Asleep on Data Security?

By: | September 1, 2013

Ara Trembly is founder of The Tech Consultant and The Rogue Guru Blog. He can be reached at [email protected].

The reality of cyber crime and its disturbing rate of growth is well known to just about everyone, even to the sleepy insurance industry. Yet, one has to wonder how the industry — which is built on data — will respond to this reality, given its penchant for shunning new technology and ignoring the threats that other industries take more seriously.

On the surface, it would seem that the industry is not all that worried about losing the precious data that is the lifeblood of its business. Having given a number of talks on this topic at insurance industry forums, I can tell you that data security is not among the primary things that keep insurance executives up at night. Perhaps the industry thinks there’s not much it can do about it, so it writes it off as a “cost of doing business.” Or maybe it (mistakenly) believes that data thieves have better targets to aim for than the insurance business.

Whatever the reason, this relative indifference to a very damaging problem is reflected in the somewhat low-key data security products market in insurance. It was very interesting to note that among the dozens of vendor announcements at the recent IASA Educational Conference and Business Show, only one directly addressed the issue of data security.

That one, from Baker Tilly, was an announcement that it had published an educational article on the recent executive order on cyber security from the federal government. So it wasn’t a product or a solution, but just a heads-up. And Baker Tilly is a network of accounting and business advisory firms — not an insurer or an insurance tech vendor.

But the industry actually has come up with a response to this obvious threat. In fact, its response is just what you would expect. Carriers are now selling insurance to cover cyber risks and exposures.

A number of insurers are proffering products that offer a wide range of benefits. These include coverage for legal defense expenses and liabilities arising from claims related to a data breach; coverage for the cost of notifying customers and employees of the breach; coverage for all kinds of breaches (including stealing of credit card numbers by employees or third parties); coverage for statutory violations, regulatory investigation, and negligence or breach of contract; provision of credit and identity protection services; and even access to a team of experts that can help the insured respond to a security breach and limit financial loss or damage.

At first blush, these would seem like ideal products that — while they do little to prevent illegal intrusions and thefts, and accompanying charges and lawsuits — at least make the insured feel less worried about being hacked. The question that arises, however, is how insurers rate the risks that they are now covering for individual companies. Who qualifies for these cyber threat insurance policies and who doesn’t — and why?

One executive told me privately, “Sure, we sell the coverage, but if we were the customer, I’m not sure I would cover us.”

And there is the problem in a nutshell. If my source’s observations apply to other insurers, then carriers are selling products for which they would not qualify.

Wouldn’t it be a good idea for the industry to clean up its house first, before offering cleaning services to others?