BreachExchange mailing list archives

Business data breaches driving up demand for cyberinsurance


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 13 Oct 2014 18:55:52 -0600

http://www.northjersey.com/news/business/insuring-against-loss-from-hackers-1.1107528

When Robert Morris' grandfather co-founded the Rampart Group insurance
brokerage 50 years ago, the priority for most of his business clients was
making sure they had adequate fire insurance, and insurers checked to make
sure their clients' office and factory buildings had the right firewalls.

Now, Rampart Group's biggest clients are concerned about a different kind
of firewall, and they are making sure they are covered if their electronic
databases and computer systems are breached.

"Today's hot button is cyberinsurance," said Morris, president of Rampart,
which has offices in Fort Lee and three other locations. "We're up over 200
percent on cyberpolicies since last year, and it's still growing rapidly."

Cyberinsurance covers companies for costs from data breaches, unexpected
computer crashes or shutdowns caused by hackers. Corporations first began
seeking cyberattack coverage about six years ago, as news of costly data
breaches began to surface.

Many early attacks were caused when an employee's laptop was stolen or
computer backup tapes were misplaced. But over the past two years, reports
of sophisticated criminal rings infiltrating retail, bank and government
computer systems and the undetected collection of credit card data and
personal information have become alarmingly common.

This month, news that JPMorgan Chase, the financial giant with a reputation
for investing heavily in data security, had been breached and that
addresses and phone numbers connected to 83 million household and business
accounts had been stolen reinforced fears that no one is safe from
cyberattack.

News of the Chase breach came 11 months after Target, the nation's
second-largest retail chain, was hit by a holiday-season hacking that
compromised some 40 million credit and debit cards. The total cost to
Target of that attack is expected to top $1 billion. Home Depot, Neiman
Marcus, eBay as well as smaller retailers also have been breached.

Retail and bank breaches involving payment cards get the most publicity,
but any place that handles confidential or financial information —
hospitals, law offices, government agencies — has to worry about
cyberleaks.

The Ponemon Institute, a Michigan-based research think tank specializing in
data protection and security, reported on Thursday that cybercrime has cost
a sampling of 59 U.S. companies an average $12.7 million this year, up
roughly 10 percent from last year's average of $11.6 million. This year's
average includes two companies that were each hit with more than $50
million in cyberattack costs.

Cybercrime expenses are rising, Ponemon Chairman Larry Ponemon said,
because "the bad guys are getting better at what they do."

The accounting firm PricewaterhouseCoopers reported in September that data
breaches increased 48 percent this year, with 117,339 attacks occurring
each day around the globe.

American International Group, Chubb, Travelers and other large insurance
carriers have rolled out corporate cybercoverage plans. Warren-based Chubb
has developed a number of specialized cybersecurity products, including
policies designed for health care organizations, lawyers and small
businesses. Marsh, the insurance brokerage division of Marsh & McLennan
Cos., last month announced it would provide catastrophic cyberattack
coverage for large companies that want an additional $300 million in
coverage above the first $100 million in costs, which the company would be
expected to cover.

Rates all over the map

Experts say the costs of cyberinsurance vary greatly and depend on the
number of records or amount of data a company collects and needs to
protect. Panelists at the Black Hat and Def Con conventions in Las Vegas in
August said standard rates are $20,000 to $25,000 for $1 million of
coverage.

Tom Ridge, the first U.S. homeland security chief, said last week that his
company, Ridge Insurance Solutions, was joining with the venerable Lloyd's
of London to offer cyberattack insurance. The Chase breach, Ridge said at
an appearance in London reported by Bloomberg News, scared corporate
executives around the world.

"Who would have thought that JPMorgan, with its security budget, could be
hacked into," Ridge said. "Now a lot of people are thinking, 'If it could
happen to them, it could happen to us, too.' "

Bloomberg reported last week that U.S. property insurers have record
surpluses after investment gains and two years without devastating
hurricanes. The insurers, as a result, are willing to take on additional
risk, and see cyberpolicies as a new source of growth.

The pricing challenge

One problem insurers face, however, is knowing how to price a policy based
on anticipated risk when information about the impact of cyberattacks is
limited.

"The problem is there's not enough actuarial data to tell us how many
attacks there are going to be and what's going to be the cost of the
attack," said Rampart Group's Morris.

If a company comes to an insurer seeking fire insurance, Morris said, "they
know what's going to burn, within certain parameters because they have the
statistics for hundreds of years. We don't have that in cyber at all. Not
even close." That causes prices for policies to be "all over the place."

Rampart Group brokered its first cyberinsurance some four or five years
ago, Morris said. The policies, however, have become far more complex and
sophisticated since then. Insurers now provide coverage packages that help
a company notify customers of a breach, that provide forensic accounting
services and credit-monitoring services and that pay for public relations
or legal assistance.

Morris said Rampart Group itself pays for cyberinsurance coverage as part
of its business insurance because it needs to protect itself if any
confidential information on its customers is breached.

Michael Palmer, chief operating officer of HiTouch Business Services, a
national office products and services company based in Saddle Brook, said
cyberinsurance increasingly is becoming a standard cost of doing business.

'Policy from Day One'

HiTouch, a Rampart client, has never had a breach, but the company has had
cybercoverage since it was founded in 2010.

"We had a very small policy from Day One, and we've kept increasing it
every year," Palmer said.

Recently, HiTouch has seen that its larger business customers, who enter
into contracts for large purchases or services, want to deal with vendors
who have cyberinsurance.

"Their legal departments are saying these are the insurances every vendor
you have must carry," Palmer said.

Cyberinsurance planning "has to be a collaborative effort" between the
company and the insurer, Palmer said, adding that HiTouch has annual
meetings with Rampart to evaluate its coverage. The coverage, he said, has
to be coupled with HiTouch's internal data security and governance
policies. The insurers "want to know that you're protected at a certain
level before they're going to insure you," he said.

Industry experts say the drive for cyberinsurance should help strengthen
corporate cyberdefenses in the same way that insurance companies years ago
led the push for uniform building codes and code enforcement to reduce fire
and property liability risks.

Personal coverage

The growth in corporate cyberinsurance is causing some insurance companies
also to look at cyberinsurance riders on personal life insurance or
homeowners policies, coverage that would provide reimbursement in cases of
identity theft, stolen information, or even lawsuits linked to social media
misuse.

Morris said he is trying to develop a personal cyberinsurance policy to
provide $500,000 to $1 million in coverage for a premium of about $200 a
year. The coverage could protect someone who might be sued because of
something a family member posted on social media or bring in
digital-reputation repair experts if the policy owner is attacked on social
media.

"Cyberinsurance is becoming something every industry and really anybody who
has a computer needs," Morris said. "Because anybody can get hacked."