Implications of The Home Depot’s Security Breach Settlement
People purchase insurance to shift liability, that is, to move the financial burden of a devastating event onto someone else. Whether the buyer is an individual or a national retail giant like The Home Depot, the decision rests on many factors, chief among them the cost of the premiums over time versus the cost of repair and potential restitution after a disaster. Is it cheaper to insure against an event or to self-insure and absorb the full cost at the moment the event occurs?
In the not-so-distant past, technical security in the corporate world consisted mostly of a highly technical, reactive "defense team" mentality. It was built around vulnerabilities, attack signatures, intrusion detection and other terms that bring to mind a vast sea of ones and zeros that most of us were happy to leave to someone else.
In the past few years, however, the nature of commerce and corporate business has changed in such a way that cybersecurity is no longer solely the concern of highly technical specialists and their stateful packet inspection. Recent events show corporate cybersecurity moving along the spectrum from a purely technical defense toward a legal and liability issue.
In 2014, Home Depot suffered a data breach that compromised 56 million payment cards and 53 million email addresses. Specifically, attackers deployed memory-scraping point-of-sale malware (reported as BackOff) that read card data out of the terminals' memory in the brief window between the swipe and encryption. A year earlier, Target was breached with the same class of malware, compromising 40 million payment cards. In both cases, class-action lawsuits followed.
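The memory-scraping technique mentioned above is simple enough to show concretely. The following is an added example, not code from the original article or from the malware families it names: a scan of a process memory image for cleartext Track 2 magnetic-stripe data, which is what a RAM scraper looks for and, equally, what a forensic responder searches a POS terminal dump for to confirm exposure. The memory buffer is constructed for illustration and uses a public test PAN; the function and variable names are this example's own.

```python
import re
from typing import Dict, List

# Track 2 layout as held in POS process memory before encryption:
# optional start sentinel ';', PAN (13-19 digits), separator '=',
# expiry YYMM, 3-digit service code, discretionary data, end sentinel '?'.
# The lookbehind stops a digit run from being split into a bogus PAN.
TRACK2_RE = re.compile(rb"(?<!\d);?(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\??")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: real PANs pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> List[Dict[str, object]]:
    """Return every plausible Track 2 record in a memory buffer, PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):                      # drop non-card digit runs
            continue
        yy, mm = m.group(2).decode(), m.group(3).decode()
        if not 1 <= int(mm) <= 12:                # drop impossible expiries
            continue
        hits.append({
            "offset": m.start(1),
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": f"20{yy}-{mm}",
            "service_code": m.group(4).decode(),
        })
    return hits


# Constructed sample of what a POS process dump might contain (not real data).
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v3.1\x00TXN=000381\x00"
    b";4111111111111111=25122011234567890?\x00"    # valid record, test PAN
    b"\x00\x00;4111111111111112=2512201?\x00"      # fails Luhn: not a card
    b"\x00ORDER_ID=20240917123456789012345\x00"    # digit run, not track data
    b"\x00;4242424242424242=2613101?\x00"          # month 13: invalid expiry
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_MEMORY):
        print(hit)
```

Scanning a dump this way only tells you that card data sat in cleartext in memory, not who read it; the mitigation the card brands pushed after these breaches was point-to-point encryption at the reader so that the PAN never appears in terminal memory at all.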
I feel very confident that Home Depot had a strong team of competent security personnel at the time of the 2014 breach, and it is safe to assume that the other affected organizations did as well. So I write this not as an indictment of any organization, but as a sobering indication of how quickly the cybersecurity landscape is changing.
In settling the class-action lawsuit, Home Depot reportedly agreed to pay $19.5 million: $13 million into a fund to reimburse affected customers and $6.5 million for identity protection services. Home Depot admitted no wrongdoing. Target, in its settlement the previous year, agreed to pay $10 million.
What is most interesting, however, is that Home Depot also agreed to employ a chief information security officer (CISO) and to improve its security practices. This illustrates an important element of the new world of cybersecurity: governance, risk management and compliance (GRC) is as much a legal and liability matter as a technical one. Corporate investment in GRC is a large step toward reducing both the likelihood of a successful attack and the likelihood of litigation, and toward defending against that litigation when it comes.
The purpose of GRC, proper security management and policy is to create a standardized, structured defense effort that draws on best practices and the industry's accumulated experience to build a strong, unified cyber defense. A documented GRC program is also the strongest evidence of due care in any legal action.
The industry has put forth several large frameworks that define best practices for cybersecurity. The risk-based NIST Cybersecurity Framework was developed for voluntary adoption by operators of critical infrastructure. The NICE Cybersecurity Workforce Framework, by contrast, guides education and skills development for cybersecurity personnel.
The protection that GRC and these frameworks provide can only be fully realized through proper education and certification, and GRC positions can only be valued properly when they are filled by appropriately credentialed and qualified people. Requiring the addition of a CISO position speaks volumes about a corporation's commitment to managing GRC from within and creating a compliant, structured defense.
So, what is the cost of insurance? And what is the cost of not having insurance?
While admitting no wrongdoing, Home Depot paid $19.5 million under the settlement. That was far from the whole bill. The company had to investigate, document and present its findings, and mount a legal defense in a class-action lawsuit. It reported roughly $161 million in breach-related expenses, its stock price fell in the days after the breach was announced, and it faced hiring a new C-level executive to lead a company-wide overhaul of its cybersecurity practice.
In risk-management terms, controls reduce risk while insurance transfers it, but a proper GRC program moves liability in the same direction insurance does: it lowers the chance of a breach and, when one happens anyway, demonstrates the due care that courts and regulators look for. Investing in education, certification and sound internal organization built on the right framework for protecting critical infrastructure is therefore the key not only to asset protection, but to possible legal relief. It is also far cheaper than the going rate for damages.
Where and how do you begin? Whether you’re a seasoned cybersecurity veteran, have been given expanded security responsibilities, or are new to the scene, it’s important to have a steadfast resource for continued education and news. Our cybersecurity page has the latest courses, certifications, white papers, webinars and blogs to help you fight these threats.
Nothing will fully prevent or stop the enemy in a cybersecurity war, but best practices, frameworks, and proper education and credentialing provide your best defense in both cyberspace and the courtroom.