
Cyber security insurance: Insuring success

It was a letter from his wife's old community college that made Alex Deshuk particularly happy that his city had invested in cyber insurance. 

As the manager of technology and innovation for the city of Mesa, Ariz., Deshuk last fall led the team that made the decision to purchase a cyber insurance policy to cover the city. Not long afterward, Deshuk's wife received a letter from Maricopa Community Colleges, where she had taken classes two decades before, informing her that the community college's database had been hacked and that records going back to her time there and beyond might be at risk. The college incident highlighted the concern that Deshuk shares with many other IT security professionals: In the case of a major breach, aside from better security tools and tactics, what can an organization do to better protect itself? For an increasing number of organizations, the answer is to buy cyber insurance.

“Our biggest concern was protecting the information of our citizens,” says Deshuk, adding that Mesa's policy not only limits the city's exposure in the case of a breach, but also provides coverage to assist residents if their personal information sitting on the city's computers is compromised. The $5 million policy, which Mesa had underwritten last fall by ACE Group, is “fairly complicated,” says Deshuk, but it generally offers the city protection and coverage in the case of an online exposure.

Cyber insurance policies were introduced little more than a decade ago, but have become wildly popular in just the past few years, as news of devastating (and increasingly expensive-to-rectify) exposures becomes the stuff of daily local and national headlines. Not many people outside of Arizona may know of the Maricopa Community Colleges record breach, but a person would have to be hiding under a rock not to have heard of the Target breach that compromised the personal information of 40 million customers in late 2013. Similar high-profile breaches at Michaels, Neiman Marcus, LivingSocial, the Washington state courts and many other companies and government agencies have spotlighted not only the increasing likelihood that virtually any organization may be hacked, but also how expensive cleaning up those incidents can be. Case in point: Target probably will have to pay out as much as $2 billion just for credit monitoring provided to customers, according to Vormetric.

While Mesa was already far along in its process when news of the Target breach broke, Deshuk says, “Those [major] breaches made it easier for us to move forward more quickly. When you think about it, the cost per million [dollars of coverage] is relatively inexpensive compared to other liability insurance in what it covers.”

Close to one-third of companies already have a cyber insurance policy, based on reports from consulting firms. For example, according to a 2013 Ponemon survey of nearly 19,000 security and risk management professionals, 31 percent say their companies have cyber security insurance policies and 39 percent say they are planning to purchase one. And the number of cyber insurance policies sold in 2012 increased 33 percent compared to the previous year, and jumped another 20 percent in 2013, says New York-based insurance brokerage firm Marsh LLC.

Why such interest now? Executives are waking up to the notion that even if they are not the next Target (pun intended), the cost of cyber liability coverage is quickly being outpaced by the cost of improvements and, in many cases, legal settlements. According to a 2013 NetDiligence study reviewing only the legal costs associated with 29 separate hacking incidents, defense expenses ran as high as $10 million and settlement costs as high as $20 million (mean costs were $575,000 and $258,000, respectively). An earlier study by the Ponemon Institute found that the average data breach cost $5.4 million in 2012, up 26 percent from the previous year. Add to that at least two recent court rulings – one in New York and another in Washington state – that have supported the notion that the compromise of personal information stemming from these breaches is not covered under traditional liability insurance policies.

“The whole area of cyber insurance has matured quite a bit in the last three to five years,” says Larry Ponemon, chairman and founder of the Ponemon Institute. “It sounded like a good idea 15 years ago, but [today] you're in a world of hurt if you don't know what your exposure is going to be.”

OUR EXPERTS: Business protection

Stephen Boyer, co-founder and CTO, BitSight 

Alex Deshuk, manager of technology and innovation, city of Mesa, Ariz.

Ken Goldstein, VP and global cyber security and media liability manager, Chubb Group of Insurance Companies 

Lysa Myers, security researcher, ESET 

David Navetta, partner, InfoLawGroup 

Larry Ponemon, chairman and founder, Ponemon Institute

More insurance companies are writing these policies too: Cyber insurance has gone from just a niche product offered by a small handful of insurance carriers to a high-profile offering hawked by more than two dozen major insurers, including AIG, Liberty Mutual, Chubb Group and Marsh & McLennan. Chubb's cyber insurance business, started in 2001, has been seeing double-digit growth, according to Ken Goldstein, vice president and global cyber security and media liability manager for the Chubb Group of Insurance Companies. “We continue to see companies of all sizes in a broad array of industries looking to transfer third-party liability and first-party expenses related to cyber risk,” says Goldstein. “This includes, among other things, coverage for unauthorized access to private and proprietary information, crisis management and privacy notification expenses, business interruption and extra expense, contingent business interruption and extra expense, system failure, regulatory defense and fines, penalties and consumer redress and PCI data security assessments.”

Ponemon says that in recent years, underwriters have gotten “really smart about this area,” as there is more activity focused on measuring risk. Likewise, organizations are realizing that their traditional insurance may not do them much good in the case of a major breach. “A lot of organizations to this day believe that their property and casualty insurance covers this, there's still that myth and they have a belief that they are okay or they can self-insure or it won't happen to them,” says Ponemon. “They are in la-la land.”

Stephen Boyer, co-founder and chief technology officer for BitSight, which develops ratings on companies' cyber security performance (akin to FICO credit scores), says that with tools and services like his own, insurers are developing the ability to better gauge the cyber risk of the organizations they underwrite. “The insurance world is not that dynamic and we're seeing a lot of new faces in the last year as [insurers] are seeing the opportunity and the growth in cyber-liability insurance.”

In the market 

The headlines about breaches at Target and Neiman Marcus are sending more retail businesses to seek out cyber coverage, say experts. But that is not the only sector where this type of insurance is finding favor, and it's not just popular among the large chains and national players either. Goldstein says Chubb is underwriting policies for a relatively diverse group of organizations, including financial and health care organizations, hotels and restaurant chains, and service providers as well as retail chains. “Of course, any company that collects, stores or transmits private or proprietary information has a cyber security exposure,” Goldstein says, “and should consider whether a cyber insurance policy is right for its needs.”

David Navetta, partner of the InfoLawGroup, Denver, who helped develop cyber insurance products at AIG at the start of last decade, believes we are “only just approaching the upward ramp of the hockey-stick curve of growth in demand for these policies.” He is seeing interest in online coverage moving down-market to small- and midsized companies as they are realizing that they carry risk – often for their own company and information, as well as the larger companies to which they provide services. 

Ponemon agrees, saying that in many cases procurement officers at larger companies are starting to demand that their vendor companies have a cyber insurance policy in place to ensure not only that they are covered, but that they have gone through the due diligence that comes with having the policy written. In addition, Ponemon says, he is also seeing marked interest from virtually any concern that deals in high-value intellectual property – such as defense or aerospace contractors and biotech companies.

More companies are buying cyber insurance, and they are also buying more coverage. Cyber insurance limits purchased in 2012 averaged $16.8 million, 20 percent higher than 2011, according to Marsh LLC. 

While the metrics for determining risk are improving, they are still a work in progress. Hence, the cost and amount of coverage still vary widely among the insured. Goldstein says that small businesses will typically pay an average annual premium of between $2,000 and $15,000 for $1 million of cyber liability coverage. For large businesses, the cost for each $1 million of cyber liability coverage would range from about $17,500 to $50,000 or more.

Ponemon agrees that annual premiums in the $12,000 to $15,000 range are about on par (62 percent of respondents in the Ponemon survey believe the premiums are fair given the nature of the risk). Navetta says the cost of insurance premiums has gone down over the past five years as the number of insurers offering this type of coverage has grown exponentially and the business has become more competitive.

Deshuk recommends the purchase of cyber risk insurance from Illinois Union Insurance Company with a coverage of $5 million per occurrence and a $75,000 deductible. The cost of this policy is $37,919.

Policies can also vary in terms of what they specifically cover, but according to Navetta, there are typically three main “insuring agreements” that policies tend to include. The first insuring agreement relates to the response to a breach that affects personal information. This typically covers the cost of lawyers or third-party investigators who have to step in, as well as the potential cost of mailing notifications to affected customers and even – sometimes – offering those customers credit or benefits to offset their inconvenience. Sometimes, this part of the policy will extend to cover call-center activities or elements of crisis management. The second insuring agreement covers third-party claims that may arise as a result of the breach – lawsuits by customers, patients or business partners who have suffered costs or compromise from an exposure (say, if a bank sues a retailer for having to reissue credit cards after the retailer is hacked). The third insuring agreement can cover so-called cyber extortion scenarios – wherein a hacker breaks in, encrypts a company's database and holds it for ransom.

As insurers vie for business, there are fewer exclusions than there used to be in these policies, but they still exist and can often surprise policyholders who don't read the fine print. Goldstein says standard exclusions might include patent infringement; code infringement; return of fees (disgorgement); or costs and expenses incurred to replace, upgrade, update, improve or maintain a system. Insurers also might exclude coverage for situations where information is compromised because an employee used unencrypted media, like taking a client list home on a data stick, or where a disgruntled employee absconded with access codes or personal information. And perhaps the qualification giving the most pause: The majority of policies set firm timeframes in which to report a breach, even though many breaches take weeks or months to discover. Among the 30 percent of Ponemon study respondents who said they had no interest in purchasing a cyber insurance policy, one of the key issues was concern about too many exclusions, restrictions and uninsurable risks.

Not if, but when

Just as IT security professionals have come to learn that the likelihood of a breach is less about if it will happen and more a question of when, the same could potentially be said for securing cyber liability insurance – it's not a question of if most organizations will opt to purchase it, just when they will. The concern is no longer that a major breach will cost a lot or drive away customers or give the company a bad reputation. Rather, it has become do or die for many companies given the financial and legal aftermath. 

“The benefit simply comes down to risk transference,” says Lysa Myers, security researcher at ESET, a global IT security company. “In a time when the risk of a breach grows faster than most companies' ability to defend against them, transferring the financial risk with insurance coverage can give companies enough cushion in order to survive the hit caused by such an event.”

Cyber insurance can help companies pay for the expenses incurred in a cyber liability lawsuit and potential indemnification costs, says Goldstein. In addition, it can help cover many of the costs associated with a data breach, such as notification and credit-monitoring expenses or the cost to conduct a forensic examination to help determine the cause of the breach, he adds. “Executives should also consider the importance of risk management and loss prevention tools that are offered by some insurers as well,” Goldstein adds. For instance, Chubb provides its cyber insurance customers with access to eRisk Hub, an online site that provides a template to help develop an incident response plan, access to a data breach attorney and recent articles, whitepapers and other risk management tools. 

Indeed, the preparation and due diligence that goes into the underwriting process often forces organizations to take a closer look at their own network security policies and practices, which in turn can lead to becoming more secure. In fact, 62 percent of organizations in the Ponemon study believe obtaining cyber insurance has made their company better prepared to deal with security threats.

“Nothing will totally mitigate our risks here,” says Deshuk. “But these policies help and they are going to grow.”
