Equifax is back in the news with regard to its 2017 cyber breach, which saw the records of 147 million Americans exposed.
This time around, however, it’s not Equifax’s cybersecurity that is in question, but rather its overall ability to pay claims. The Equifax breach is an excellent case study for organizations that are still questioning both the value of cyber insurance and their overall risk exposure to a cyber breach.
The costs of the Equifax breach are now nearing half a billion dollars. This factors in compliance and fines, as well as reputational risks. Of that, the insurance policy covered only $125 million. For a company that deals solely in data as its core service, the organization severely miscalculated its risk exposure. This is a common thread that many organizations face when evaluating not just what their actual cyber exposure is, but also how to adequately insure it.
In Equifax’s case, the company is now expected to run out of money in its claims settlement fund for those affected by the breach. This will only further compound the company’s issues, extending the duration of this crisis and further tarnishing its reputation.
Much like we wrote when this incident first took place, there are many ways to ensure that an organization can be prepared against cyber risk. Insurance is just one tool to help reduce the financial exposure the organization is willing to accept.
What was lacking in Equifax’s case, and what organizations would be wise to glean from its mistakes, was an investment in establishing a proactive cybersecurity culture and training staff, from the board to the front lines, in proper cyber hygiene. A simple patch could likely have prevented this almost $500 million mistake from Equifax, or at the very least reduced its economic and reputational toll significantly.