The team of forensics investigators and security consultants called on to contain the data breach at U.S. retail giant Target have finished that particular phase of the incident response. But the fallout associated with the security incident could last years, say security experts, costing the retailer millions in regulatory fines and legal fees associated with potential lawsuits.
Target's legal counsel has very likely reviewed the company's cyberinsurance policy if it has one, said Mark Greisiger, president of NetDiligence, a Philadelphia-based cyber risk assessment services firm that works with cyberinsurance underwriters. In addition to helping offset costs related to a serious security incident, cyberinsurance policies often provide assistance with breach services, including immediate access to legal counsel, forensics investigators and security consultants. Target declined to comment to CRN about its insurance coverage.
"There's a good chance that a company like Target has had coverage in place for a decade," Greisiger said. "A major benefit is to be able to get assistance in a timely manner when all hell breaks loose. It can get some businesses through the first 24 hours when they don't even know where to begin."
Some businesses, however, have been caught without coverage. Sony's PlayStation Network was hit hard by hackers in 2011, resulting in more than three weeks of downtime while forensics teams determined the scope of the massive breach. The attacks came in two separate waves and resulted in the exposure of account data on more than 70 million people and about 12 million credit and debit cards. Sony is still reeling from the incident and is in a longstanding dispute with its commercial general liability insurance company, Zurich American Insurance Co., over the hundreds of millions of dollars in claims it made from expenses it incurred during the data breach.
High-profile incidents such as the Target and Sony breaches are causing some businesses to look at what policies they have in place, said Ben Goodman, president and CEO of 4A Security, a New York-based managed security service provider. Cyberinsurance is part of a risk management strategy, said Goodman, who also is CEO of 4A Security partner Enterprise Risk Associates, which specializes in insuring against risk assessments.
Insurance policies help transfer risk and reduce the financial impact of an incident, said Goodman.
"From our perspective this is where it is a mistake to think IT security is just a technology issue; it's also a business issue," he said. "You can control the impact an attacker may have on you by putting in all the best practices so you are not an easy walk-in-the-park kind of place for a hack, but at the end of the day you're not going to be 100 percent effective."
4A Security and Enterprise Risk Associates are run as separate businesses, said Goodman. 4A Security sales engineers aren't selling insurance policies, he added, as they would have to be licensed according to state guidelines.