A major – or even minor – hack attack on a business lives on long after the malware has been neutralized. If credit card data is stolen, for example, customers might sue, new security systems have to be installed, and the damage to the company’s reputation practically guarantees a dropoff in business.
One way to limit the sting of the damage is to get someone else to pay for it – by buying insurance and spreading the risk among a large pool of fellow insurees. Those seeking to go the insurance route will find a warm welcome at AIG Israel, one of the largest insurance sellers in Israel, and the world’s biggest seller of insurance against hackers.
Just be sure that you’ve shored up your system’s defenses and trained your workers to avoid opening up rogue emails or surfing to suspicious sites, said Sharon Shaham, deputy director of the commercial insurance department of AIG Israel. “We expect customers to install well-known, proven software to keep hackers out. It’s not our job to assess how customers defend themselves, but if they expect an insurer to step up and offer assistance after a data breach, they need to take all necessary steps to protect themselves.”
The prospect of an insurance adjuster limiting or even holding up altogether payments for damages due to a major data breach will, said Shaham, be an incentive for companies to take steps to protect themselves, as it would with other forms of protection, like fire insurance. “In our experience, 80% of cyber-attacks in general are due to human negligence, where a worker opens up a suspicious link that leads to the installation of malware on a network, thus enabling hackers to get control of a system.”
If the claim is big enough, adjusters will comb through the system to see where the attack came from and how it got into the system, Shaham said, with the information analyzed to determine what kind of settlement the company gets. The better the protection, the better the payout.
Like in other forms of insurance, insurers offer coverage to soften the blow from major damage due to a hack attack. That coverage could include payment for direct costs (lawsuits by customers, demands for refunds or other payments, etc.), as well as coverage for other outgrowths of an attack, such as losses to company stock prices, reputation, and even market share. AIG Israel, said Shaham, has “hundreds of customers in Israel and thousands around the world who have bought special insurance to protect themselves against damages.”
Despite the headlines that highlight some of that damage – including high-profile attacks like the one on Sony last December, or a previous one on Target, which the retailer is still feeling – many businesses have held off on buying cyber-insurance, whether because of the extra cost or the belief that they will recoup losses from other forms of business insurance. While that could be the case, it isn’t always, said Shaham, so companies would be much better off with an insurance package that covers all aspects of a hack attack. “We’ve been selling insurance like this in Israel for the past year or so, as well as worldwide for the past decade, although in less comprehensive forms that what AIG offers today.”
And while many business owners look askance at new insurance “products” like this, as consumers do when offered different forms of life or health insurance that may duplicate coverage they already have, Shaham sees her company’s insurance as a good way to make sure businesses pay more attention to shoring up their cyber-defenses.
“With so many hack attacks the result of human error, we strongly encourage our clients to ensure that their workers are aware of the damage and of what behaviors to avoid on order to prevent attacks. In fact we offer programs to help them set up educational programs for clients to train their personnel. We’ve found that for many companies this kind of awareness helps bring down their chances of being attacked, saving them – and us – the significant costs that can result from a data breach.”