What started out as a dating site – albeit a controversial one at that – has turned into a nightmare. Ashley Madison, a dating site for married people who are looking to have an affair on the side, suffered a devastating cyberattack this week as hackers published private details relating to nearly 40 million users.
The information released contained names, phone numbers, email addresses and even sexual preferences. The fallout of the attack, which took the form of a 10GB database on the “dark web” that could be accessed through a specialized web browser called Tor, was felt around the world. One radio show in Australia had listeners calling in to see if their partners had had accounts on the website, resulting in some unsavory moments.
This has resulted in the company’s reputation – like that of its users – lying in tatters and calls into the question the credibility of similar websites. How can a person be expected to sign up to a confidential website if their private information is so easily at risk of being exposed?
This is an example, recent and extreme, of what a cyberattack can mean for your company. The average cost of data theft is around $3.8 million (€3.4 million), according to the latest report by the Ponemon Institute. This is an increase of 23% compared to what a company would have lost to a hacker in the previous year.
Cyber insurances for companies
The damage done to a company’s credibility may not be repairable but there is at least a way of preventing the economic fallout from being too harsh. Large corporations are away of the risk that is posed and are looking for solutions. This has resulted in an increase in cyber insurance, which has seen an increase from 10% to 26% in the last year in the United State alone. It is estimated that up to 60 different insurance firms are offering this service.
Information theft is also a worry for European businesses and they are heading for a more rigorous legal framework for data protection, with a new law on the way. Protection against possible regulatory fines and penalties is something that every potential cyber-insurer must cover in Europe.
In general terms, you could say that there are two distinct risks that these policies cover: direct risks, which affect the company itself, and indirect risks which affect third parties (clients and users). In a typical information leak, the direct cover would help to defray the costs of notifying about an attack and the following analysis, the repair and restoration of the data, and the victims’ verification service. The indirect cover would take care of the costs of fines, legal fees, judges, and complaints on behalf of users.
So, is it worthwhile for your company to contract a cyber-insurer or is this just another way for insurance companies to increase their revenue by exploiting unchartered territory? It depends and the first thing to consider is rather obvious; prevention is always better than the cure. A good antivirus for businesses y and following recommended security steps is the best defense against a cyberattack.
That said, the main advantage of these insurance policies is that the company can continue operating if it suffers an attack. It doesn’t prevent or decrease the chances of being targeted, but it allows you to relax knowing that the future won’t be so grim.
However, no matter what insurance the company has, it will never recover its reputation after an attack and this can be devastating. According to a report by Ponemon, a cyberattack can cause a company to lose up to 4% of its clients and customers in some sectors.
So, if your company finally decides to contract a cyber-insurer there are a few things to consider. The insurer should offer retroactive cover (which pays for breaches that take place before the policy is activated), cover for unencrypted documents (text documents, spreadsheets, etc.), third party information, information stored on the cloud and mobile devices, and that it is clear what the company considers to be negligence – so they don’t leave you high and dry at the worst moment.