Encryption vs. Cyberinsurance: One’s Risk Management, The Other’s Risk Transfer.

The Anthem data breach is turning out to be big not only in terms of number of people affected.  According to pymnts.com, quoting ft.com, Lloyd’s of London has stated that cyber attacks are “now too big for private insurance companies to handle” after details of Anthem’s hack were revealed.  This is another development that should make people take a long, hard look at using encryption software to secure sensitive data.

Risk Management

As breaches of personal and other sensitive information started to grow exponentially, and data security professionals kept pointing out that data security tools like disk encryption were meant to manage risk (and could not eliminate it), some people started to misinterpret the advice they were given.

It was unusual, though not rare, to find people thinking along the lines of: well, if it’s meant to manage risk, maybe we don’t need these security tools.  We’ll just manage it in a different way.  And, presto, you had companies that signed up for cyberinsurance at the expense of using proper data security tools and drafting enforceable, well-thought-out computer usage policies.

There are advantages to this short-sighted approach: huge savings on anything that is remotely related to technical issues, including IT labor; instant coverage as opposed to the weeks or months (or years!) that it could take to plan and implement a technical approach; reducing oversight and monitoring; etc.  The savings in time, energy, and money are astronomical.

The problem is, this is a different kind of risk management: while the use of data security solutions represents a reduction in risk, the use of cyberinsurance represents a transfer of risk.

Transfer vs. Reduction

From the point of view of a company looking to manage the risk of a data breach, perhaps it doesn’t matter that they’re transferring the risk as opposed to reducing it.  After all, on the surface it achieves the same thing: it clears away the risk.

But, there is the issue of permanence: as pymnts.com showed, insurance companies are increasingly unwilling to venture into the field of insuring against data breaches.  So, in the long run, companies may need to look into implementing data security tools after all (although it may not be true in the very long run; technology has a way of finding solutions to its own vexing problems, especially ones that don’t originate from the natural world).

Plus, legal protections don’t extend to merely signing up for insurance.  And, people are not less likely to sue you because you signed up for insurance (in fact, they may be more likely to bring legal claims against you).

Last but not least, there is no guarantee that you’ll be able to cash in on your insurance: insurance companies have gone to court over payments, asserting on technicalities that certain things aren’t covered.

Meanwhile, reducing risk is a win-win all around: legal protections abound in the form of safe harbor clauses in legislation; it wouldn’t be hard to convince the courts that the loss of encrypted data does not constitute a data breach because the data is protected; and most people are quite aware that encryption offers real protection.  Plus, as opposed to merely transferring the risk (specifically, the financial risk), the threat of a data breach is actually reduced.

Related Articles and Sites:
http://www.pymnts.com/news/2015/we-cant-cover-cyberattacks-says-lloyds-of-london-insurer/
http://www.databreaches.net/big-cyberattacks-crippling-private-cyberinsurance-firms/