According to a recent report, in 2019 the average cost of a data breach to a company was $3.9 million, ranging from $1.8 million in India to $8.2 million in the United States. Fines for failing to comply with regulations or litigation by disgruntled customers can drive the costs much higher.
In 2017, the US health insurance company Anthem settled a class action lawsuit for $115 million over a breach that had compromised the personal information of nearly 79 million people. A year later, Yahoo settled a lawsuit brought by shareholders for $80 million.
Increasingly, companies are taking out cyber-insurance to cover financial losses resulting from a breach. Losses may include the costs of notifying affected parties, legal fees, compensating affected individuals and regulatory fines.
When purchasing cyber-insurance, it is crucial to know what is covered and what prompts payment. For example, cyber-extortion costs are usually covered in full, although there are jurisdictions where coverage for some cyber-extortion risks is not permitted.
ISO/IEC 27102 offers guidance on cyber-insurance, including the kind of losses covered, what triggers payment and what measures need to be in place to satisfy the insurance providers. The publication notes that, “The adoption of cyber-insurance to reduce the impacts of the consequences arising from a cyber-incident should be considered by an organization in addition to information security controls as part of an effective risk treatment approach”.
ISO/IEC 27102 provides advice about both first- and third-party coverage. First-party insurance covers costs related to the damage or loss of the insured organization's own cyber assets. Third-party insurance covers those responsible for the systems through which the breach occurred.
Cyber security insurance can also cover reimbursable expenses, usually related to the recovery process. These include, for example, the cost of forensic investigations, extortion in the case of ransomware, and business losses.