Cyber Insurance –Protecting Your Company from a Breach
The prospect of cyber breaches keeps North Texas corporate executives awake at night -- with good reason. Cyber Insurance is quickly becoming one of the most asked about types of insurance coverage. Unfortunately, the solution those executives look to, insurance, can be problematic on several fronts.
Through Sept. 16, some 546 breaches have become public this year, with more than 18.9 million records exposed, according to data compiled by the Identity Theft Resource Center. That represents a 28.4 percent increase over the same time period last year, when 425 breaches had surfaced publicly, the Center says.
The monetary cost is huge for dealing with electronic breaches. All told, the total average cost that organizations pay for data breaches is about $5.9 million, up from $5.4 million last year, according to a Ponemon Institute study sponsored by IBM. That works out to a cost per record of $201, up from $188, the study shows.
While big breaches at companies like AT&T grab most headlines, entrepreneurial companies across the Dallas-Fort Worth area are getting hit hard. Just this year, cyber security problems have surfaced everywhere from Snelling Staffing, Placemark Investments, Neiman Marcus and Michaels Stores to Methodist Dallas Medical Center and Sally Beauty.
Little coverage from commercial general liability
As both the number and cost of data breaches rise, the insurance industry is pushing customers to purchase policies specifically geared for cyber-related issues. The message from both the industry and the courts is becoming clear: Insurance customers should not necessarily expect carriers’ traditional products, such as commercial general liability policies, to cover cyber-related issues.
“This is because older liability forms were drafter before electronic breaches became a material risk, while many recent forms now specifically exclude cyber liability,” says insurance coverage attorney Ericka Bright of Wick Phillips.
Courts throughout the country have taken conflicting positions on whether commercial general liability policies cover cyber-related exposures.
To help avoid coverage disputes, companies should purchase policies specifically tailored for cyber breaches.
Unfortunately, these insurance products can pose several problems:
- Quantifying losses: Many of the problems that companies suffer from cyber breaches are intangible, such as lost business or damage to their brands, according to the New York Times. In a June 2014 piece, the newspaper pointed out that the retailer Target suffered a 46 percent reduction in profit after a breach of its point of sale system late last year, in large measure because the cyber issues scared off some customers.
- Getting enough coverage. Target had about $100 million in insurance coverage tied together via several carriers, and had tried to get more, the Times reported. Analysts have forecast that Target’s total damages from the breach could hit $1 billion. But the most that any business can hope to get in coverage is closer to $300 million, the newspaper said.
- Covering first-party costs. Though executives fear third-party litigation from data breaches, the costliest issue involves first-party matters after the breach, such as notifying customers and doing on-going monitoring of their credit records. These first-party issues are regulated by state, county and local governments, each of which has its own rules and regulations to comply with. Beyond that, some cyber policies cover first-party expenses, while some don’t.
- Exclusions, and terminology, vary. The insurance industry lacks common terminology for matters such as notifying carriers of breaches, public relations expenses and forensics. Policies can also vary dramatically in what types of coverage they exclude, such as acts by rogue employees, bankruptcy, paper records and the use of mobile devices that lack encryption.
- Sparse coverage for health care, retail, financial. Companies in highly regulated fields such as health care and financial services may find cyber insurance to be pricey and hard to find. Conversely, industries with minimal cyber exposure, such as agriculture, construction and publishing, will have an easier time getting affordable coverage.
What to look for in cyber insurance
Here are a few pointers to consider in buying coverage for electronic breaches:
- Get enough coverage. Make sure policy limits and deductibles are adequate.
- Seek coverage for vendors’ miscues. A vital component of any cyber policy is coverage for vendors’ acts and omissions. Most entrepreneurial companies farm out at least a portion of their information technology operations. If a carrier’s prospective policy doesn’t include such coverage, ask for it.
- Get help. Language in insurance policies is technical and difficult to understand for a layperson. It’s important to have both a broker and an experienced insurance lawyer review any policy that a company may be considering.
Attackers in cyber space are increasingly moving faster than defenders, and the gap is widening, according to a recent Verizon report. With small businesses increasingly becoming the top targets of cyber espionage, having the right data insurance is critical.
But with the broad range of cyber products on the market, it’s important to shop around and to have the right risk managers in your corner.
Please let us know if we can help.