Should Your Business Buy Cyber Insurance? by Jeff Peters
Despite recent growth in the cyber insurance market, driven in part by a half dozen high-profile breaches making headlines in 2014, there's still a high level of confusion about coverage among business owners and even those who write the policies – as new attacks and new court cases continue to define the market.
As a recent Marsh & McLennan Agency (MMA) survey on the subject put it, "Respondents overall do not consider themselves well-informed of this type of coverage."
"Look at the Sony malware case," said Greg Schaefer, president and founder of Schaefer Enterprises Inc., a Manhattan-based insurance agency, on last week's Cybercrime and Business Podcast. "Trying to determine the cause of loss and how the policy language is going to react to these situations and ultimately pay back and reimburse the insured, which is Sony – these are all things that are new to the industry, and they haven't been time tested."
In a similar vein, just two weeks ago, a federal judge rejected Target's attempt to dismiss lawsuits from financial institutions affected by the theft of 40 million payment cards. Just replacing all those cards comes with a whopping $400 million price tag, The New York Times reported.
The ruling, one of the first of its kind, makes it clear that banks have a right to go after merchants if they can provide evidence the merchant may have been negligent in securing their systems, the Times wrote.
Yet many smaller merchants don't even realize that they are responsible for the security of the transactions they process.
"A lot of people who take a credit card think the merchant company is responsible if something happens," Schaefer said, adding that he encourages business owners to simply call them and ask. "What they found out 100% of the time is that it is their responsibility."
A Growing Market for Cyber Insurance
These cases simply highlight the growing pains of an expanding market.
A Ponemon study of 567 U.S. executives published in September found that the percentage of respondents who had purchased a policy had more than doubled from 10% in 2013 to 26% this year.
Likewise, the MMA survey of 582 small and midsize employers in the U.S. found that a third of respondents had purchased a cyber liability policy, though there was significant variation between industry sectors.
Financials (88%) and healthcare (53%) had the highest percentage of those with cyber insurance, while sectors like construction (17%), real estate (17%), and agriculture (0%) had the lowest.
Interestingly, the retail sector, which has dominated the news cycle in terms of breaches, is actually 3 points below the survey's average, at 30%.
As an example, Target has incurred $248 million of cumulative expenses since its data breach, with $90 million of that expected to be offset by insurance, lowering its breach expenses to $158 million.
"Cyber-insurance helped Target and Home Depot lower their breach-related costs substantially, and, thus, converted market participants from former skeptics to current believers in cyber-insurance policies," financial fraud expert and Gartner analyst Avivah Litan told BankInfoSecurity.
"Over the past few years it's been a tougher sell for us, as agents, especially when it comes to the smaller and mid-size company," said Schaefer, adding that over the past few years about one in four of his clients, often urgent cares or healthcare institutions, would purchase a policy.
Now it's one in two, and he only expects that to increase.
Should You Buy Cyber Insurance?
Answering that question always starts with understanding the risk exposures for your business.
Some of the most common cyber exposures among respondents to the MMA survey are:
- Computers connected to the Internet (95%)
- Process/access banking information (85%)
- Hold client or customer information (75%)
- Holds past or present employee records (73%)
- Employees use devices connected to our network (70%)
More specific exposures like HIPAA information and processing credit card transactions are also important, as well as looking at any risk from third-party vendors and business partners.
"You have to sit down and take a real look and say, 'Worst case scenario, what would I be able to incur if we did have a loss?'" Schaefer said.
It could make sense to have a small $5,000 deductible to limit any potential costs, or a larger $50,000 deductible with more protection may be a better fit. Naturally, this can vary wildly depending on the company and policy (Target has a $10 million deductible).
One easy calculation is to take the average cost to notify a customer of a breach ($195 in the U.S., according to a recent study), multiply that by the number of customers you have, and then ask yourself, "Could this put me out of business?" Schaefer said.
If you decide to purchase, the best place to start is with a phone call to your current broker, as they already understand your business, and you may be able to add cyber coverage to an existing package.
Schaefer added this may not be the most robust solution, but it's likely the most cost-effective.
From there you can look into various options and any additional coverage specific to your business (fines for HIPAA violations, for example). And remember to always ask questions and know what is and what isn't covered under the policy, especially as things can change quickly in the cyber world.
"What's going on with Sony is actually one of the craziest cases to me," Schaefer said. "It's just kind of changing the way things are now. The threats are completely different every time."
He added, "Who knows what the next threat is going to be?"