By Michelle Harven
Data breaches cost companies millions upon millions of dollars. Target calculated it lost $148 million in its 2013 data breach, which includes a $10 million class action lawsuit. After seeing a company fall so hard and hearing the numbers, it’s no wonder cyber insurance has been selling at an increasing rate.
According to a 2013 Lloyd’s of London’s risk index, cyber risk has moved from No. 19 in 2011, which was seen as non-malicious, to the world’s No. 3 risk overall.
Companies are discovering how much a data breach could affect their bottom line and are quickly buying insurance to protect themselves from the inevitable. According to the Boston Globe, one in three companies now have cyber insurance, which jumped 20 percent last year.
“There’s no other part of the insurance industry that’s growing like cyber,” said Matt McCabe, senior vice president at MARSH, a global company in insurance brokering and risk management. “The amount of clients that we have purchasing have increased double digits over the past three years.”
(credit: MARSH Global Analytics)
“More companies sell it and more customers buy it,” said Anne Tobin, agency manager at the The Number One Insurance Agency in Massachusetts. Tobin was was also one of the customers affected by the Target breach. She said the cost of a breach like Target is layered.
First, the company is dealing with its own system and making sure it’s restored to where it should be. Secondly, it’s notifying all the individuals and the departments in individual states that require notification during a data breach. Finally, there’s the handling of monitoring.
“A lot of times [the company] agree[s] to monitor the financial accounts and stability of folks that were breached so they can get a financial score on themselves all the time and make sure things aren’t taken,” said Tobin. “To have that watched, there’s a fee. And there’s also the situation where the hacker has taken money out of someone’s account and you have to work through the legal ramifications that cover those losses also, so it’s pretty complex.”
The complexity of all the costs that come with a breach is one of the biggest reasons companies need insurance. It’s also something Josephine Woolf, a fellow at the Berkman Center for Internet and Society at Harvard University, said is what is creating challenges for insurance companies. She said the market is just too new for these insurance companies to know how to insure data breaches.
“We are really notoriously unbelievably terrible at figuring out how much these incidents cost,” said Woolf. “You think about something like a large data breach, sometimes there’s a very direct financial tie and that’s with someone’s credit card information and using that to manufacture fraudulent credit cards, so you can track how much fraud happens. But then people start saying the reputational costs are enormous, they’re never going to do business again. Part of it I think is media inflating how disastrous these are sometimes, part of it is the complications of all the different after-affair costs.”
Arthur W. Coviello Jr., the retired chairman of RSA, a global security company, said with the quick moving tech industry, it’s difficult for insurance companies to foresee what’s going to happen. “I met with some of the largest insurance companies. They have a superficial understanding,” said Coviello. “They’ve had decades to understand how it floods in Cohasset during a storm, they have weather patterns, they’ve been doing this for decades. You think they know what’s going to happen with the Internet of Things?”
Woolf agreed that cyber breaches haven’t been going on long enough for insurance companies to know all the after-effects or what’s to come in the tech world. She said they don’t have the data to know how much money is actually being lost or how frequent these incidents will be.
“The question of how much of a loss should be paid out to Target, how much of a loss should be paid out to Visa, and how much of a loss should be paid out to you is a really, really thorny one,” said Woolf. “And of course everyone in this story believes that they are bearing too much of the cost and the other guys should be paying them back.”
The Target example is one that references third-party insuring, whereas cyber insurance expands to both first- and third-party insuring agreements.
“A lot of the things that are in the press involve the third-party liability side,” said Nicholas Pasciullo, chair of the Cyber Insurance Practice Group in Pennsylvania. “This would be the privacy breachers, the hospitals, the retail places where someone goes in and takes third-party personal data.”
The cyber insurance that deals with those breaches is primarily for the cost of responding: taking care of responses to customers, monitoring credit scores, and paying for damages.
However, Pasciullo said the bigger issue lately has been with first-party insurance, which is protecting against the loss of access to the company’s data and also covers things like direct theft.
“They’ve had a difficult time because there’s no best practices,” said Pasciullo, “The companies or entities are too diverse; they have no ability to meet one specific standard.”
Pascullo said the National Institute for Standards and Technology has been trying to set standards for protecting electronic assets and has been struggling. Pasciullo said the institute actually provides conflicting advice in its best practices, so the insurance industry has been unable to create policies using their typical system.
Without much guidance from their normal resources, insurance companies are adapting by modernizing the way they insure. Pasciullo said insurers would normally just check off whether or not a company was protecting itself, now they do it the other way around. Companies tell the insurance agencies what they have in place for data protection.
“To me that was a change that was long overdue,” said Pasciullo, “It really revolutionized the way the insurance companies operate, and it’s because it’s the nature of the electronic data and the nature of security at this point.”
However, some say the cyber insurance companies do have enough data to know how to insure companies and have been doing it for long enough to have efficient policies in play.
“We’re now 10 years down the road into large data breaches and there are some very sophisticated economic modelings on data breaches at MARSH,” said Senior Vice President Matt McCabe. “I don’t understand somebody who would say that cyber insurance really is not developed and doesn’t know how to insure a company and these perils. We do it all the time. There have been claims made and the claims have paid out. That sounds like a success story to me.”
McCabe says these cyber policies come with a whole response plan package built for keeping a company afloat after a breach. Companies are supplied with a data breach coach, forensic services, call center services, credit monitoring, and ID theft restoration.
McCabe agreed that the product is going to develop further. “We’re probably right at the starting point of this,” he said. “It’s a time of great education in the industry, great expansion in the industry, and it’s a time of development of new solutions. More products are being developed for more diverse sectors of the economy and that of course is feeding into the overall growth.”
There are new challenges that come up every year with a hit because the ways that a company is affected keeps changing. Along with measured financial losses, many companies also face a loss of reputation and market value, which is something that insurance agencies do not cover at this time. There are always other questions, such as what happens when someone’s intellectual property or patent is stolen, which is still too complex for insurance policies.
Woolf said cyber insurance companies may look completely different in 10 to 20 years. It’s true that cyber has thrown the insurance companies for a loop and it may be reworked along with the rate of change in technology. With more companies needing and buying cyber insurance, the market is a lucrative area to be in, but still an evolving one.
(Photo credit: GotCredit)