With the finable GDPR compliance deadline just months away, the vultures are circling – and leading the pack is a group of companies touting so-called ‘cyber insurance’. While the majority of IT security vendors are opting to scare the XXXX out of organisations with their demands for rip and replace strategies to safeguard personal data, a number of small business insurers are opting for a sugar pill instead. Both approaches are highly questionable, as Paul German, CEO, Certes Networks, explains.
Virtually every business is struggling to get to grips with the challenges of the new General Data Protection Regulation (GDPR). But the current feeding frenzy, from IT vendors to ‘GDPR data experts’ and, now, insurance companies is, quite frankly, unconscionable.
Offering an insurance policy to ‘transfer the risk’ of cybersecurity breach is nonsense, and emphasising the new regulatory reporting demands associated with GDPR is a classic piece of misdirection. Wrapping it up with threats about the number of businesses that fail after a security incident is little more than profiteering.
The fact is that no insurer will insure any company against GDPR breach – the costs, from punitive fines to business loss, are simply too high. Secondly, no insurer will cover any organisation that fails to protect its data or assets. Leave the door unlocked and the homeowner is not covered in the event of burglary – the same applies to poorly secured data. So just what is ‘cybersecurity insurance’ actually providing?
Essentially nothing. Worse than nothing, since there is a risk that organisations will mistakenly believe the ‘insurance’ provides extra time to understand GDPR and how it affects the business – rather than invest in a cybersecurity policy today. In fact, the insurance is nothing more than a business cost – and it certainly will not reduce any risk.
Worse, in fact. The regulator is looking for a policy, a strategy, a clear direction towards safeguarding sensitive data at rest and in transit – no regulator is looking for an insurance policy!
With just months to go, companies should have clear thinking in place with regard to securing both data at rest and in transit – but with so many vendors insisting that rip and replace of encryption devices is the only option, it is little surprise that many companies have failed to make the change.
Just as the concept of cyber insurance is a nonsense, there is also no need to embark on a radical, expensive and disruptive security rip and replace. Finable compliance may arrive in May 2018 but this is not a one-off deadline: regulators fundamentally need to see that companies are on a clearly defined and workable journey towards GDPR compliance – they are not going to radically fine any company that can demonstrate it has taken steps towards improving security.
One of the biggest concerns for businesses – and one that the vultures are leveraging to the max – is the new need to inform both the regulator and affected data subjects, as soon as a data breach has been detected, something that is likely to have a devastating impact on business reputation. However, if the data is encrypted, in the event of a breach there will be no need to notify data subjects as the information will not have been compromised.
For many businesses, therefore, it is likely there is nothing wrong with the traditional security and encryption processes being used, provided they have been implemented correctly. It is as and when an organisation decides to change the way it processes user data that additional controls and security considerations will be required. The ultimate goal is to secure all data in transit regardless of network or service being used – but that doesn’t have to be achieved immediately.
So forget the insurance, step away from the rip and replace merchants, and embark upon a journey that ensures the business has done everything possible to protect itself – and its customers – from data compromise.