Breach Insurance – A Bad Joke?

I had a client ask me today about data breach insurance and had to do everything I could to keep from laughing.

In my humble opinion, data breach insurance is possibly the biggest license to print money ever found by the insurance industry.

I have read a number of these policies, and they read like a Who’s Who of security best practices. They require an organization to follow these best practices to the letter, which makes it virtually impossible to collect. Remember, security is not perfect. Just some samples of the requirements I have seen in these policies include:

  • Your organization must conduct monthly or more often vulnerability scans and penetration tests;
  • You need to have a CISSP or other relevant certified individual on staff;
  • You need to have a dedicated CISO or similar person overseeing security;
  • You need to diligently follow specific standards such as the PCI DSS, GLBA, HIPAA or similar;
  • You need to follow NIST, NSA or other relevant security guidelines.

Miss any one of these requirements, and you cannot file a claim against your policy. Based on the requirements I have seen, compliance with the PCI DSS is a cakewalk by comparison.

And just like the PCI DSS, suffer a breach and you are required to have an independent forensic examination conducted. If this examination turns up any, and I do mean any, flaws in your implementation of these best practices, your claim will be denied and your organization is responsible for the cost of the examination and all other related costs. Can’t wait to sign up, can you?

But it gets even better. Analysis of the premiums for these policies, plus the cost of meeting the requirements just to have a chance of filing a claim, shows that over a five year period your organization will likely pay as much as, if not more than, the coverage limit of the policy. To add insult to injury, most organizations figure that their chance of filing a successful claim is less than 5%, because their own internal audit findings indicate that they cannot execute their existing security procedures consistently.

Bottom line. Ask lots and lots of questions of the underwriter if your management is bent on getting one of these gems. Focus on what is necessary to collect. Keep a tally of the costs to maintain compliance, including any new tools and personnel that might be required. Once the costs of compliance are known along with the premiums, I think your management will see that it is likely cheaper to self-insure.


3 Responses to “Breach Insurance – A Bad Joke?”

  1. Bud Grabill
    August 10, 2016 at 9:13 AM

    Obviously you’re a reporter and not a CIO at a Level 2 corporation. It’s laughable until you’ve had a breach. Been through the breach experience, and the insurance was a 17.1 to 1 ROI-to-premium return. Saved us millions.

    “Good judgement comes from experience. Unfortunately, most experience comes from bad judgement.”
    – President Harry Truman

    • August 13, 2016 at 3:22 PM

      Sorry, but I’m an IT guy not a reporter. I’m glad you had a good experience when you suffered a breach, but from what I’ve been told by my clients, that is the exception not the rule. All of my clients got only a small fraction of what they thought they would get when they were breached.

  2. March 31, 2009 at 9:50 PM

    This blog’s great!! Thanks :).


If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.


March 2009