Thursday, April 25, 2024

A Good Policy

Once a novelty, data-breach insurance has quickly become a must-have. It won’t offset all the expenses associated with a cyber attack, but it can ease a lot of pain.

There is one inescapable truth for any company that handles consumer data: at some point it will be targeted by hackers looking to steal that data. This persistent threat makes cyber-liability insurance a necessity. Without it, a company that has been attacked can be on the hook for paying damages out of pocket to affected consumers, in addition to fines and remediation costs.

Of those payouts, remediation can arguably be the most costly. Companies victimized by a data breach, denial-of-service attack, or ransomware attack must fund an ongoing public-relations campaign to regain the public’s trust, mount an internal investigation to determine which weakness was exploited, and install new technology and security controls to prevent future attacks.

Globally, the average cost for companies experiencing a data breach was $3.62 million in 2017, according to a study by Traverse City, Mich.-based Ponemon Institute. While that amount was down from $4 million in 2016, companies experiencing breaches are seeing more records stolen or compromised than ever.

During the first six months of 2017, there were 918 data breaches affecting 1.9 billion records, more than 1.5 times the number of records exposed in 2016, according to Amsterdam-based data-security provider Gemalto.

“Data-breach insurance is becoming a necessity because of the high costs associated with the fallout from a breach,” says Robert Siciliano, a Boston-based data-security expert. “The more sensitive the consumer data a company handles, the more it has to lose from a cyber event.”

Spreading Out Risk

The financial damage caused by a cyber attack is so great that more transaction processors, merchants, and financial institutions of all sizes are taking out policies than ever before, according to insurance providers. Every major insurance carrier offers cyber insurance, including Chubb Ltd., The Hartford, and Travelers, as well as dozens of smaller carriers. “Any carrier offering business insurance would be foolish not to be in this market segment,” Siciliano says.

While reimbursable expenses vary by carrier and policy type, most policies cover legal fees, fines, and the cost of notifying customers of a breach and monitoring their credit. Coverage can also include network-security liability, breach response, damages awarded in lawsuits, forensics to determine why the event occurred, data loss, and lost business revenue.

While cyber-liability insurance typically doesn’t cover the entire cost of a data breach, it can significantly reduce the financial hit a victimized company incurs. For companies in the world of digital payments, that protection can make the difference between surviving an attack and being put out of business.

Equifax Inc., which suffered a major breach in 2017 that reportedly cost the credit bureau $439 million that calendar year, reportedly had a policy covering $125 million of those expenses. Global Payments Inc., which reported a breach in 2012, had a policy that covered $30 million of the $121 million in associated costs.

Companies taking out cyber insurance typically purchase at least $1 million in liability coverage. Many will opt for tens of millions in coverage, and some policies are written for hundreds of millions of dollars, says Tim Francis, enterprise cyber lead for Hartford, Conn.-based The Travelers Companies Inc. When a policy exceeds $10 million in coverage, it is underwritten by multiple carriers. “That’s how insurance companies spread out their risk,” Francis says.

Cyber-liability coverage has evolved so far since being introduced more than a decade ago that companies can customize their policies from a menu of options that include network-security liability, breach response, losses due to business interruption, data loss, and cyber extortion.

This last hazard is becoming more common as hackers launch ransomware attacks, which hold a company’s data hostage by encrypting it and withholding the decryption key until the ransom is paid. Extortion does not always involve encryption, however. In 2016, Uber Technologies Inc. reportedly paid hackers $100,000 after they accessed the names, email addresses, and phone numbers of more than 57 million customers and drivers.

Uber paid the ransom on the strength of the hackers’ promise that they would delete the stolen information once they were paid. The ridesharing company then tried to keep the incident quiet, but Bloomberg News broke the story about a year later. It is not known for certain whether Uber had cyber insurance.

When dealing with a ransomware attack, Travelers will bring in a team of experts to assess whether the hackers will free the data being held hostage and negotiate a settlement with them. “Sometimes it is determined that the data is not retrievable even if the ransom is paid,” Francis says.

Indeed, some hackers will delete the data or keep copies of it to be sold on the dark Web after the ransom is paid. “Our ransomware experts determine whether the data being held hostage is retrievable before any money is paid,” says Francis.

Less Guesswork

While the cost of a cyber-insurance policy varies based on the amount of the coverage, premiums are becoming more stable because, after writing policies for more than a decade, insurance carriers can better predict what the financial fallout will be from a cyber event.

“Loss ratios are understood much better by carriers than they were several years ago, so premiums are not as high,” says Robert Halsey, a director with RGS Ltd. LLC, a Troy, Mich.-based insurance broker. “When cyber liability was first introduced, there was more guesswork about how to price it because the cost of the risks was not as well known.”

As part of the underwriting process, carriers typically perform a risk assessment of a company’s cyber security, not only to determine what weaknesses exist but also to create a blueprint for correcting those deficiencies before the policy is purchased.

The Hartford, for example, uses four main criteria when underwriting a policy: what data assets a company holds, how those assets are being protected, how the company identifies cyber threats, and how it responds to them. Applicants are then measured against peers that have been assessed using the same criteria, says Tim Marlin, head of cyber and professional liability for The Hartford.

“A company handling highly sensitive data is going to undergo a more extensive underwriting process than a company handling less sensitive data,” says Marlin. “That is why there is no one-size-fits-all policy or pricing. How each policy applies to each customer is unique.”

In addition to evaluating a company’s security weaknesses, Travelers will also look at its security strengths, which can help lower the premium and, in some cases, raise the amount of coverage that can be purchased, Francis says. Travelers will also perform a more streamlined underwriting review before renewing a policy. Policies are in force for 12 months.

When a cyber event occurs, carriers provide policyholders with access to a variety of advisory services through third parties that help the policyholder navigate all the unforeseen issues that pop up. One of those issues is abiding by state law when a breach occurs. Each state has its own laws regulating how a company must report a breach, notify consumers whose data has been stolen, and provide access to credit-monitoring services.

Failing to comply with laws in the states where affected consumers live can bring the wrath of the state attorney general and a class-action lawsuit by affected consumers.

Says The Hartford’s Marlin: “We make attorneys available to policyholders to guide them through the state laws and deal with a class-action suit. Their in-house counsel does not always have the expertise to navigate these types of issues.”

Carriers also make forensic experts available to assess what went wrong and what steps need to be taken to prevent future attacks. The Hartford offers policies that provide funds for improving data security after a breach. “Our aim is to make sure a policyholder is more secure after an attack than they were before,” Marlin says.

Many carriers will also write policies that provide coverage in the event a third party that has access to the breached company’s network inadvertently opens the door to hackers.

Small Targets

Large financial institutions, processors, and merchants aren’t the only entities in need of cyber-liability insurance. Small and mid-size merchants and independent sales organizations are also being targeted by hackers.

Of the 34,000 cybersecurity incidents that occur daily in the United States, small and midsize companies are targeted 61% of the time, according to Verizon Enterprise Solutions’ 2018 Data Breach Investigations Report.

In addition, a joint poll from Insureon, a Chicago-based provider of cyber-liability insurance, and Manta, a Columbus, Ohio-based provider of education and marketing tools and other resources for small businesses, found that 76% of the small businesses surveyed don’t keep customer data on file. Even so, it showed they may still store information that’s more sensitive than they realize.

For example, a bakery accepting credit cards could be breached by hackers through its point-of-sale system if it is not properly protected, says Insureon President Jeff Somers.

“It’s an unfortunate fact in modern business that no one is safe from cyber threats,” Somers says. “For many small businesses, cyber-liability insurance is available as a standalone policy or as an add-on to their business insurance policies. Depending on an organization’s needs, our customers choose first-party or third-party cyber-liability insurance or a combination of both types of coverage.”

‘A Worthless Piece of Paper’

While insurance can buy processors, merchants, and financial institutions peace of mind, data-security experts recommend they have intimate knowledge of the terms of their policy before they have to make a claim.

“Companies should know exactly what’s covered in their policy and what’s not so there are no loopholes that prevent coverage from kicking in when needed,” says Russell Schrader, executive director for the Washington D.C.-based National Cyber Security Alliance. “Don’t assume your policy can cover a specific event, such as ransomware, until you need to make a claim.”

When choosing an insurance carrier, a best practice is to start with an insurance broker that can assess the company’s liability needs, flesh out all the ways its network can be breached, and determine how much insurance the company needs and what kind of deductible it can afford.

Armed with that information, the broker can then match the company to an insurance carrier. In some cases, a company may need to purchase coverage from more than one carrier.

Finally, with the threat of breaches steadily rising, businesses need to be aware that taking out a cyber-insurance policy does not mean they can stop upgrading their network security.

“The number of cyber attacks is going to keep growing,” says Schrader of the National Cyber Security Alliance. “Liability coverage can be tricky to understand, and the last thing any company victimized by a hacker wants to be told is that their policy is a worthless piece of paper because they didn’t follow their carrier’s compliance guidelines.”

Cyber Liability by the Numbers

An analysis of 419 companies in 13 country or regional samples showed that:

$3.62 million is the average total cost of a data breach

$141 is the average cost per lost or stolen record

27.7% is the likelihood of a recurring material data breach over the next two years

Source: Ponemon Institute


Digital Transactions