Insuring Against Cyber Breaches

The cost of a data breach can be a crippling expense for companies and a looming threat. The world record for the largest payout for a ransomware demand, made by an insurance company this year, now stands at $40 million. That’s why it’s so important for companies to figure out how much they should be spending on cybersecurity, says Maryland Smith’s Lawrence A. Gordon, a widely respected pioneer in cybersecurity economics. 

PCQuest, one of the most-read IT publications in India, recently tapped Gordon’s expertise for a look into cyber insurance in its March 2022 print issue. 

Gordon, the EY Alumni Professor of Managerial Accounting and Information Assurance, is co-author of the Gordon-Loeb Model, which provides an economic framework for deriving an organization's optimal level of cybersecurity investments, along with Maryland Smith’s Martin P. Loeb.

In the article, “Who comes after the Spiderman takes off?,” PCQuest notes: “Cyber insurance no longer is a footnote in the backyard of an enterprise’s IT strategy. It is the turnstile now. But is it helping enough to let the right future arrive in time?”

The publication points to IBM’s estimates that the average cost of a data breach has now reached over $4 million. And Mimecast estimates that the average ransomware demand levied against U.S. companies is well over $6 million.

Gordon says organizations need to consider three things when figuring out how much to invest in cybersecurity. 

“First – the probability of a cyber breach (derived from the combination of the threat and vulnerability of a cyber breach),” he says in the article. “Second – the potential loss from a cyber breach; and third – the productivity (in terms of reducing the probability of a cyber breach) of investments in cybersecurity.”

His Gordon-Loeb Model provides a framework for integrating the three considerations to figure out the optimal amount for an organization to invest in cybersecurity. 

Usually, investments in cybersecurity are geared toward reducing the probability of a breach – spending on activities such as encryption, access controls, firewall, intrusion prevention and detection systems, employee training, etc. – and strategies for transferring the risk of incurring a breach. For that, Gordon says insurance is critical. 

“An important part of an organization’s strategy for transferring the risk associated with incurring a cyber breach is to invest in cyber-insurance,” says Gordon. “Thus, purchasing cyber-insurance is (at least from my perspective) best thought of as part of the decision to derive the optimal amount to invest in cybersecurity within the framework of the Gordon-Loeb Model.”