A large global company announces a hacker attack, resulting in damage to information systems and the theft of credit card data.
Sound familiar? It should. Consider the fortunes of Home Depot, Target, Neiman Marcus, Supervalu and others that have been victims of cyber attacks. Hundreds of millions, if not billions, of dollars have been lost not only because of the breach, but also because sales decreased after frightened consumers stopped shopping. Target’s profits dropped by 50% from Q4 2012 to Q4 2013.
The problem has grown so significantly that many companies, in addition to bolstering information technology security, have elected to transfer this privacy risk through cyber insurance products.
The total amount in premium payments jumped from $1 billion to $1.3 billion from 2012 to 2013, according to Betterley Risk Consultants. More importantly, cyber insurance policies are responding effectively. According to the 2013 Net Diligence Cyber Liability & Data Breach Insurance Claims study, the average claims payout was $954,253. Many of these claims remain open.
In most industry sectors, only between 10 and 20 percent of companies make an investment in cyber insurance. Those numbers continue to climb rapidly.
Meanwhile, the thieves are winning. A report by McAfee for the Center for Strategic and International Studies placed the global cost of cyber crime at $445 billion. The Secret Service recently estimated that more than 1,000 businesses had been affected by malware very similar to that found on Target’s systems. The virus was not recognized by antivirus software until last month.
More troubling is that companies with fewer than 10,000 records are more likely to be victims of hackers than companies with more than 100,000 records, according to The Ponemon Institute’s “2014 Cost of Data Breach Study: United States.”
The reason? They are easier pickings. A hacker can break through a single location retailer more easily than a major corporation. Smaller organizations would not be able to survive the costs of breach response, regulatory penalties and lawsuits.
Don’t expect to be able to sweep a privacy breach under the rug. The District of Columbia, Puerto Rico and 47 states require companies to notify affected individuals after a cyber attack. Further, regulators are being more aggressive and plaintiff attorneys are being more creative.
The next obvious question is, what does the insurance cover?
The real challenge here is that there is no standard cyber insurance policy. Different insurers cover different things and there are very few insurance brokers/agents who know the intricacies of the contracts. Finding the right broker to find you the right policy is critical. Policies generally cover breach response expenses, regulatory actions and lawsuits from affected parties. Some policies will extend coverage for the net income lost due to reputational damage or the business interruption and extra expenses as a result of a network security event.
Cyber insurance has become a good market for insurers, with at least 50 companies offering some sort of cyber coverage. The most any company can buy in cyber insurance is $300 million, and that represents a rare policy.
Part of the problem with the lack of uniform policies and coverage amounts is the sheer difficulty of predicting attacks. Underwriters “could tell you exactly the chance of an office building burning down in Midtown Manhattan, but there isn’t anyone on this planet who could tell you the probability of a large U.S. retailer being hacked tomorrow,” Graeme Newman, a director at CFC Underwriting, told the New York Times in a June article.
In the end, cyber insurance is not intended to replace a strong IT security infrastructure. It has become a necessity for balance sheet protection for companies of any size.