Cyberinsurance: Products Mature But Still Underused

September 27, 2012 – In The News
Risk Professional

The bad news keeps coming. Every month, some company somewhere is hacked and loses confidential data. A storm of negative publicity -- and lawsuits -- quickly follows. Everyone is a potential target, and nobody is safe. Yet, according to a global survey by PricewaterhouseCoopers, the majority of companies don't have cyberinsurance in place.

Some don't know that specific coverage is available, or they mistakenly believe they are sufficiently covered by existing liability policies. Others assume -- dangerously -- that their security is tight enough to prevent a breach, or that they are too small for malicious or criminal hackers to bother with.

Verizon Communications, in its 2012 Data Breach Investigations Report, counted 855 incidents last year, with a total loss of 174 million records. Financial losses in each instance ranged from a few dollars to more than $100 million, and at least four companies went out of business as a result of a breach.

Year-to-year trends vary, but the overall direction is not encouraging. For 2010, Verizon reported a record low of 4 million records lost in 800 breaches. That represented a lull between the case of credit card processor Heartland Payment Systems in late 2008, which accounted for 300 million of that year's 361 million compromised data records; and 2011, when hacking into the PlayStation platform affected more than 100 million customer records, cost Sony Corp. $6 billion, and prompted more than 55 lawsuits.

The average cost per lost record was $194, according to a March 2012 report by Ponemon Institute, or an average of $5.5 million per company, plus $3 million in lost-business costs. The Ponemon study does not include companies that lost more than 100,000 records "because they are not representative of most data breaches, and including them in the study would skew the results," the researcher said.

Like many companies in such situations, Sony had only general liability insurance coverage, which does not cover cyber breaches. That point was made clear when Sony's insurer, Zurich American Insurance Co., filed a lawsuit to assert that it didn't have to defend the electronics giant in court or pay for damages.

Not only was Sony sued by its own insurance company, but it also became the target of a class-action suit by users who were upset that Sony added a "no suing us" clause to its terms-of-service agreement after the breach occurred.

Deep, and Not So Deep, Pockets

Breaches aren't just about credit card account numbers stored by big consumer-focused companies. Any firm keeping personally identifiable information, even if only about their employees, is at risk, as are small companies providing services to larger organizations that involve handling sensitive data. Exacerbating smaller companies' risks is the fact they do not have the financial cushions of their larger counterparts.

"When Sony got hacked, when a bank gets hacked, they just pay for it," said Dan Weedin, a Seattle-based insurance consultant with Toro Consulting. "Small businesses aren't set up for that."

He cited a recent example in which a hacker added nine fictitious employees to a company's payroll. "By the time they caught it, they had no way of getting that money back," he said. "That could put someone out of business."

Small-business owners have less understanding of cyber risks and the need to insure them, and they are attractive targets for criminals because they are less prepared technologically, Weedin said.

"Everyone is vulnerable," stated security expert Emile Trombetti, senior vice president of commercial markets at consulting firm Booz Allen Hamilton, who works with clients in the process of getting cyberinsurance. "If you believe you can keep people out of your network completely, you're fooling yourself."

Trombetti said that in security evaluations Booz Allen has done for client companies, it looks for a number of key items including secure network architecture, the presence of a strong chief information officer, identity management systems, firewalls and perimeter defenses, encryption of data both in storage and in transmission, and secure, encrypted mobile devices.

BYOD -- bring your own device -- policies have spread rapidly, requiring companies to accommodate, and manage security on, tablets and smart phones that employees bring to, and use for, work. "We are very astute at looking at encryption and how [the companies] protect the data going to these devices," said Trombetti.

Managing the Risks -- and Costs

Like any category of risk that an enterprise has to manage, hacking attacks cannot be completely eliminated. But there are proven measures to mitigate the exposure. Companies that follow established best practices will not only reduce the number and cost of breaches, but will also have an easier time obtaining cyberinsurance.;;

For example, the Chubb Group of Insurance Companies, headquartered in Warren, N.J., will give customers discounts or rebates for good security practices. "What we're doing is helping the insured at building up their loss controls," said Jeffrey Portis, Chubb assistant vice president and cyberspecialist.

Discounts or rebates can help cover the cost of hiring a third-party firm to test an incident response plan and network security, for example. Chubb will reimburse customers for some security products, including up to half the cost of mobile security products from AirPatrol Corp.

In a February 2012 survey of 145 public companies in the U.S. and Canada, Chubb found that two out of three still had not purchased cyberinsurance -- a product class that has been around for about a decade, according to Christine Marciano, president of Princeton, N.J. insurance broker Cyber Data-Risk Managers. An increase in reported incidents, underscored by media attention and by state laws and other regulatory guidelines requiring disclosure of data breaches, has raised consciousness in the last couple of years. The Sony incidents "highlighted the fact that general liability coverage doesn't cover" such losses, said Marciano. "This has really added to the visibility."

Firms looking to buy cyberinsurance have about 30 carriers to choose from, the broker added. However, policies have significant differences, and buyers should pay careful attention to what is covered and what is not.

Policy Details

Most policies will cover the expenses that immediately result from the breach itself, including professional crisis management and public relations services, the expense of notifying everyone whose records have been compromised, credit and identity theft monitoring, forensics investigations to determine how the breach took place, as well as legal penalties and fines. Most policies will cover the cost of defending lawsuits and any damages that result. But they will not necessarily cover anything that normally falls under other types of insurance, such as employee harassment or shareholder loss claims.

Firms may also incur the expense of notifying -- and extending credit monitoring services to -- customers in states that do not have laws mandating notification after a breach. "Chubb's policy is voluntary notification," said Portis. "There are four states that don't have notification laws. If you have a breach in Alabama, we would still allow notification to be brought there."

What if you have a box of paper forms that hasn't been entered into the computer yet, and somebody steals them? That varies, and companies should make sure this is covered if they want it to be.

Most carriers will provide up to $20 million in total coverage, said Marciano of Cyber Data-Risk Managers. Policies can be layered on top of one another to provide additional coverage as needed. "It does get expensive," she added.

So far, cyberinsurance payouts have been fairly reliable. "It's still early, and a carrier doesn't want to be the one who will deny a claim," said Marciano. "If the insured is doing what they said, and have policies and procedures in place, and it is sensitive information, they'll be covered." But there should be no complacency.

Imperatives for the Insured

Marciano said many carriers will insist that all data on mobile devices be encrypted. If a breach occurs, and it turns out there was no encryption, that would be a clear violation of terms, and the insurer would be within its rights to decline payment. "Encryption solution providers are getting a good number of calls to help clients encrypt their data so they're insurable," Marciano said.

The same applies to keeping systems secure and up to date. "If a breach occurs, and they haven't done any software updates for a year and a half, that claim would be excluded," stated Steven Anderson, vice president and senior underwriter for international insurer XL Group. "The reality is, we want some of the responsibility on the insured that they keep up with their network as best as possible."

Companies also need to monitor their service providers and ensure they are doing everything they can to protect data. Vendors can be covered under an umbrella policy or can take out their own. Companies using third-party providers for storage, security, networking or other services that could potentially touch on sensitive data need to ensure that the vendors follow best practices and be insured.

Techinsurance of Allen, Texas specializes in covering such vendors, including small and "micro" businesses. It currently insures 17,000 computer and IT service providers. "We do cyberliability and technology errors and omissions," said founder and chairman Jim Cochran. It is surprising, he said, that the customers of these firms typically don't ask for this kind of insurance.

"The contracts generally just require that the contractors show general liability and workers comp," he noted. However, general liability coverage tends to cover only property damage or physical injuries. What's more, the contracts are written in terms that apply as much to drywall contractors as to computer consultants.

Confused Legal Landscape

There have been several efforts to get a standard, national data security law passed, said Scott Vernick, an attorney and cybersecurity expert with national law firm Fox Rothschild. "I can't tell you how many bills have been introduced over the past five years," he said. The legislation "hasn't gone anywhere" amid the "absolute gridlock in Washington.";;

As a result, companies' responses to data breaches must comply with the laws of the states where the people affected live -- whether the incidents involve compromised credit card or Social Security numbers or medical records.

"In some states, you have to notify the state police," Vernick said. "In some states, you have to notify the attorney general. In some states, you only have to notify the consumer. In some states, there is a threshold of harm. Some states include medical information, and in other states the information at issue is much more limited."

Then there are international laws to consider. These days, even small firms selling goods online can have customers overseas and get caught in an even more complicated legal web.

"The European privacy regime and privacy regimes in other countries are very different from those of the U.S.," Vernick said. To deal with this reality, Fox Rothschild partners with overseas law firms.

There are some national legal standards already in place for certain types of companies. In October 2011 the Securities and Exchange Commission released guidance for publicly listed companies, reminding them that data breaches are among "material risks" that must be reported. Having a cyberinsurance policy in place reduces a firm's financial exposure.

Financial services firms have to comply with the privacy provisions of the Gramm-Leach-Bliley Act; health care organizations are subject to the Health Insurance Portability and Accountability Act; and any company that deals with bank cards has to comply with the Payment Card Industry Data Security Standard.

"There should be federal standards," said Darren Hayes, chair of the computer information systems program at Pace University and a member of the New York school's Seidenberg CyberSecurity Institute. "There will be some disagreements. The burden to the small cap companies will be greater than to the large cap companies, which may already have controls in place." But he said it is ultimately up to the companies themselves to step up their security.


According to the Verizon report, 97 percent of breaches were "avoidable through simple or intermediate controls," Hayes pointed out. "Yes, cyberinsurance is important. But, in general, companies aren't doing what they should be doing to protect systems."

A security checklist such as the following speaks to the necessary preparations:

• Incident response plan in place
• Information protection policy in place
• Controls in place for third-party vendors
• Secure network architecture
• Powerful chief information officer
• Strong identity management
• Firewalls, perimeter defenses, and virus prevention
• Encrypted and protected mobile devices

Cyberinsurance Provisions at a Glance

Usually covered:
• professional crisis management and public relations services
• notification expenses
• credit and identity theft monitoring
• forensics investigations
• penalties and fines as allowed by law
• legal costs and damages
• slanderous comments on social media sites
• breaches caused by outside hackers and by internal employees

Not covered:
• online harassment of employees (typically falls under employee practices liability)
• decline in stock valuation (typically falls under a directors and officers policy)
• cybercrimes by top-level executives

Sometimes covered:
• notifications to people who live in states that don't have notification laws in place
• copyright infringement on corporate websites
• loss of paper records that have not yet been digitized
• extortion
• breaches at third-party vendors
• loss of revenue due to business interruption