The $10 Million Deductible - By Josephine Wolff
Do you still shop at Target? There’s been controversy over how much of an impact the massive breach of 40 million credit and debit card numbers in late 2013 had on the company’s shareholders and customers. And that controversy speaks to a larger cybersecurity problem plaguing industry today: the difficulty of assessing the impact and costs of these sorts of security breaches and the challenges that presents when it comes to trying to buy and sell cyberinsurance. Yes, that’s a real thing—and a great business to be in, at the moment, if you can figure out how to develop accurate actuarial models, that is.
A recent New York Times article touted cyberinsurance as the “fastest-growing niche in the [insurance] industry today.” Nicole Perlroth and Elizabeth Harris report: “[A]fter the breach at Target, its profit was cut nearly in half—down 46 percent over the same period the year before—in large part because the breach scared away its customers.” These enormous costs to brand reputation make it difficult for companies to get as much cyber risk coverage as they want, and the demand is only growing. The Timescites statistics showing a 21 percent increase in demand for cyberinsurance policies from 2012 to 2013, with total premiums reaching $1.3 billion last year and individual companies able to acquire a maximum of roughly $300 million in coverage.
At the time of its breach, Target had only $100 million in coverage, with a $10 million deductible, and had been turned away by at least one insurer when it tried to acquire more cyberinsurance, Perlroth and Harris report. They suggest that this coverage may fall well short of the massive losses incurred by the company when it saw its profits nearly halved.
But their piece comes less than a month after Eric Chemi argued exactly the opposite about the impact of Target’s security breach in a piece for Bloomberg Businessweektitled “Investors Couldn’t Care Less About Data Breaches.” He wrote:
Consider Target and its own well-publicized data breach that happened back in December. Target’s stock didn’t really move at all. Investors sent a clear message they didn’t care. The stock fell several weeks later, in January, only after the company cut its earnings forecast. Even so, the stock rebounded in the next six weeks. Target shares have been falling since last year, for a lot of reasons unrelated to the data breach.
So were Target’s losses tied to the data breach, as Perlroth and Harris claim, or largely unrelated to it, as Chemi argues? There’s no way to know for certain, but looking at historical data suggests that the stock drops that follow data breaches have been fairly short-lived for many companies. One 2006 study by researchers at Carnegie Mellon and Harvard found that a company was likely to lose value on the day when it announced a breach and the following day, but after that the impact quickly disappeared into statistical insignificance. More recent research from SUNY Binghamton and Iowa State University suggests that the impact of security breaches on companies’ stock value may be diminishing. That is, more recent security incidents appear to have less impact on stock prices than older ones did. So we may care less about cybersecurity incidents than we used to—or perhaps we’re just inured to them now.
I still shop at Target. To calm my nerves, as I swipe my credit card through those ominous red kiosks and picture my card number flying off to Eastern Europe to be counterfeited, I tell myself that a company that was just recently in the news for its poor computer security is likely to now have stronger security in place than just about anyone else. And indeed, the companyannounced a new program this spring to replace its payment terminals and issue more secure credit cards with chip-and-PIN technology. I think it’s probably true that Target is more security-conscious than most of its competitors at the moment, but it’s also true that, even as someone who spends many of her waking hours thinking about and studying cybersecurity, it doesn’t really guide my personal shopping. When I’m deciding whether to buy a new water bottle or lip balm, I’ll weigh its price, its color, its design—but not the data practice and protections of the seller. Of course, part of the problem is that often I have no way of knowing what those practices and protections are. I like to think that if I had all that information available at my fingertips I would be able to make some judgments about whom to hand my credit card to. But even then, would I really bother?
These are not merely cybergeek soul-searching questions—it matters whether we care about companies’ cybersecurity because it helps determine how much they care about cybersecurity and also, as the Times article points out, how much insurance they need to protect against computer security breaches.
A central thesis of the Times article is that many of the losses caused by these incidents are intangible damages to a company’s reputation that result in lost sales: Customers who would otherwise have been happily patronizing the business decide they no longer trust it. “The loss to the brand is essentially unmeasurable,” the reporters write of the Target breach. Yet it doesn’t seem quite right that these losses should be either immeasurable or unmeasurable. Of course, it’s not possible to say exactly where Target’s stock would be today if the company had not been breached last year. But there have been enough of these breaches over the years for researchers to look at the data from different victims and say that the incidents have negative short-term and negligible long-term effects on the stock value of the targeted firms.
So where does that leave the growing cyber insurance industry as it tries to figure out what losses it should cover and appropriate premiums and deductibles? One implication is that the industry faces much greater challenges than trying to quantify or cover intangible—and perhaps largely imaginary—losses to brands’ reputations. In light of the evidence that these losses may be fairly short-lived, that problem pales next to the challenges of determining what should be required of the insured under such policies. Insurers—just like the rest of us—don’t have a good handle on what security practices and controls are most effective, so they don’t know what to require of their customers. If I’m going to insure you against some type of risk, I want to know that you’re taking appropriate steps to prevent that risk yourself—installing smoke detectors or wearing your seat belt or locking your door. Insurers require these safety measures when they can because there’s a worry that you’ll be so reliant on the insurance coverage that you’ll stop taking those necessary precautions, a phenomenon known as moral hazard. Solving the moral hazard problem for cyberinsurance requires collecting better data than we currently have on what works—and what doesn’t—to prevent security breaches.
Moral hazard isn’t the only thing cyberinsurers have to worry about—there’s also theinterconnected nature of cybersecurity threats. Insurance companies rely on being able to use the fees paid by customers who don’t suffer accidents to cover the costs of those who do. But many computer security risks are not isolated to one victim—a single virus or vulnerability can be used to compromise many targets simultaneously. That’s a serious concern for insurers, who don’t want to be faced with paying out large claims to multiple customers at the same time.
Improving the cyberinsurance market will require addressing these problems—figuring out which defenses are most effective, how interconnected the threats truly are, how often breaches occur, and whether they really do scare off customers. Until we have better answers to those questions, the cyberinsurance business, booming though it may be, will be a risky one for both buyers and sellers, driven by fear instead of facts.
This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.