Distributed denial of service (DDoS) attacks can have very significant financial costs associated with them. There are the direct costs that can be measured in dollars, including the amount of business lost due to downtime; the cost of mitigation to get systems back online; and the cost to repair or replace damaged systems. There are intangible costs as well, such as damage to a company's reputation, and opportunity costs from business that went elsewhere and won’t come back.
In addition, a DDoS attack can mask other forms of cyber attack that carry their own associated costs, such as recovering from a data breach.
The actual financial cost of a DDoS attack varies according to the type of business and the length of the attack. Costs can range from thousands or tens of thousands of dollars per day to millions of dollars for companies that do extensive business over the Internet.
General business insurance typically has exclusions for cyber liabilities, and so many companies are turning to cyber insurance to recoup some of these costs. Cyber insurance is quickly becoming an important part of their risk mitigation strategy.
There are different types of cyber insurance policies, with each type covering different aspects of cyber liability. According to the Financial Services Roundtable, there are four main types of cyber insurance coverage:
- Data breach and privacy management coverage, which covers the costs associated with managing and recovering from data breaches. This includes the forensic investigation, notification of victims of stolen data, credit monitoring for the victims, and associated legal fees.
- Multimedia liability coverage, which covers defacement of websites, media and intellectual property rights.
- Extortion liability coverage, which covers the damages incurred from extortion. For example, coverage might include the damages of having a hard disk encrypted by CryptoLocker, or of having a DDoS attack knock out a website or other services, if a ransom isn't paid.
- Network security liability coverage, which covers incidents like third party theft and DDoS attacks.
Any business that is considering a cyber insurance policy should do a risk assessment to understand its areas of vulnerability and the impact of an actual event. The company should understand not only what type of insurance would best suit its needs, but also how much coverage. This is where the impact assessment is valuable.
For example, a company that is the victim of a massive data breach could be on the hook for hundreds of millions of dollars in liabilities spanning multiple years. To date, Target Corporation has amassed liabilities of more than a quarter of a billion dollars stemming from its 2013 data breach.
Any company that is considering purchasing a cyber insurance policy should consult with legal counsel when selecting a policy. A lot can be at stake, and the policy wording can make the difference between a large payout and the denial of a claim.
Cyber insurance is not a substitute for making smart investments in cyber security and following industry best practices. However, it is an important part of almost any business's risk mitigation strategy.