The cost of a high-profile breach can be in the tens or hundreds of millions of dollars due to lost business, disrupted services and compensating potential identity theft victims.
But sophisticated companies are increasingly balancing the rising risk of a pricey cyber event by acquiring cyber security insurance from the likes of AIG (AIG) and Chubb (CB). Cyber coverage can mitigate the costs of everything from hiring forensic investigators and high-priced lawyers to shelling out ransoms to cyber extortionists.
“This is an arms race and an ongoing battle. Cyber insurance is becoming increasingly prevalent as boards of directors and officers become more and more aware of the seriousness of cyber security risks,” said Jim Halpert, co-chair of DLA Piper’s global privacy practice.
Like flood, fire and auto insurance, the idea behind cyber insurance is to spread the risk and cost of a security incident among a broader pool of companies that deal with sensitive data.
Cyber events can range from a breach of customer data like the epic breach of Target and a loss of intellectual property to a business interruption caused by a distributed denial of service (DDoS) attack.
Cyber Insurance Gains Popularity
The Ponemon Institute estimates organizations were hit by $5.4 million in costs per data breach in 2013, up 26% from the year before.
“Cyber insurance is becoming less of an option and more of an automatic purchase,” said Dave Navetta, founding partner of the InfoLawGroup who helped develop cyber insurance products at AIG at the start of last decade.
According to a 2013 Ponemon survey of nearly 19,000 security and risk management professionals, 31% say their company has a cyber security insurance policy and 39% say they are planning to purchase one.
Companies that are most likely to scoop up cyber insurance include ones in more regulated industries such as financial services and health care. Some observers said retailers, at least up until recently, have been slower to grab cyber insurance. They also believe colleges and universities are lagging behind on this front despite recent breaches at the University of Maryland and Johns Hopkins University.
In general, insurance experts believe the larger and more sophisticated a company is, the more likely they are to buy cyber coverage.
To be sure, some small companies that may deal less with payment data and other sensitive information may determine cyber insurance is not for them or they are already covered by other policies.
Still, the vast majority of companies have at least some risk to a cyber event that could eat into profits, hurt shareholders and lead to layoffs.
“Any company that collects, stores or transmits private information ultimately has a cyber security exposure,” said Ken Goldstein, vice president and global cyber security and media liability manager for the Chubb Group of Insurance Companies.
What Does it Cover?
Interestingly, the Securities and Exchange Commission’s 2011 cyber guidance advised companies to disclose to investors a “description of relevant insurance coverage.”
Cyber insurance carriers offer a broad spectrum of policies that cover various liabilities related to potential breaches and attacks.
These risks are best broken down into third-party liabilities and first-party expenses.
Third-party liabilities include lawsuits brought against a company by employees or customers for inappropriate access to private information and fines and customer redress brought on by regulators.
“Insurance is only part of an effective risk management response. You can’t just insure away all risks in this space."
- Jim Halpert of DLA Piper
First-party expenses cover forensic analysis in the wake of a breach, costs tied to notifying customers and offering data monitoring services, boosting bandwidth to conquer a DDoS attack and paying extortionists a ransom to stop an attack.
There are some potential fallouts from a cyber event that insurance companies are not likely to cover, including damage done to brands and physical harm caused by equipment failures.
Cyber insurance premiums can range widely based on the size of a company and the extent of its perceived exposure. Goldstein said small and mid-size companies may have a $2,000 to $15,000 price per $1 million limits of liability of coverage, compared with $17,500 to $50,000 or more for larger size companies.
'Don't Jump Into Anything'
Chubb offers companies loss prevention and risk management tools, including premium reimbursements to spend money on better encryption as well as providing access to breach cost calculators and Internet response plan templates.
Sixty-two percent of respondents in the Ponemon survey believe the premiums are fair given the nature of the risk.
Lawyers emphasized the importance of reading the fine print of cyber coverage to see specifically what type of events will and won’t be covered.
“Don’t jump into anything right away. Take your time and look at a number of different providers. Carefully read the policies,” said Randy Sabett, vice chair of Cooley’s privacy and data protection practice.
“Over the last two or three years essentially every insurance carrier has gotten into that market. There’s been a lot of competition. Premiums have come down and coverage has gotten larger,” said Navetta.
Cyber Insurance Shakeout?
Chubb’s cyber insurance business, which started around 2001, has enjoyed double-digit growth lately, according to Goldstein. “I see a lot of upside with that cycle continuing,” he said.
Before agreeing to insure a given company, insurance companies launch an underwriting process that may scrutinize an organization’s network security, privacy policies, password protection, intrusion detection, vulnerability scanning and incident response procedures.
That may help explain why 62% of respondents in the Ponemon survey believe the insurance has made their company better prepared to deal with security threats.
However, Navetta said underwriting standards at some insurers declined as more players got into the market. “We’re at an inflection point. We may see a little bit of a shakeout of the market because post-Target everything seems riskier,” he said.
Goldstein of Chubb said it would be “shortsighted” of certain insurers not to take underwriting “seriously,” especially given the fact that “there are big losses happening and playing out on a daily basis in the news.”
Of course, the act of simply obtaining cyber insurance does not mean companies can turn the blinders on to the risk of a breach or an attack.
“Insurance is only part of an effective risk management response. You can’t just insure away all risks in this space,” said Halpert.