Home Depot, Michaels, eBay, Target, Neiman Marcus, Veterans Affairs, Sony, JPMorgan Chase. Or in a word… data breaches.
Cyberinsurance is hotter than the Geico Gecko sunbathing on a rock in the Mojave at high noon. Too much? Anyway, the point is that in less than a decade corporations have gone from “What’s cyberinsurance?” to “Cost of doing business.”
In her extensive story on northjersey.com, The Record’s Joan Verdon explores the many aspects of cyberinsurance from cost to coverage. The following has been excerpted from her piece and edited to fit our format. You may find the complete, unedited version by clicking on this link.
What is cyberinsurance?
- Cyberinsurance policies typically protect businesses from costs incurred through data breaches or shutdowns of computer systems.
- In data breaches, the policies cover costs of investigating the breach, notifying affected parties, legal expenses and related fines.
- Businesses are seeking coverage for both “first-party” risks, such as notification costs, and “third-party” risks, such as class-action lawsuits brought by credit card holders.
- $200 million is the typical maximum for coverage, with several insurers “stacking” policies to add up to that amount, rather than one insurer taking on all of the risk. But some companies are starting to offer “catastrophic” cybercoverage for larger amounts.
- Insurance companies require businesses to meet certain standards for data security and monitoring before they will provide coverage.
Up over 200 percent on cyberpolicies
[Robert Morris, president of Rampart Group insurance brokerage, offers:] “We’re up over 200 percent on cyberpolicies since last year, and it’s still growing rapidly.”
Bad news is good news for cyberinsurers
[News] that JPMorgan Chase, the financial giant with a reputation for investing heavily in data security, had been breached and that addresses and phone numbers connected to 83 million household and business accounts had been stolen reinforced fears that no one is safe from cyberattack.
News of the Chase breach came 11 months after Target, the nation’s second-largest retail chain, was hit by a holiday-season hacking that compromised some 40 million credit and debit cards. The total cost to Target of that attack is expected to top $1 billion. Home Depot, Neiman Marcus, [and] eBay, as well as smaller retailers, also have been breached.
Retail and bank breaches involving payment cards get the most publicity, but any place that handles confidential or financial information — hospitals, law offices, government agencies — [has] to worry about cyberleaks.
Ponemon Institute and PwC cybercrime numbers
[Ponemon observes that] cybercrime has cost a sampling of 59 U.S. companies an average of $12.7 million this year, up roughly 10 percent from last year’s average of $11.6 million. This year’s average includes two companies that were each hit with more than $50 million in cyberattack costs.
The accounting firm PricewaterhouseCoopers reported in September that data breaches increased 48 percent this year, with 117,339 attacks occurring each day around the globe.
Cybercoverage plans vary with different businesses
American International Group, Chubb, Travelers and other large insurance carriers have rolled out corporate cybercoverage plans. Warren-based Chubb has developed a number of specialized cybersecurity products, including policies designed for health care organizations, lawyers and small businesses. Marsh, the insurance brokerage division of Marsh & McLennan Cos., last month announced it would provide catastrophic cyberattack coverage for large companies that want an additional $300 million in coverage above the first $100 million in costs, which the company would be expected to cover.
Rates all over the map
Experts say the costs of cyberinsurance vary greatly and depend on the number of records or amount of data a company collects and needs to protect. Panelists at the Black Hat and Def Con conventions in Las Vegas in August said standard rates are $20,000 to $25,000 for $1 million of coverage.
Tom Ridge, the first U.S. homeland security chief, said last week that his company, Ridge Insurance Solutions, was joining with the venerable Lloyd’s of London to offer cyberattack insurance. The Chase breach, Ridge said at an appearance in London reported by Bloomberg News, scared corporate executives around the world.
“Who would have thought that JPMorgan, with its security budget, could be hacked into,” Ridge said. “Now a lot of people are thinking, ‘If it could happen to them, it could happen to us, too.’ ”
How do cyberinsurers arrive at a pricing structure?
One problem insurers face, however, is knowing how to price a policy based on anticipated risk when information about the impact of cyberattacks is limited.
“The problem is there’s not enough actuarial data to tell us how many attacks there are going to be and what’s going to be the cost of the attack,” said Rampart Group’s Morris.
If a company comes to an insurer seeking fire insurance, Morris said, “they know what’s going to burn, within certain parameters because they have the statistics for hundreds of years. We don’t have that in cyber at all. Not even close.” That causes prices for policies to be “all over the place.”
Rampart Group brokered its first cyberinsurance some four or five years ago, Morris said. The policies, however, have become far more complex and sophisticated since then. Insurers now provide coverage packages that help a company notify customers of a breach, that provide forensic accounting services and credit-monitoring services and that pay for public relations or legal assistance.
Morris said Rampart Group itself pays for cyberinsurance coverage as part of its business insurance because it needs to protect itself if any confidential information on its customers is breached.
A cost of doing business
[HiTouch Business Services, an office products and services company,] has never had a breach, but the company has had cybercoverage since it was founded in 2010.
“We had a very small policy from Day One, and we’ve kept increasing it every year,” [said Michael Palmer, HiTouch’s CEO.]
Recently, HiTouch has seen that its larger business customers, who enter into contracts for large purchases or services, want to deal with vendors who have cyberinsurance. “Their legal departments are saying these are the insurances every vendor you have must carry,” Palmer said.
Cyberinsurance could improve security
Industry experts say the drive for cyberinsurance should help strengthen corporate cyberdefenses in the same way that insurance companies years ago led the push for uniform building codes and code enforcement to reduce fire and property liability risks.
What about coverage for consumers?
The growth in corporate cyberinsurance is causing some insurance companies to also look at cyberinsurance riders on personal life insurance or homeowners policies, coverage that would provide reimbursement in cases of identity theft, stolen information, or even lawsuits linked to social media misuse.
Morris said he is trying to develop a personal cyberinsurance policy to provide $500,000 to $1 million in coverage for a premium of about $200 a year. The coverage could protect someone who might be sued because of something a family member posted on social media or bring in digital-reputation repair experts if the policy owner is attacked on social media.