Does hacker insurance make your business a bigger liability?

It’s a scenario that every small online business fears: site security is compromised, hackers steal customer data including credit-card details, and your brand and your reputation are left in ruins. No wonder then, that many small online businesses are looking to insure against hackers and the resulting financial impact of a security breach. But is insurance really the answer and could it even be part of the problem?

The insurance brokers are, naturally, presenting such insurance as pure common sense. A chap who works in the insurance business used car insurance as a counter-argument to my suggestion that surely the best IT security insurance policy was to remain secure in the first place.

“We all appreciate the need for car insurance,” he told me, “no matter how careful a driver you may think you are. The simple fact is that you never know when a drunken idiot is going to crash into you.”

The argument is that, as with all insurance policies, you are paying a premium to cover you for that worst-case scenario should it ever happen. “When it comes to online security,” Mr Insurance assured me, “the chances of the worst-case scenario becoming a reality are increasing day by day, as criminals develop ever more sophisticated methods of hacking your site. To not insure against the risk of being hacked is bad business, and that’s the bottom line.”

I can, of course, appreciate the logic of those arguments but I’m still not convinced that insurance is quite the magic bullet it’s being made out to be here. Unlike driving a car, running a secure web business is pretty much about how safe you are, rather than how unsafe other people are. If your site is locked down securely in terms of both the back-end and customer-facing components; if customer data is secured and encrypted in transit and at rest; if security policy is implemented and maintained at the right level, then the ‘drunken driver’ scenario does not come into play.

Unless you consider the ‘drunken driver’ to be the equivalent of the dodgy employee, I guess. There’s certainly no denying that insider hacking is a huge problem, with disgruntled or plain dishonest employees (and former employees who have retained access to your systems because you have not thought to disable their ability to log in) committing fraud, stealing customer data and selling commercially sensitive information.

Of course, whether insider hacking would be covered by a typical insurance policy is another thing. If you leave your keys in the car and it is nicked, most insurers will tell you it wasn’t insured against being driven off under such circumstances. If an employee steals customer credit-card information by using the login you gave them (the car keys, in other words) the hacker insurance company may well take a similar “not covered” stance.

So, yes, the bad guys are investing huge amounts of money and effort into developing ever more clever ways of getting their hands on your data. But the vast majority of those methods still rely on basic lapses in security in order to succeed. Those businesses that are really taking security seriously, and not taking their eye off the security ball, are not exposing themselves to an ever-increasing risk of becoming a victim – quite the opposite, in fact. The hackers are far more likely to target insecure sites, or, perhaps more accurately, the automated vulnerability discovery bots employed by the hackers aren’t even going to notice those sites which aren’t vulnerable.

Insurance itself is not a bad thing, please do not get me wrong. What’s more, your business insurance should, of course, cover you for any disruption to your business, be that through fire, flood or your servers being taken offline for whatever reason. What I do have an issue with is marketing anti-hacker insurance as some kind of panacea, an antidote to the security ills of the modern online era.

I can actually make use of that car insurance analogy myself now: just as in the auto insurance business your premiums will be lower if you can show you have a decent immobiliser fitted to prevent theft, so anti-hacking insurance will require evidence that your business has taken appropriate steps to prevent data theft in the first place.

My concern, however, is the very knowledge that if the worst-case scenario should happen and your business gets hacked, there’s a nice lump sum waiting to cushion the blow. It serves to take the edge off the risk, to make it less of a worry. And that, surely, is a bad thing. It’s the equivalent of taking a big security sedative, making the hacking problem a little less stark and a little more warm and fuzzy.

So, by all means talk to your insurance brokers about what levels of cover you have should customer data be compromised or your online business be disrupted through a Distributed Denial of Service attack; talk about whether you need specific liability cover to deal with the cost of post-breach clean-up, notification, auditing etc. But please don’t ever forget that the best insurance policy you can have against such loss is not getting hacked in the first place.

Source: Davey Winder, PC Pro
Dominic Jones

I'm a proud father, husband, huge James Bond fan, lover of fast cars and prolific buyer of technology gadgets. I started my first business when I was 21, learning the harsh way how to become successful. Through hard work, dedicating myself to learning and persistent focus I created one of the fastest growing computer services businesses in the UK.