I spoke with an executive in the professional services industry who is being asked to submit a formal bid for the services his company provides. He has responded to hundreds of requests over the past 5 years, but this request for proposal was different from all of the others he has had to respond to.
The proposal he was responding to had a mandatory insurance requirement to carry coverage of several million dollars for Security and Privacy Liability Insurance (Cyber Risk). Why?
This is likely going to become a more standard practice as we move forward. Companies that seek services from outside firms to meet the needs of their business are not willing to put their business at risk due to the poor business practices of their suppliers. But can requiring companies to carry Cyber Risk insurance really do anything to solve the problem? Not likely…but it raises the ante as it pushes risk management back into the arms of many small businesses.
The cost of this insurance varies depending upon the risk exposure presented to the insurance provider. If you are a small business providing services to a large company, that company has years of intrinsic value and goodwill created through reputation and performance within its market vertical. It is one thing to have a machine go down that prevents widgets from going out the door on time. There is a tangible protection in this case. Perhaps a virus brings down production equipment directly or indirectly. But the scope of the issue is limited and it is internal.
What happens when a security breach occurs that is tracked back to an employee of the outsourced service vendor, and this breach has a direct impact on the customers of the company for whom the vendor is providing services? What is the cost of this breach? Can insurance really cover this cost?
If you are a small or midsized business, the dollar cost of Cyber Risk Insurance may not be all that much, if you are able to find an insurer willing to provide it to your business. If your business is being proactive with Cyber Security, you are more likely to be insurable. But it’s not the dollar cost of the insurance that really matters. It is the use of that insurance due to IT and employee security related issues that have manifested themselves in someone else’s backyard. How much will that cost your company?
Is this hype or is this for real? “A ransomware attack that began in Europe on Friday is lingering — and hitting new targets in Japan and China. The WannaCry software has locked thousands of computers in more than 150 countries. Users are confronted with a screen demanding a $300 payment to restore their files. The cyberattack has hit more than 300,000 computers, White House homeland security adviser Tom Bossert said at Monday’s midday White House briefing.” (Bill Chappell, NPR, May 15, 2017)
How much longer will it be before the US Government requires all companies to meet a level of Cyber Security Compliance?
Ben Budraitis, CEO
iTruss Solutions, Inc.