Targeting Cyber Liability
The Target Corp. data breach did more than make headlines; it created more boardroom anxiety than most headline-grabbing breaches.
Perhaps the timing and context of the Target breach had something to do with the nerves it struck (a major retailer was penetrated during the holiday shopping season), but the estimated 70 million people whose personal or payment card data was stolen, and who are now more vulnerable to identity theft as a result, sent shock waves throughout corporate America. Class-action lawsuits, state and federal investigations, and lost retail sales also followed the breach, but the reputational hit taken by the Minneapolis-based retailer might be the most damaging body blow.
With cyber criminals getting into the network structures of major retailers, no business is immune, which is why cyber liability insurance is getting a closer look. Stories like the Target breach have sparked discussions between insurers and clients, and insurance agents report a significant rise in interest in this coverage, even if inquiries don’t always lead to a purchase.
“It’s kind of funny because this Target breach should not have been such an eye-opening thing,” noted Colin Green, a risk management consultant in the Madison office of Cottingham & Butler. “These breaches have been happening all over the place for five or 10 years now, and it’s continuing to grow.”
In addition to Green, we interviewed the following industry experts for this look at cyber liability coverage: Raymond Koenig, partner and senior account executive, M3 Insurance Solutions; Tim Hausmann, chairman and principal, Hausmann-Johnson Insurance; August Felker, CEO of the Murphy Insurance Group; and Matt Murray, risk management consultant, Cottingham & Butler.
As our experts explained, it’s not a matter of if you become a cyber target, or if a dishonest employee sells information, or if employees carelessly lose information, but when. As you ponder the purchase of cyber liability coverage, here are 7 things to consider.
1. It goes beyond e-commerce
Interest in cyber liability coverage is not restricted to retailers and businesses with an e-commerce or online sales function; it’s much broader than that. Historically, cyber liability insurance has also piqued the interest of medical organizations, which have privacy compliance to consider. More recently, manufacturers that want to protect drawings or prototypes and service businesses with intellectual property or other proprietary information have inquired about it.
“It’s of interest to any organization that stores data and has data online or has a website, which is a great number in Wisconsin,” Green says. “These are privately held businesses with that type of exposure. They may not have the same exposure to the same degree as others, but everyone has exposure to it.”
2. Expect a white-glove test
Since cyber liability insurance is still in its infancy, the underwriting process for this coverage is hardly standardized. Hausmann compared it to the early experience with employment practices liability: when the insurance industry is uncomfortable with its ability to quantify an exposure, its tendency is to ratchet up underwriting. As a result, a cyber liability application is not a one- or two-page form; it includes a substantial list of questions that attempt to ferret out where a company stands on best practices in data protection and disaster/breach response.
For the insurance industry, there is a regulatory cost related to notification and a cost associated with making people whole in terms of “the expenses associated with trying to clear their good names,” Hausmann said. “So there is a whole host of issues, or exposures, that unfold if you have a claim of this sort.”
Depending on the carrier, policies are rated on considerations like revenue, record count, industry, and risk management. Insurers seek to learn more about technology systems, processes for business recovery, and the type of information being held by asking questions like: Do you keep credit card numbers? Do you keep health information? Where are you keeping it?
“As with other types of insurance, the carriers have an application process,” Koenig explained. “They are trying to capture a number of considerations. They start with revenue, and then the next biggest area is record count — the number of unique individual records you have on your system. Then they are going to focus on what kind of management oversight you have, what your IT controls are, and if you’ve got any prior losses. They do get into your actual experience and your use of encryption [the process of encoding information so that only authorized people can read it].
“Certainly, companies that have personal health information are going to pay more than a company that just has online sales. They will be looking at personal health information, personally identifiable information, and more critical components.”
Insurance underwriters also will be interested in practices like the proper disposal of IT equipment and the thoroughness of breach incident response plans, neither of which is optional. In addition to the use of encryption, they might also inquire about standard practices like access controls that limit who can read sensitive data, firewall redundancy, and remote data-wipe capabilities, which let an administrator erase data on a lost or stolen smartphone or tablet.
“They all have pretty in-depth applications, ranging from three to 20 pages,” Murray added, “and they are very in-depth in terms of what you have in place.”
Murray also said that a lot of companies Cottingham &amp; Butler works with go through the application process with no intention of buying coverage, but to engage in an assessment process. “They will say, ‘We don’t think we’re going to buy cyber insurance. We don’t see the exposure, and we don’t want to pay the money for it.’ But a lot of them say, ‘Send us the application, we’ll go through it as a risk-management tool,’ and use it to determine what they need to shore up.”
3. Test your vulnerability
With larger companies, insurance carriers demand vulnerability testing before selling coverage, and third-party technology vendors perform it. In such an assessment the vendor runs simulated attacks, a penetration test, to find cracks in the company’s data protections. Fixing the weaknesses found, whether in infrastructure or in process, may add to the cost outlay.
“Certainly the companies that are selling cyber-liability products want to have a high degree of confidence that the policyholder does its very best to manage the risk,” Hausmann stated. “They are trying to avoid claims and identify organizations that have good policies and procedures to support underwriting for the cost of the insurance premium being charged for the risk at hand.”
For smaller clients, insurers may not ask the same questions, or the same number of questions. Those policies are underwritten in a much less rigorous environment than “where you have a hospital, and they have patient records and loads of confidential information in their management systems, and when you think about it, people running around with laptops on occasion,” Hausmann said. “Then, it’s a whole different level of scrutiny.”
Felker suggested that businesses are in denial about their true risk, especially given the hyperactivity and increasing sophistication of cyber criminals. “Even though businesses will say, ‘Oh, that’s not me,’ we here at Murphy get a ridiculous amount of phishing emails each day from people who are trying to get into our system,” he noted. “We have a pretty robust firewall, but all of our clients are getting the same thing. People are trying to hack in and get data. What we try to do is sit down with our clients and say, ‘Hey, what truly is the risk? What would be the financial obligation if there is a data breach?’”
4. Don’t count on pegging price
Since cyber liability insurance coverage is still in a formative stage, pricing is “all over the board,” Felker said. Insurers are still trying to fully understand the risk, and they don’t have the data to quantify and predict the kinds of losses they are accustomed to with other lines of insurance.
“That’s an issue that I think will be overcome in time as companies become more familiar with the risk, and the rates moderate,” Hausmann added. “In theory, they should drop over time.”
Whatever the premium costs, they likely pale in comparison to the cost of dealing with a breach. According to Hausmann, just the cost of meeting regulatory notification requirements is about $225 per person, so when you hear of a breach with millions of affected consumers, “you can do the math in your head in terms of the cost of notification.”
5. Vet third-party vendors
Koenig recommends that close attention be paid to third-party vendor contracts because vendors with physical or digital access to sensitive data should be required to carry cyber liability coverage, and their level of preparation will be reflected in your pricing. He noted that Target’s breach was a result of access granted to an HVAC contractor.
Koenig also advises that new entrants into the “cloud” provider marketplace be greeted with caution because the industry has a low barrier to entry, so some providers are under-protected and undercapitalized. Vetting a potential cloud provider should be handled with the same care as a banking relationship, he stated.
With more businesses, especially small businesses, going to the cloud, Felker said the Murphy Insurance Group is asking clients whether cloud vendors are contractually required to notify them in the event of a breach. “The question has to be asked of clients that move data away from their office and store it at an offsite data center,” he noted.
“It’s really important, as you’re vetting that vendor that’s going to be managing your data, that they really have good protocols in place. If there is a breach, there must be a good hold-harmless agreement or indemnification agreement with that vendor.”
How a company protects itself contractually and through internal controls can limit the scope of a breach, so access to information should be limited where possible, and contractual insurance requirements should be enforced, Koenig advised.
6. Don’t settle for cookie-cutter coverage
Even though the insurance industry has a lot to figure out about cyber liability, carriers already know it’s not a one-size-fits-all proposition. There are very basic cyber programs that provide low limits and no support resources at a lower price, and there are robust products that offer more comprehensive coverage and benefits. Those benefits might include large-limit availability, crisis response assistance and, in some cases, the provision of forensic investigators.
Businesses should consider the use of higher deductibles to reduce cost because many breaches are smaller and do not result in litigation, and because insurers will offer savings in exchange for higher deductibles.
According to Koenig, some policies sublimit key coverages like notification costs, crisis-management costs, forensic expense, and data restoration, so it’s wise to match exposure with limit selection. The limits should be based on the type of data exposed — including personally identifiable information, health information, and intellectual property — plus the amount of data, and the level of security used to protect data.
It’s important to note that class-action suits for breach of privacy have been brought with as few as two plaintiffs. Outside of a potential settlement, Koenig says limit allocations should be considered with the following ranges: for notification costs, $3 to $10 per record; credit monitoring, $3 to $5 per record; and data forensics, over $500 per hour.
Bundling professional liability insurance with cyber liability offers the advantage of consolidation and underwriting leverage. Insurers like Chubb, Travelers, and AIG build cyber liability products into an executive liability platform; within that insurance platform, clients can buy a variety of coverages, with cyber liability being part of a suite of coverages available on the platform.
7. Expect regulation to intensify
Most states, including Wisconsin, have a law mandating breach notification. Under Wisconsin law, a business has 45 days to notify affected consumers of a breach, and if a business is required to notify more than 1,000 people about a single incident, it must also notify the nationwide consumer reporting agencies.
Due to a lack of penalties, the 2006 law did not impress many consumer advocates, and the continuing litany of high-profile breaches is ratcheting up the pressure for stronger consumer protections.
Elsewhere, state attorneys general are looking to fine and prosecute negligent companies; with each new breach, the federal government moves closer to establishing additional mandates for companies in industries with critical infrastructure and sensitive data.
Cyber liability coverage might be new, but it eventually will be viewed as a standard form of business insurance coverage. The same cannot be said for other lines of business insurance we came across during our research.
Some policies made us scratch our heads just a bit, but they all say something offbeat about the risk faced by today’s businesses, and about why risk management executives must keep their heads on a swivel. We don’t see a lot of these kinds of coverages around Madison because, fortunately, area businesses have fairly typical risks.
When cash-in-transit insurance was mentioned, our first thought was whether the clients had ever heard of electronic money transfers. But the coverage is offered by Lloyd’s of London and typically is purchased by companies that move large amounts of cash to big banks and by organizations that insist on dealing in cash. “Huge amounts of cash, like $1 billion,” says August Felker, CEO of The Murphy Insurance Group.
Have you heard of alien abduction insurance? Well, believe it or not, some insurers offer this line in case of abduction, but there’s sort of a business equivalent in a coverage called ransom reimbursement. Multinational corporations buy it in the event key executives are kidnapped on a business trip. The executive hostage really has to be worth it because insurance companies will send a negotiation team to haggle over the ransom price, which is reimbursed up to policy limits.
If your company has one or a handful of employees who are indispensable to its success — people whose loss would be catastrophic (you know who you are) — employers can protect themselves with star-employee insurance. Of course, indispensability is in the eye of the beholder, which might explain why some refer to this as “prima donna” insurance, but it’s designed to mitigate any bottom-line damage caused by the loss of Mr. or Ms. Wonderful.
We all rely on our senses to make a living, but Dutch winemaker Ilja Gort apparently worried that some day, he wouldn’t get a sniff. Gort, owner of Chateau de la Garde in Bordeaux, France, took out an $8 million insurance policy on his nose after hearing about a man who lost his sense of smell in a car accident. He had to give up some potentially interesting pursuits, however. Under the policy, he cannot ride a motorcycle or work as a fire-breather. We trust he has the good sense to avoid both.
Not feeling the cyber need
Risk managers have a handle on the need for cyber liability insurance, according to M3 Insurance Solutions, but organizations in general have some catching up to do. M3 recently reported the following:
- 56% of risk managers cite cyber security and cyber risk as their top concern.
- 48% of companies either do not have a cyber insurance policy or are “not sure.”
- 61% of companies list “insufficient personnel” as their barrier to managing cyber security.