BreachExchange mailing list archives

Companies Turn to Cyber Insurance as Hacker Threats Mount


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 21 Mar 2014 13:16:30 -0600

http://www.foxbusiness.com/technology/2014/03/20/companies-turn-to-cyber-insurance-as-hacker-threat-mounts/

Investors cringe when a company they own, such as Target (TGT) or Las Vegas
Sands (LVS), suffers a cyber breach that results in the loss of customer or
employee data.

The cost of a high-profile breach can be in the tens or hundreds of
millions of dollars due to lost business, disrupted services and
compensating potential identity theft victims.

But sophisticated companies are increasingly balancing the rising risk of a
pricey cyber event by acquiring cyber security insurance from the likes of
AIG (AIG) and Chubb (CB). Cyber coverage can mitigate the costs of
everything from hiring forensic investigators and high-priced lawyers to
shelling out ransoms to cyber extortionists.

"This is an arms race and an ongoing battle. Cyber insurance is becoming
increasingly prevalent as boards of directors and officers become more and
more aware of the seriousness of cyber security risks," said Jim Halpert,
co-chair of DLA Piper's global privacy practice.

Like flood, fire and auto insurance, the idea behind cyber insurance is to
spread the risk and cost of a security incident among a broader pool of
companies that deal with sensitive data.

Cyber events can range from a breach of customer data like the epic breach
of Target and a loss of intellectual property to a business interruption
caused by a distributed denial of service (DDoS) attack.

Cyber Insurance Gains Popularity

The Ponemon Institute estimates organizations were hit by $5.4 million in
costs per data breach in 2013, up 26% from the year before.

"Cyber insurance is becoming less of an option and more of an automatic
purchase," said Dave Navetta, founding partner of the InfoLawGroup who
helped develop cyber insurance products at AIG at the start of last decade.

According to a 2013 Ponemon survey of nearly 19,000 security and risk
management professionals, 31% say their company has a cyber security
insurance policy and 39% say they are planning to purchase one.

Companies that are most likely to scoop up cyber insurance include ones in
more regulated industries such as financial services and health care. Some
observers said retailers, at least up until recently, have been slower to
grab cyber insurance. They also believe colleges and universities are
lagging behind on this front despite recent breaches at the University of
Maryland and Johns Hopkins University.

In general, insurance experts believe the larger and more sophisticated a
company is, the more likely they are to buy cyber coverage.

To be sure, some small companies that may deal less with payment data and
other sensitive information may determine cyber insurance is not for them
or they are already covered by other policies.

Still, the vast majority of companies have at least some exposure to a cyber
event that could eat into profits, hurt shareholders and lead to layoffs.

"Any company that collects, stores or transmits private information
ultimately has a cyber security exposure," said Ken Goldstein, vice
president and global cyber security and media liability manager for the
Chubb Group of Insurance Companies.

What Does it Cover?

Interestingly, the Securities and Exchange Commission's 2011 cyber guidance
advised companies to disclose to investors a "description of relevant
insurance coverage."

Cyber insurance carriers offer a broad spectrum of policies that cover
various liabilities related to potential breaches and attacks.

These risks are best broken down into third-party liabilities and
first-party expenses.

Third-party liabilities include lawsuits brought against a company by
employees or customers for inappropriate access to private information and
fines and customer redress brought on by regulators.

First-party expenses cover forensic analysis in the wake of a breach, costs
tied to notifying customers and offering data monitoring services, boosting
bandwidth to conquer a DDoS attack and paying extortionists a ransom to
stop an attack.

There are some potential fallouts from a cyber event that insurance
companies are not likely to cover, including damage done to brands and
physical harm caused by equipment failures.

Cyber insurance premiums can range widely based on the size of a company
and the extent of its perceived exposure. Goldstein said small and mid-size
companies may pay $2,000 to $15,000 per $1 million of liability coverage,
compared with $17,500 to $50,000 or more for larger companies.

'Don't Jump Into Anything'

Chubb offers companies loss prevention and risk management tools, including
premium reimbursements to spend money on better encryption as well as
providing access to breach cost calculators and Internet response plan
templates.

Sixty-two percent of respondents in the Ponemon survey believe the premiums
are fair given the nature of the risk.

Lawyers emphasized the importance of reading the fine print of cyber
coverage to see specifically what type of events will and won't be covered.

"Don't jump into anything right away. Take your time and look at a number
of different providers. Carefully read the policies," said Randy Sabett,
vice chair of Cooley's privacy and data protection practice.

Many insurance companies have jumped into the cyber market, with names like
Ace (ACE), AIG, Beazley, Chubb and Marsh & McLennan (MMC) leading the way.

"Over the last two or three years essentially every insurance carrier has
gotten into that market. There's been a lot of competition. Premiums have
come down and coverage has gotten larger," said Navetta.

Cyber Insurance Shakeout?

Chubb's cyber insurance business, which started around 2001, has enjoyed
double-digit growth lately, according to Goldstein. "I see a lot of upside
with that cycle continuing," he said.

Before agreeing to insure a given company, insurance companies launch an
underwriting process that may scrutinize an organization's network
security, privacy policies, password protection, intrusion detection,
vulnerability scanning and incident response procedures.

That may help explain why 62% of respondents in the Ponemon survey believe
the insurance has made their company better prepared to deal with security
threats.

However, Navetta said underwriting standards at some insurers declined as
more players got into the market. "We're at an inflection point. We may see
a little bit of a shakeout of the market because post-Target everything
seems riskier," he said.

Goldstein of Chubb said it would be "shortsighted" of certain insurers not
to take underwriting "seriously," especially given the fact that "there are
big losses happening and playing out on a daily basis in the news."

Of course, simply obtaining cyber insurance does not mean companies can
turn a blind eye to the risk of a breach or an attack.

"Insurance is only part of an effective risk management response. You can't
just insure away all risks in this space," said Halpert.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/