If 2014 was the year of the hack, with more than a billion records compromised in a number of high-profile data breaches, what does that make 2015? For many businesses, it’s been a year of reacting to this alarming new world. Indeed, one of the scariest aspects is the financial liability that organizations face following a breach.
The Ponemon Institute’s recent Cost of Data Breach study pegged the average cost incurred for each compromised record at roughly $150. That would put costs incurred in 2014 at around $150 billion. How does an organization prepare for such potential risk? One answer may be finding the right cyberliability insurance policy.
Many businesses have operated under the assumption that their liability insurance covers cyberrisks. Not so, says Lauri Floresca, senior vice president of E/O and cyber team leader at Woodruff-Sawyer & Co., an insurance brokerage firm.
“Existing liability policies are not enough to address cyberexposure,” she says. “The industry has now crafted products to directly address this exposure area.”
One result of the headline breaches in 2014 and 2015 has been that corporate boards have begun to take up the issue of cybersecurity — and the liabilities attached to it.
“Sony, Anthem, Target, Ashley Madison — these high-profile breaches have touched everyone the last few years,” Floresca explains. “Target’s board of directors was sued, which made corporate boards all over sit up and take notice when it leads to personal liability for them, as well as financial liability of the company.”
In the aftermath of all this cybersecurity carnage, more organizations have been looking to offload some of their risk by purchasing cyberliability insurance. Global insurance broker Marsh reported a 32 percent increase in customers purchasing stand-alone cyberinsurance policies between 2013 and 2014, and the firm is expecting continued accelerated demand for cyberinsurance in 2015. Neophyte organizations in need of a policy have been embarking on what can often be a perplexing odyssey into a market where no two policies are the same and providers lack sufficient data.
“The industry needs to become a little more organized so people and companies can make sense of it — to figure out what their options are,” says Winn Schwartau, founder and president of The Security Awareness Company and an acknowledged expert in IT security. “It’s not explicitly clear right now. We don’t have metrics and we don’t have ways to quantify real numbers. There’s a lack of actuarial data available,” he says.
“Policies are not standard,” Floresca says. “And the inability to compare policies in the near term is not likely to change. Insurers are still figuring this market out. Policies can be tricky to parse, so I always recommend working with someone who understands these policies.”
While this may be a new market for insurers and those seeking policies, everyone is quickly learning that the same market dynamics are at work in cyberliability. Highly publicized breaches and their subsequent coverage payouts have been driving many premiums upward.
Target has recouped about $90 million of roughly $245 million in breach-related costs through its policy, and Home Depot has recouped about 45 percent of its breach-related costs, according to Jody Schwartz, director of information security and IT risk for Rewards Network, a merchant cash advance and marketing services company focused on the restaurant industry.
“In my policy research, the general trend in the insurance industry is that premiums are going down, except for cyberliability insurance, which is going up,” Schwartz says. “These policies and their premiums are becoming more expensive. It’s an interesting time in the evolution of these policies.”
Floresca offers a more nuanced take on the market: “In certain segments, in areas such as POS and healthcare, where there’s lots of data to secure, premiums have increased. For midmarket companies, it’s a healthy market,” she says.
“Premiums have stayed level. Consumer-facing companies clearly have a greater need for coverage. We see greater demand for companies that contractually need to have it. Some contracts are now demanding that cyberinsurance be in place.”
So what does an information security officer need to know before embarking on this cyberliability insurance adventure? Most policies consist of two main areas of coverage: direct costs and related liability. Direct costs include first-party (the organization itself) costs, such as breach remediation, forensics investigation and legal advice; and third-party (customer) expenses, such as those stemming from customer notification, call-center support and credit-monitoring activities.
Related liability refers to lawsuits from customers, regulatory investigation expenses and fines and payment-card industry assessments when applicable.
While there’s some variation among the specifics of what is and is not covered under these areas among policies from different insurers, the real differentiation can be seen in the various sublimits within each area of coverage. For example, a policy might have $5 million of coverage for direct costs but have a sublimit of $1 million for breach remediation.
“You really need to be aware of sublimits within parts of the policy coverage,” Schwartz says. “Legal fees, forensic investigation, third-party notification. You need to make sure those are in line with the scenarios you’re looking at if a breach happens. Read everything, because there are different first-party and third-party policy costs.”
Schwartz offers several more insights for companies reviewing cyberliability insurance policies.
“It’s critical to review the policy terms and the sublimits within it,” he says. “Look at the most likely breach scenarios for your business to determine where to focus your coverage and the appropriate coverage limits.”
Schwartz put this advice into practice firsthand at his company, which operates a card-linked dining-rewards program, working with the general counsel to apply these insights during the company’s recent cyberliability policy renewal. Such coverage is a good fit for organizations processing large amounts of consumer or credit card data.
“The best exposures to handle through cyberliability insurance are data privacy and consumer data, such as personal health records, or service providers handling other customers’ data,” Floresca says. “These policies address that exposure well. Credit card data has further coverage for that industry’s penalties and fines. That’s an area that can be really expensive.”
Clearly, these policies have a lot of details that need to be scrutinized very closely. But it can be just as important to focus on what isn’t in the policy. “When you’re looking at a policy, find out what is excluded,” Schwartau says. “Looking at what isn’t covered is as much of value in assessing a policy as what is covered.” Also be aware that no two policies are the same. They’re as different as the networks and the data that they’re covering. Every business has a unique risk profile. After thoroughly researching the matter, some organizations may even find that it doesn’t make business sense to get a policy.
“At the end of the day, it comes down to TCO and ROI,” Schwartau says. “Does it make business sense? What’s your risk? What’s your exposure? What’s in your database? Is it worth it for a bad guy to go after it? You need to know your risk. That’s the starting point for any insurance consideration.”
“No one wants to exercise a policy, but it’s good business practice — and it is becoming more standard as cyberthreats continue to evolve,” Schwartz says. “There are always going to be some costs associated with a cybersecurity breach. But a cyberliability policy is a good contingency to have in place. Every business has general liability insurance, and now that same mentality needs to evolve to cover cyberrisk.”