Corporate data breaches are growing at an alarming rate. In the first half of 2012, privacyrights.org conservatively reported over 272 breaches affecting at least 18.5 million records. More realistic figures came from datalossdb.org, which reported 704 breaches for the same period.
Hackers recently penetrated Sony Corporation’s PlayStation and Online Entertainment divisions, costing the corporation as much as $2 billion. Sony had to confront as many as 60 class-action lawsuits over the hacking while battling its insurance carrier, which insisted that its general business coverage excludes cyber crime.
Other companies that suffered losses from hackers include Best Buy, Citigroup, Hilton, JPMorgan Chase, Lockheed Martin, Marriott, Target and Verizon.
The largest breaches for 2012 include:
- Zappos breaches 24 million records--hacker
- University of North Carolina breaches 350,000 records--exposed data
- Global Payment Systems breaches 7 million records--hacker
- South Carolina Health and Human Services breaches 228,435 records--insider
- University of Nebraska breaches 654,000 records--stolen from database
- LinkedIn breaches 6.5 million records--hacked
One problem many companies face is that sensitive and confidential information is increasingly being stored by cloud vendors. These off-site data silos now expose critical information to entirely new levels of data breaches. As storage and data handling technology continues to evolve, data risk managers must remain acutely aware of how to ensure the safety and integrity of off-site data silos.
To protect themselves from hackers, more companies have begun carrying cyber risk insurance. As part of a multi-faceted risk reduction strategy, cyber insurance can offer a level of protection for corporate intellectual property and consumer records. Cyber insurance policies vary by type and level of protection. There’s business interruption insurance, which covers a company's direct losses due to hacking. These policies may include such “after incident” services as hiring computer forensic teams and implementing credit-monitoring services.
The caveats in taking out a cyber insurance policy should be noted at this point. Compared to other types of insurance, the cyber insurance industry is still in its infancy. There are still a number of legal opt-outs that give carriers some wiggle room when it comes time to collect. Compounding this is the ever-evolving nature of cyber threats.
Cyber security managers must make sure that the cyber policy they purchase provides the right type and level of protection their company needs. They must take into account advancements in technology, current insurance products, pricing, coverage options, and prevention strategies.
For those still "on the fence," a company’s traditional insurance product will more than likely have gaps for cyber/data breaches. Cyber insurance policies can fill these gaps, offering direct loss and liability protection for risks created by the use of cloud computing.