What happened to Capital One could happen to any business. Fortunately, they were insured.
If a corporation with the resources of Capital One can't protect their network, how can any other business be expected to? This is the harsh reality confronting small and mid-size business owners. A single mistake can be costly...even company-ending.
Background: on Monday, July 29th, Capital One announced that a hacker had compromised the personal information of more than 100 million people, in one of the largest-ever thefts of data from a bank.
Why this matters:
Every indication is that the attacker exploited a fairly basic vulnerability (more on this at the end) that many businesses using public cloud services like Amazon Web Services, Google Cloud, or Microsoft Azure face.
The costs for Capital One will be staggering. If the Equifax breach, which exposed the data of 145 million people, is any indication, the Capital One breach could cost more than $1 billion (yes, with a b). The Equifax breach is estimated to have cost $1.4 billion already.
Could your business withstand a $100,000 unforeseen cost, much less $1 million or $1 billion? Cyber security incidents are costly.
Fortunately, Capital One purchased $400 million of cyber insurance — and although it may not be enough, it will cover the brunt of the loss. The most comprehensive cyber insurance policies available today, like Coalition's, are designed to broadly cover the loss exposures of a data breach or privacy violation of any kind (even accidental disclosures!) This can include the costs to notify customers, provide credit monitoring, regulatory fines & penalties, and incident response and forensic services, among many others. And it's more affordable than you might think. A policy with up to $1 million of coverage can cost only a few hundred dollars per year for a small business, or a few thousand for a mid-size business.
Bottom Line: Make sure you are insured. In this day and age, every company must be prepared for a data breach or cyber incident. For small and mid-size businesses, risk transfer (i.e., insurance) is the single most cost-effective tool available. Coalition's cyber insurance policy, specifically and uniquely, comes with 24/7/365 cybersecurity scanning, free tools to protect your company and employees, and access to Coalition's security incident response team. The result? Coalition policyholders experience 1/5th the claims as the broader cyber insurance market (according to NAIC and Aon data).
For complete technical details on the Capital One Server Side Request Forgery (SSRF) vulnerability, check out Evan J's post on Preventing The Capital One Breach.
Related blog posts
Control Cyber Risk from the Inside Out
Coalition Control™ integrates with cloud providers Microsoft 365, Google Workspace, and AWS to allow customers to manage digital risks in a single platform.
Cyber Incident Reporting: Important Questions to Ask for Essential Business Planning
Cyber incident reporting obligations can be complex. Businesses must consider how they will meet the requirements before an incident to expedite the process.
Change Healthcare Attack Fallout: How Coalition is Responding
The attack on Change Healthcare is a reminder of our shared dependency on technology and the ever-present cyber threats facing modern businesses.
