BreachExchange mailing list archives
Paying the price to insure a company's reputation
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 4 Jun 2014 19:50:23 -0600
http://www.njbiz.com/article/20140602/NJBIZ01/140609955/Paying-the-price-to-insure-a-company's-reputation

A data breach or recall can certainly ruin a company's day — and its bottom line. But the costs of a reputation-damaging scandal can stretch far beyond making good with customers.

For example, a company may need to bring in a crisis manager to help it with public relations or damage control. And that can mean a big expense for a small firm.

That is where reputational risk insurance comes in.

Attorney Darren Hanison is a partner with Goldberg Segalla, a law firm with offices in Princeton.

“There are several types of reputational risk insurance,” he said. “The easiest to sell I think is an insurance policy that covers the costs of the corporate entity employing a crisis manager to spend money effectively managing their reputation if it has been damaged by an event.”

The key for buyers is figuring out if the price is right.

“It’s probably not aimed at a massive corporate, because the type of insurance levels that you’re able to buy at the moment are probably not more than, tops, $25 million a year in coverage. (But) even if you’re a corporation that could spend $100 million if you need to, there’s a fiduciary responsibility on the directors to protect their shareholders. So if you can have $25 million of cover, then you should.

“It’s more midcap companies that have got a big brand but aren’t necessarily a massive organization yet. Although they might have a PR budget, if an event would happen they would be spending a lot of money, and may not have a crisis management department. Private equity companies who own various brands, they also probably don’t have much of this in place. All the way down to small- to medium-size enterprises who have a business-to-business relationship, particularly if they have a security breach, they become within their marketplace a difficult company to want to use. They may want to have money in the bank, as it were, to spend on crisis management.”

Policies, which can range from as high as $25 million to as low as $1 million, are written on a yearly basis, so a company with a $1 million policy could use $200,000 for each of five crises, for instance.

Under these policies, a company with a data breach such as the recent one that affected Target would be reimbursed for the money it spends repairing and protecting its reputation — up to the amount of the policy it has purchased.

“This is not a standard insurance cover,” Hanison said. “It’s not required by law. It’s not required insurance, but it’s becoming more of a known problem. In the insurance world, reputation is now seen as the third most important issue for the business.”

But the “newness” factor and ever-changing cyber-landscape are part of the challenge for both insurers and the would-be insured.

“Compared with others, this (insurance) is expensive, because the risk almost is much greater,” Hanison said. “This type of coverage, because it’s relatively new, it’s difficult for insurers to have any actuarial evidence how this is going to develop, therefore they charge relatively high premiums. Insurers are keen to offer the cover even if, in the first couple of years, they might make a loss. You can’t prove a product unless it’s actually selling.”

In addition, a policyholder can spend 10 percent of the policy value without having to get the insurer’s consent, Hanison said. “If you have an event, you want to be able to react to that immediately. You’ve got to have that flexibility, and that means the insurers are on the hook straight away, and therefore the premium has to be chunky enough.”

Other types of policies even try to identify the cost of lost reputation, Hanison said, but these are much more challenging because it’s difficult to put a dollar amount on such a situation.

“This idea of paying the cost of doing what is required to try to manage the damage to the reputation is I think where the market is going from an insurance point of view,” Hanison said. “That becomes much more what an insurer would call a first party. It’s very similar to property insurance: the insurance company will pay you the cost of rectifying the problem.”

Of course, it’s not that simple even with these straightforward policies.

“At what point has their work been enough to rectify the damage caused to your reputation by the event? That is where there will always be an argument between the insured and the insurer.”

That is where attorneys like Hanison really come into play.

“I’ve been involved in developing the wording with the insurance company,” Hanison said. “The insurance company would come to me as a lawyer and say, ‘I want to develop a policy wording that says what I want to do.’”

If there is a claim, Hanison becomes involved in a different way: “I would be the lawyer instructed to effectively monitor the insurance position. I would monitor those positions as far as the insurer is concerned – play an overall role in terms of making sure the policy does what it’s supposed to do, but only what it’s supposed to do.”

As far as Hanison is concerned, however, this is insurance worth having.

“Sometimes, protecting the reputation is more important than the crisis that has happened,” he concluded.