The Problem with Cyber Insurance: Outdated Incentives


With an increasing cost of data breaches from new laws like CCPA (effective 2020) and existing GDPR (effective 2018), the cyber insurance industry’s days are numbered. Are you ready?

Instead of solving your cybersecurity problems, cyber insurance companies price a premium against your expected loss: the cost of a breach amortized over the probability that one happens. It’s economically viable for them because data breaches have been relatively cheap.

Historically, protecting your data has been a very time-consuming and expensive commitment. For example, it used to take $4.2M and a team of 4–5 security engineers to build end-to-end encryption into a product over 2 years. In that world, cyber insurance presented an attractive low-cost alternative for limiting the consequences of not having the resources to protect your data. But with modern services, it’s now possible to raise your data security bar quickly without those costs. For example, Peacemakr’s free E2E-Encryption-as-a-Service with open-source SDKs could be used to encrypt everything.

Not only is the overhead of protecting your data dropping, but the cost of a data breach is increasing. With existing GDPR fines of up to 4% of global revenue, and with statutory fines per breach and a private right of action available under CCPA, are we entering an age where encrypting your data is more effective and cheaper than buying cyber insurance?

Equifax. Garmin. Marriott. Are we naming companies or famous cyber events? The fact that you can’t tell is trouble for these brands.

Nothing kills a deal faster than mistrust. Even if covered by cyber insurance, a data breach will tarnish your reputation. Your top salespeople will leave because they will lose their commissions. Your marketing folks will demand a very expensive messaging pivot. The board will want to fire the CISO, and if you don’t have one, may suggest that you resign.

Screenshot from the App Jumbo reporting a breach victim’s Address, Email, and Password were all sold on the dark web.

You might even end up as the talking point on podcasts and in Clubhouse rooms, discussed, for example, as “a16z’s breach of the week.” Your brand will become known as an event, a hard lesson learned, like Equifax.

Once data is leaked, that’s it. It’s out there. Apps like Jumbo will detect specific customers’ passwords and personally identifiable information floating around on the dark web and link them directly to your brand.

CCPA holds businesses accountable for all data leaks impacting California residents, at up to $750 (minimum $150) per record lost, along with a private right of action. So, your $15M coverage policy will cover the first 200,000 stolen records, and the rest is on your business. For perspective, there were 8.4B records stolen in just the first quarter of 2020, which would have amounted to $1.2T in fines from CCPA alone, had it applied to all of them as CA citizens. IBM estimates that those breaches’ average cost was about $150 per record stolen before any CCPA fines, meaning total damages would have been an estimated $2.4T from fines and business losses combined. In the best case, CCPA doubles the average cost per record stolen; in the worst case, it multiplies it by 6, to $900 per record stolen. But that only applies to CA residents’ data records.

GDPR applies to all of Europe, with fines upwards of 4% of the company’s global revenue.

With regulators cracking down on lax data security practices, cyber insurance’s days are numbered.

What can you do to protect your business?

Instead of paying increasing premiums to insurance companies, how about we focus on protecting the data? As the expression goes: an ounce of prevention is worth a pound of cure. It’s much better to invest in your future with strong security in place rather than try to clean up the mess with insurance later.

There are several drop-in security solutions out there to help you protect your critical business data and systems from breaches, for example:

  • Snyk develops security analysis tools to identify open-source vulnerabilities so you never run vulnerable 3rd party libraries in your cloud again.
  • Peacemakr offers drop-in E2E-Encryption-as-a-Service to help you quickly and efficiently raise your data security bar.
  • Sqreen built a monitoring and protection platform made to be incredibly powerful yet very easy to use.
  • ArmorCode simplifies software security with a single pane of glass management portal for organization-wide visibility, control, and collaboration.

So, what are you waiting for?

15+ Years experience leading security, Ex-Apple, Ex-Pure Storage, Ex-Symphony Communications, Co-Founder and CEO of Peacemakr, Lives in San Francisco.