The retailer was quick to point out, however, that when all is said and done, that $61 million will be more like $17 million, because Target, like more and more companies these days, has something called "cyber insurance."
This type of coverage is not new. Emily Freeman is a cyber risk specialist for Lockton, a global insurance firm. She was helped draft some of the first cyber-risk policies in 1999, and according to Freeman, demand is way up.
“We’re getting calls every day from companies that want to buy cyber insurance to protect themselves,” she says.
A policy could cover civil penalties and legal fees. Policies also pay for forensic investigations.
Scott Godes, a lawyer with Barnes and Thornburg, focuses on corporate insurance. He says that after a data breach, there are lots of questions: “Are there people that are in your system? When did they get in there? Are they still in there? And how do you get them out?”
It costs a lot of money to answer those questions. Cyber insurance can take care of the costs of notifying customers and giving them credit protection. “Just generally needing to clean up the mess that’s been created,” says Tyler Moore, a computer science professor at Southern Methodist University.
But these policies have limits.
"The reputational damage to a company following a high-profile breach, for instance, is not typically covered," he says.
Companies don’t like to advertise what kind of coverage they have. Today, Target said its insurance helped offset costs, but it did not go into detail. Freeman says it is important to remember that cyber insurance is meant to be a backstop for companies.
"We sit on the shoulders of their best efforts to prevent the event from happening in the first place,” she explains.
As insurers draft policies, they want to know companies are doing all that they can, that they are investing heavily in security, because when that security fails, it is the insurers who will have to pay.
