a chief of information security reported lower costs after a breach: a tally of $157 per affected consumer versus $236 for firms without a leader in strategic security.
Corporate acknowledgment of the problem seems to be on the rise. More firms are disclosing information about their data protection measures to the U.S. Securities and Exchange Commission (SEC), which has hinted that it might soon require such disclosure. And some studies have shown that companies that choose to disclose aspects of their data protection practices in their annual reports profit from the move. Investors could view this form of disclosure as a commitment to prevent a cyber attack, “which would positively impact consumer trust, lead to greater transparency, and drive up the company’s market value,” the author writes.
In considering cyber risk insurance, firms should conduct a cost-benefit analysis: Would a policy mitigate exposure to cyber risk, taking into account how applicable state laws affect liability? The analysis becomes more complicated for multinational firms, because the nascent laws on cyber crime vary significantly from country to country.
If managers do opt to buy insurance, they can’t use that coverage as an excuse to delay other cybersecurity measures, the author cautions. “As losses mount, investors will likely stop treating cyber attacks as a corporate nuisance,” he concludes, “and start treating them as the serious threat that they are” to a firm’s very survival.
Cyber attacks are on the rise, costing firms millions in direct and indirect costs, and managers should consider purchasing special insurance to limit their liability. But buying a policy should not give companies a false sense of security; strong internal countermeasures are still required.