For a data center, cyber insurance should be as much a priority as, say, fire insurance -- but many companies don't know what they need, or whether they're covered by their existing policies.
Having a cyber insurance policy in place helps a data center minimize the financial impact of a breach, attack, or outage, Aleksandr Yampolskiy, CEO and co-founder of SecurityScorecard, said.
"This is especially important for data centers, as the incident will likely have an impact on the customers using the hosting services," he said.
There’s now more risk, as enterprises today are increasingly interconnected. In Yampolskiy’s opinion, that makes cyber insurance a best practice.
A data center can also be back up and running faster if the costs are offset by cyber insurance, Keith Moore, founder and CEO at CyberPolicy, said.
But data center operators should be aware that not all cyber insurance policies are created equal and choose ones that best fit their needs.
"For example, policies that cover business interruption, forensic investigations, and data loss may be more applicable to a data center" operator, he said. However, cyber insurance policies that focus on fraud, extortion, and reputation management may be less relevant, since these are not necessarily the biggest risks that a data center faces.
Data center operators have been reliable buyers of cyber insurance coverage, Julie Eichenseer, director of global client solutions at Guidewire Cyence Risk Analytics, said.
"With such high-value data, and as companies share and collaborate more than ever, the internal and external threat will only increase," she said. "As the number of attacks continues to rise, traditional defenses no longer cut it."
According to a study by the Ponemon Institute, the average cost of a data center outage in 2016 was $740,357, up from $505,502 in 2010.
"With the IT security market for data centers estimated at $10 billion, the cost of insurance represents a very small percentage of total spend – and is worth the investment when you consider the rising average costs of data center downtime," Eichenseer said.
The cyber insurance marketplace is still catching up to reality, Bill Fox, global CTO for healthcare, life sciences, and insurance at MarkLogic, said.
Fox is a former attorney and health care executive who has first-hand experience with massive data integration projects, such as healthcare.gov, the health insurance exchange website launched by the US government as a result of the enactment of the Affordable Care Act, also known as "Obamacare."
Eventually, cyber insurance will be mandatory, he said, just like flood insurance is in coastal areas.
Without cyber insurance in place, a data center operator should be prepared to face not just the immediate costs of a breach itself, but also the inevitable lawsuits that follow. "The consequences of the lawsuit can create a crisis as damaging as the breach," Fox said.
But cyber insurance is getting more and more expensive.
According to a report by the British insurance giant Aon, cyber insurance premiums have been rising by 23 percent annually and will hit a total of $4 billion by 2021. That's a higher growth rate than any other type of insurance.
This may change over time, as insurance companies encourage customers to follow cybersecurity best practices the same way health insurance providers encourage customers to stop smoking and lose weight, car insurance policies penalize customers for speeding, and fire insurance policies insist on sprinklers and fire alarms.
Today, however, it's still not clear what safety precautions actually reduce cybersecurity risks. Unlike other areas, like fire, flooding, or tornadoes, the field is evolving rapidly. Unlike natural disasters, cybercriminals are actively and aggressively finding ways around precautions put in place to thwart them.
In addition, new threats appear on a regular basis. Policy and security procedures designed to deal with data breaches, for example, may not be adequate in the face of ransomware or relevant at all in cases of cryptojacking (hijacking someone’s computer to mine cryptocurrencies, such as bitcoin).
There are several vendors trying to measure and evaluate risks in real-time, Robert Huber, chief security and strategy officer at Eastwind Networks, said.
With Europe’s General Data Protection Regulation having gone into effect this past May, more data may become available to model cyber risk. That may help lower insurance costs for the best-prepared companies.
In addition, growth in the cyber insurance market may bring more competition between providers, eventually leading to better and less expensive coverage.
Of course, you can’t slack off on security simply because your data center has cyber insurance. Following security best practices can reduce the likelihood of an attack and the extent of damage if one were to happen -- plus, it can keep your cyber insurance premiums lower down the line.