Archive for March 17th, 2009


Breach Insurance – A Bad Joke?

I had a client ask me today about data breach insurance and had to do everything I could to keep from laughing.

In my humble opinion, data breach insurance is possibly the biggest license to print money ever found by the insurance industry.

I have read a number of these policies and they read like a Who’s Who of security best practices.  They require an organization to ensure that they follow these best practices to the letter making it virtually impossible to collect.  Remember, security is not perfect.  Just some samples of the requirements I have seen in these policies include:

  • Your organization must conduct vulnerability scans and penetration tests at least monthly;
  • You need to have a CISSP or other relevant certified individual on staff;
  • You need to have a dedicated CISO or similar person overseeing security;
  • You need to diligently follow specific standards such as the PCI DSS, GLBA, HIPAA or similar;
  • You need to follow NIST, NSA or other relevant security guidelines.

Miss any one of these requirements, and you cannot file a claim against your policy.  Based on the requirements I have seen, compliance with the PCI DSS is a cakewalk by comparison.

And just like the PCI DSS, suffer a breach and you are required to have an independent forensic examination conducted.  If this examination turns up any, and I do mean any, flaws in your implementation of these best practices, your claim will be denied and your organization is responsible for the cost of the examination and all other related costs.  Can’t wait to sign up, can you?

But, it gets even better.  Analysis of the premiums for these policies, together with the costs of meeting the requirements just to have a chance of filing a claim, shows that over a five year period your organization will likely pay as much as, if not more than, the coverage limit of the policy.  To add insult to injury, most organizations figure that their chance of filing a successful claim is less than 5% because their own internal audit findings indicate that they cannot execute their existing security procedures consistently.

Bottom line.  Ask lots and lots of questions of the underwriter if your management is bent on getting one of these gems.  Focus on what’s necessary to collect.  Keep a tally of the costs to maintain compliance, including any new tools and personnel that might be required.  Once the costs of compliance are known along with the premiums, I think your management will see that it’s likely cheaper to self-insure.
