BreachExchange mailing list archives

Paying the price to insure a company's reputation


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 4 Jun 2014 19:50:23 -0600

http://www.njbiz.com/article/20140602/NJBIZ01/140609955/Paying-the-price-to-insure-a-company's-reputation

A data breach or recall can certainly ruin a company's day — and its bottom
line. But the costs of a reputation-damaging scandal can stretch far beyond
making good with customers.

For example, a company may need to bring in a crisis manager to help it
with public relations or damage control. And that can mean a big expense
for a small firm.

That is where reputational risk insurance comes in. Attorney Darren Hanison
is a partner with Goldberg Segalla, a law firm with offices in Princeton.

“There are several types of reputational risk insurance,” he said. “The
easiest to sell I think is an insurance policy that covers the costs of the
corporate entity employing a crisis manager to spend money effectively
managing their reputation if it has been damaged by an event.”

The key for buyers is figuring out if the price is right.

“It’s probably not aimed at a massive corporate, because the type of
insurance levels that you’re able to buy at the moment are probably not
more than, tops, $25 million a year in coverage. (But) even if you’re a
corporation that could spend $100 million if you need to, there’s a
fiduciary responsibility on the directors to protect their shareholders. So
if you can have $25 million of cover, then you should.

“It’s more midcap companies that have got a big brand but aren’t
necessarily a massive organization yet. Although they might have a PR
budget, if an event would happen they would be spending a lot of money, and
may not have a crisis management department. Private equity companies who
own various brands, they also probably don’t have much of this in place.
All the way down to small- to medium-size enterprises who have a
business-to-business relationship, particularly if they have a security
breach, they become within their marketplace a difficult company to want to
use. They may want to have money in the bank, as it were, to spend on
crisis management.”

Policies, which can range from as high as $25 million to as low as $1
million, are written on a yearly basis, so a company with a $1 million
policy could use $200,000 for each of five crises, for instance.

Under these policies, a company with a data breach such as the recent one
that affected Target would be reimbursed for the money it spends repairing
and protecting its reputation — up to the amount of the policy it has
purchased.

“This is not a standard insurance cover,” Hanison said. “It’s not required
by law. It’s not required insurance, but it’s becoming more of a known
problem. In the insurance world, reputation is now seen as the third most
important issue for the business.”

But the “newness” factor and ever-changing cyber-landscape are part of the
challenge for both insurers and the would-be insured.

“Compared with others, this (insurance) is expensive, because the risk
almost is much greater,” Hanison said. “This type of coverage, because it’s
relatively new, it’s difficult for insurers to have any actuarial evidence
how this is going to develop, therefore they charge relatively high
premiums. Insurers are keen to offer the cover even if, in the first couple
of years, they might make a loss. You can’t prove a product unless it’s
actually selling.”

In addition, a policyholder can spend 10 percent of the policy value
without having to get the insurer’s consent, Hanison said.

“If you have an event, you want to be able to react to that immediately.
You’ve got to have that flexibility, and that means the insurers are on the
hook straight away, and therefore the premium has to be chunky enough.”

Other types of policies even try to identify the cost of lost reputation,
Hanison said, but these are much more challenging because it’s difficult to
put a dollar amount on such a situation.

“This idea of paying the cost of doing what is required to try to manage
the damage to the reputation is I think where the market is going from an
insurance point of view,” Hanison said. “That becomes much more what an
insurer would call a first party. It’s very similar to property insurance:
the insurance company will pay you the cost of rectifying the problem.”

Of course, it’s not that simple even with these straightforward policies.

“At what point has their work been enough to rectify the damage caused to
your reputation by the event? That is where there will always be an
argument between the insured and the insurer.”

That is where attorneys like Hanison really come into play.

“I’ve been involved in developing the wording with the insurance company,”
Hanison said. “The insurance company would come to me as a lawyer and say,
‘I want to develop a policy wording that says what I want to do.’”

If there is a claim, Hanison becomes involved in a different way:

“I would be the lawyer instructed to effectively monitor the insurance
position. I would monitor those positions as far as the insurer is
concerned – play an overall role in terms of making sure the policy does
what it’s supposed to do, but only what it’s supposed to do.”

As far as Hanison is concerned, however, this is insurance worth having.

“Sometimes, protecting the reputation is more important than the crisis
that has happened,” he concluded.