Targeting Cyber Liability
(page 1 of 3)
The Target Corp. data breach did more than make headlines; it also created more boardroom anxiety than most breaches that make headlines.
Perhaps the timing and context of the Target breach had something to do with the nerves it struck: a major retailer was hit during the holiday shopping season. But the estimated 70 million customers whose personal and payment card information was stolen, and who are now more exposed to identity theft and card fraud as a result, sent shock waves through corporate America. Class-action lawsuits, state and federal investigations, and lost retail sales followed the breach, but the reputational hit taken by the Minneapolis-based retailer might be the most damaging blow.
“It’s really important, as you’re vetting that vendor that’s going to be managing your data, that they really have good protocols in place.” — August Felker, Murphy Insurance Group
With cyber criminals breaking into the networks of major retailers, no business is immune, which is why cyber liability insurance is getting a closer look. Stories like the Target breach have sparked discussions between insurers and clients, and insurance agents report a significant rise in interest in this coverage, even if inquiries don’t always lead to a purchase.
“It’s kind of funny because this Target breach should not have been such an eye-opening thing,” noted Colin Green, a risk management consultant in the Madison office of Cottingham & Butler. “These breaches have been happening all over the place for five or 10 years now, and it’s continuing to grow.”
In addition to Green, we interviewed the following industry experts for this look at cyber liability coverage: Raymond Koenig, partner and senior account executive, M3 Insurance Solutions; Tim Hausmann, chairman and principal, Hausmann-Johnson Insurance; August Felker, CEO of the Murphy Insurance Group; and Matt Murray, risk management consultant, Cottingham & Butler.
As our experts explained, it’s not a matter of if you become a cyber target, or if a dishonest employee sells information, or if employees carelessly lose information, but when. As you ponder the purchase of cyber liability coverage, here are 7 things to consider.
1. It goes beyond e-commerce
Interest in cyber liability coverage is not restricted to retailers and businesses with an e-commerce or online sales function; it’s much broader than that. Historically, cyber liability insurance has also piqued the interest of medical organizations, which have privacy compliance to consider. More recently, manufacturers that want to protect drawings or prototypes and service businesses with intellectual property or other proprietary information have inquired about it.
“It’s of interest to any organization that stores data and has data online or has a website, which is a great number in Wisconsin,” Green says. “These are privately held businesses with that type of exposure. They may not have the same exposure to the same degree as others, but everyone has exposure to it.”
2. Expect a white-glove test
Since cyber liability insurance is still in its infancy, the underwriting process for this coverage is hardly standardized. Hausmann compared it to the industry’s earlier experience with employment practices liability: when insurers are uncomfortable with their ability to quantify an exposure, their tendency is to ratchet up underwriting. So the application for a cyber liability policy is not a one- or two-page form; it includes a substantial list of questions that attempt to ferret out where a company stands on best practices in data protection and in disaster and breach response.
For the insurance industry, there is a regulatory cost related to notification and a cost associated with making people whole in terms of “the expenses associated with trying to clear their good names,” Hausmann said. “So there is a whole host of issues, or exposures, that unfold if you have a claim of this sort.”
Depending on the carrier, policies are rated on considerations like revenue, record count, industry, and risk management. Insurers seek to learn more about technology systems, processes for business recovery, and the type of information being held by asking questions like: Do you keep credit card numbers? Do you keep health information? Where are you keeping it?
“As with other types of insurance, the carriers have an application process,” Koenig explained. “They are trying to capture a number of considerations. They start with revenue, and then the next biggest area is record count — the number of unique individual records you have on your system. Then they are going to focus on what kind of management oversight you have, what your IT controls are, and if you’ve got any prior losses. They do get into your actual experience and your use of encryption [the process of encoding information so that only authorized people can read it].
“Certainly, companies that have personal health information are going to pay more than a company that just has online sales. They will be looking at personal health information, personally identifiable information, and more critical components.”
Insurance underwriters also will be interested in practices like the proper disposal of IT equipment and the thoroughness of breach incident response plans, both of which they treat as baseline expectations rather than options. In addition to the use of encryption, they might also inquire about standard practices like limits on who can access data, redundant firewalls, and remote data-wipe capabilities, which let an organization erase the data on a lost or stolen smartphone or tablet.
“They all have pretty in-depth applications, ranging from three to 20 pages,” Murray added, “and they are very in-depth in terms of what you have in place.”
Murray added that a lot of companies Cottingham & Butler works with go through the application process with no intention of buying coverage, but to engage in an assessment process. “They will say, ‘We don’t think we’re going to buy cyber insurance. We don’t see the exposure, and we don’t want to pay the money for it.’ But a lot of them say, ‘Send us the application, we’ll go through it as a risk-management tool,’ and use it to determine what they need to shore up.”
3. Test your vulnerability
With larger companies, insurance carriers demand vulnerability testing before selling coverage, and third-party technology vendors perform it. When a company engages such a vendor for this assessment, the vendor performs “pseudo attacks” (what security practitioners call penetration testing) to find cracks in its data protections. Infrastructure repair and process improvement could be part of the cost outlay.
“Certainly the companies that are selling cyber-liability products want to have a high degree of confidence that the policyholder does its very best to manage the risk,” Hausmann stated. “They are trying to avoid claims and identify organizations that have good policies and procedures to support underwriting for the cost of the insurance premium being charged for the risk at hand.”
For smaller clients, insurers may not ask the same questions, or the same number of questions. Those policies are underwritten in a much less rigorous environment than “where you have a hospital, and they have patient records and loads of confidential information in their management systems, and when you think about it, people running around with laptops on occasion,” Hausmann said. “Then, it’s a whole different level of scrutiny.”
Felker suggested that businesses are in denial about their true risk, especially given the hyperactivity and increasing sophistication of cyber criminals. “Even though businesses will say, ‘Oh, that’s not me,’ we here at Murphy get a ridiculous amount of phishing emails each day from people who are trying to get into our system,” he noted. “We have a pretty robust firewall, but all of our clients are getting the same thing. People are trying to hack in and get data. What we try to do is sit down with our clients and say, ‘Hey, what truly is the risk? What would be the financial obligation if there is a data breach?’”
4. Don’t count on pegging price
Since cyber liability insurance coverage is still in a formative stage, pricing is “all over the board,” Felker said. Insurers are still trying to fully understand the risk, and they don’t have the data to quantify and predict the kinds of losses they are accustomed to with other lines of insurance.
“That’s an issue that I think will be overcome in time as companies become more familiar with the risk, and the rates moderate,” Hausmann added. “In theory, they should drop over time.”
Whatever the premium costs, they likely pale in comparison to the cost of dealing with a breach. According to Hausmann, just the cost of meeting regulatory notification requirements is about $225 per person, so when you hear of a breach with millions of affected consumers, “you can do the math in your head in terms of the cost of notification.”