Despite headline-grabbing data breaches that have proven costly to organizations in many sectors, the purchase of cyber-insurance to cover potential costs remains relatively rare.
Cyber-insurance policies vary widely, but they often cover notification expenses, credit-monitoring services, and, in many cases, legal defense costs and even government penalties.
“Cyber-insurance is viewed as much more of a discretionary purchase, and risk managers really have to be educated on the need to purchase the coverage and what the coverage actually provides,” says David Bradford, who published a 2012 survey that addresses cyber-insurance for RIMS, the risk information management society.
Taking a Broader View of Risk
Bradford estimates that 40 insurers offer cyber-liability coverage. By comparison, about 5,000 companies provide property and casualty insurance in the United States. Because the cyber-insurance industry continues to mature, its offerings aren’t as consistent from provider to provider as they are with other types of insurance.
“There are so many material differences between the coverages available that there is no real one-size-fits-all approach,” says Richard Bortnick, an attorney at the law firm Cozen O’Connor.
What’s covered by most cyberpolicies? Generally, they fall into two areas: first party coverage, which covers direct expenses, and third-party coverage, which covers payments made to others.
Examples of first-party coverage include notification expenses to alert stakeholders of a breach and provide them, when necessary, with credit monitoring services, which insurer Chubb estimates could cost up to $30 per customer. Other first-party expenses include repairing reputation harmed by a breach, including public relations costs; restoring systems and data; repaying funds stolen through fraud or extortion; and covering revenue losses associated with computer system disruptions.
Third-party coverage encompasses court-imposed damages, regulatory penalties and defense costs associated with lawsuits alleging the disclosure of customers’ personally identifiable information or harm to business partners’ systems.
An organization’s decision on what type of policy to buy and what it should cover depends, in part, on the type of information that could be exposed.
“To the extent that an entity has a large number of personally identifiable information records, then there’s a much bigger chance of exposure,” says Kevin Kalinich, global network and cyber-risk practice leader for Aon Risk Solutions, an insurance brokerage. In general, businesses with such exposures include retailers, hospitality providers, healthcare providers, health insurers, financial institutions, payments processors and educational institutions, including colleges and universities.
Assessing Existing Coverage
Temple University sought cyber-insurance after other schools suffered breaches and its director of risk management and insurance, Lisa Zimmaro, realized that its general liability policies didn’t protect it from losses related to its computers and information systems.
“There are a lot of exclusions in general-liability policies that made us think that had we had a breach, our general liability carrier would deny coverage,” Zimmaro says.
But businesses that don’t retain a lot of personally identifiable or sensitive information on their computers would likely choose far more limited cyber-insurance coverage, if any at all.
Ace Hardware, a cooperative of 4,500 stores owned by individual retailers, bought a limited policy because the parent organization stopped processing credit card information several years ago, says William Montanez, director of risk management. Its cyber-insurance is limited to coverage of legacy exposures.
The Cost of Breaches
Still, for many organizations, data breaches and exposures can prove costly.
A hack of South Carolina’s tax system in 2012 is expected to cost the state at least $20 million, mostly for the costs to notify 4 million taxpayers whose personally identifiable information was exposed and provide them with free credit-monitoring services, according to the news website Greenville Online. The federal and state governments generally self-insure, but smaller local governments often rely on insurance.
Although most data breaches aren’t as costly as the one South Carolina experienced, they can make a dent in an enterprise’s coffers. The average breach costs an organization $5.5 million, according to the 2011 Cost of Data Breach Study conducted by the Ponemon Institute. The typical breach exposes more than 28,000 records at a cost of $194 a record that includes notification, call center, forensics and other direct expenses.
Those types of losses may eventually prompt more organizations to seek cyber-insurance. But John Wheeler, a research director at IT consultancy Gartner, cautions that cyber-insurance isn’t a stopgap measure to compensate for weaknesses in an IT security program.
Local solutions are available
“Cyber-liability insurance has gained a higher profile with the breaches experienced by several large retailers in the past couple of years,” said Mike Olson, manager of Grand Rapids State Agency. “We now have several companies that offer cyber-liability coverage and a couple that will offer it on a stand-alone basis. People should stop by or call (326-1122) so we can walk them through a few questions that will help us provide a good quote for their specific needs.”
http://www.inforisktoday.com/cyber-insurance-one-size-fits-all-a-5395; Information Security Media Group, Security Agenda Special Edition