Cybercrime is becoming such a common occurrence. Too many of us have to hear about and become familiar with the Deep Web sooner than I ever dreamed we would. I heard Charlie Miller and Chris Valasek – the presenters at Black Hat who hacked a 2014 Jeep Cherokee’s onboard computer sparking a massive vehicle recall – say that “everything is hackable.” And it is. If you think you’re safe then you’re likely next if you have anything of valuable personally or professionally.
What are the costs of cybercrime?
With all these cybercrimes that include database breaches of government personnel identities, big box store credit card numbers and customer data, and fingerprint databases that number in the millions, who pays? What costs are incurred?
From a high-level, the costs – at a minimum – are:
- Lost customers for the big box stores that were hit in the past 1-2 years
- Lawsuits and settlements for those customers affected by the breaches on these stores’ databases
- Individuals who have to fix identities and get new cards and personal information issued
- Corporations paying large dollars for cybercrime insurance (more on this below)
- Corporations paying handsomely for risk and cybercrime prevention planning and consulting
Cybercrime insurance – an interesting new twist
There are always opportunists out there looking to capitalize on the latest victims and cybercrime is no exception. Cybersecurity insurance seems to be the rage these days. Lloyds of London – those insurers who cover Keith Richards’ fingers and your favorite college quarterback’s arm who decides to stay in college one more year – are big into cybersecurity insurance. The problem is, they are insuring the loss - insurance against data loss, malware and service attacks, data breached and cybercrime – not helping prevent cybercrime in anyway.
Focusing on the consequences, not the causes
So, who pays? Well, consumers pay, I guess. Chubb – a leading provider of insurance coverage – also offers insurance against cybercrime…as do most large carriers and many smaller insurers popping up and entering the lucrative cybercrime insurance market. Companies seeking out insurance against cybercrimes are focusing on the consequences of cybercrime, not the causes, by purchasing liability and errors-and-omissions insurance.
As Chubb states, “Unfortunately, many companies don’t realize that whether they experience a data security breach isn’t as much a matter of if it will happen as when. When a security breach happens, you’ll need comprehensive protection from an insurer that specializes in handling cyber risks, offers a full suite of integrated insurance solutions to help minimize gaps in coverage, and understands how to tailor coverage to your business.” Chubb’s insurance covers direct loss, legal liability, and consequential loss resulting from cyber security breaches.
As the cost of cybercrime losses rises and the frequency of cybercrime events also rises, the costs of those payouts will be passed on to consumers of all insurance policies with companies like Chubb. It’s called free enterprise. One such insurer - Marsh & Mclennan - which offers cyber insurance, has estimated that the market for cybercrime insurance doubled last year to as much as $2 billion.
Is C-level representation the answer?
I personally propose a C-level cybersecurity representation now in organizations of any notable size handling any sensitive data and information and running any projects with sensitive data for important clients that they want to keep long term. After all, it only takes one breach for you to lose many customers and gain a certain reputation that you really don’t want to have. And if you’re one of those corporations and you haven’t been hit yet…don’t worry…you will. Given the prevalence of digital terrorism, cyber attacks are a question of when, not if.
Summary / call for input?
What are your experiences with cybercrime? Has your organization been affected? What risk or avoidance measures are you taking or planning to take to guard against cybercrime? Has there been a consideration to make a cybersecurity position a C-level representation?