Data Encryption: Can Moral Hazard Account For Low Levels Of Corporate Data Security?

Over at, an article is tackling “why companies have little incentive to invest in cybersecurity.”  One of the arguments is that companies encounter moral hazard.  That is, they don’t really feel the effects of the risk of their actions because someone or something else is taking care of the hazard.

Moral Hazard – Beneficiaries

Moral hazard is cited as one of the reasons why the banking industry brought on the 2008 financial crisis: they were playing with other people’s money, absolving themselves from the financial risks via the use of exotic options and other derivatives.  Since the downside doesn’t affect them, the banks charged ahead into risky waters that culminated in a global financial meltdown.

Likewise, the argument is that companies don’t really invest in data security solutions because, among other things, someone else is taking the risk.  The examples given are Home Depot, Target, and Sony – companies that have experienced massive data breaches in the last couple of years.  Despite their ongoing tribulations, it is pointed out that insurance companies acted as a salve to their misery.  For example, Target, whose data breach expenses have reached $252 million so far, saw a $90 million reimbursement from insurance companies.

Target wasn’t the only recipient of a risk transfer.  Home Depot, which had the dubious honor of being the retailer with the largest data breach (until Target came along, that is), also saw its expenses reduced by about one-third when it received $15 million from its insurers.

Moral Hazard – Benefactors

So, to whom was the risk transferred?  Easy.  The insurers.  But then again, it seems wrong to bring up “moral hazard” with such parties because that’s what they’re there for: insurance companies are meant to take on risk.

Then there are the credit card companies.  According to the same article, credit unions spent $60 million to replace the credit and debit cards affected in the Home Depot debacle.  No doubt a similar figure will spring up once Target’s data breach is contained.

And ultimately, there are the customers.  Even if made whole by either their banks or the breached entities, customers don’t get compensated for the lost hours, frustrations, and other aspects related to rectifying the situation.

If breached entities had to compensate for all the problems they created – that is, the moral hazard aspect is minimized to zero – then they wouldn’t be so cavalier when it comes to data security.  At least, that is the idea.
