Despite the high incidence of data breaches and attacks on business and government computer networks, few companies have invested in coverage to help with the clean-up costs.
Barely a week goes by when we don't collectively cringe reading about an information security breach at some high-profile business or government agency, often something related to the pilfering of millions of personal records that are then used later for some identity theft scheme.
This month it is the U.S. Environmental Protection Agency's turn to be red-faced over a basic lack of cybersecurity, one that exposed social security numbers and banking information.
One U.S. government official estimated in a speech this summer that cyber attacks on U.S. computer networks rose 17-fold from 2009 through 2011, resulting in the loss of approximately $1 trillion of U.S. intellectual property.
All those incidents of tax refund fraud you're reading about this year, in which criminals use stolen social security numbers to file fake claims? After cursing the criminals that are giving average citizens a really hard time, you can blame all the businesses that have failed to put proper technology security measures in place.
But despite the rising awareness about just how vulnerable they are, very few businesses have invested in so-called cyberinsurance that could help with the clean-up and with some of the intellectual property losses.
The Cyberinsurance Concept
Let's be clear: cyberinsurance isn't meant to prevent the break-ins in the first place. That's a job for IT security teams, which are supposed to be putting proper technology measures and behavioral policies in place.
What is covered under cyberinsurance policies differs depending on the carrier but it often extends to the cost of forensics that help finger the cause of a breach (and what was lost), the costs related to disclosing what happened (46 states have disclosure laws, usually the threshold is $1 million in annual revenue), expenses that might arise out of related lawsuits, and some of the services needed to repair and remediate the affected computers.
Whether or not the cyberinsurance covers potential losses associated with stolen intellectual property is a matter for debate. The stock answer is, it depends.
Among the high-profile companies that offer cyberinsurance are ACE USA, Chubb, The Hartford and St. Paul Travelers Co. But for most insurance companies it is still a niche line.
Advisen, one firm that follows this area closely, estimates there is only about $600 million in written premiums for cyberinsurance, although other figures suggest the number is closer to $750 million. Companies in the United States and the United Kingdom tend to be most vigilant.
Other specialty insurance, such as policies covering corporate directors or officers, represents at least 10 times that amount, said David Bradford, president of research and editorial for Advisen.
Broadly speaking, Advisen estimates the potential market for cyberinsurance at about $4 billion, when you consider all the companies with more than $1 million revenue in certain industries that should have coverage.
"The thing that is really driving the uptick in the number of companies is the reporting requirements," Bradford said. "This can be a really onerous and difficult process."
How Much Coverage?
Who really needs cyberinsurance? And, beyond that, how much coverage is necessary?
Cyberinsurance experts point to breach cost estimates gathered by the Ponemon Institute. In 2011, for example, the median damages related to cyber crime were about $5.9 million. The costs vary dramatically depending on the number of records involved, though, so they could be much lower or higher than that number. Generally speaking, many people use a figure of approximately $200 per record to estimate the cost of coverage.
That can add up really fast.
"Anybody who controls sensitive data should be thinking about it," said Jeremy Henley, insurance solutions manager for ID Experts, a "data breach care" company. "They are the ones that are most vulnerable, and they usually come from regulated industries like health care, financial services or online retail."
Here are some things companies should consider when evaluating how much coverage to get:
- The cost of a legal retainer and forensics experts to figure out what happened and what, exactly, has been lost
- Potential exposure from identity theft or from pilfered credit card or bank account information
- Expenses related to a marketing or public relations campaign to help disclose the damage, and mitigate the potential brand damage
- The costs of fixing the damaged networks and computers, and restoring them
- The extent to which customers or business partners rely on this information
Ken Goldstein, vice president of Chubb Group of Insurance Companies, responsible for its cybersecurity line, said any company that collects, stores or transmits information of its own or on behalf of business partners should check into cyberinsurance coverage.
Sometimes, smaller companies overlook their potential vulnerability: when doing a risk assessment, executives should also consider data that they don't necessarily own but that could be stored on their corporate networks or computers.
"You really need to concentrate on getting a full appreciation of the proprietary and private information that you have at your disposal," he said.
Aug 20, 2012
Well there are still controversial issues on the matter that cyberinsurance covers or not the losses of stolen intellectual properties, I enjoyed reading it. http://www.ppiclaimuk.org.uk/ppi-compensation
I found this blog worthy but can you tell me how much cyberinsurance is needed and who really should have it, I am not getting it properly. http://www.absolutesurety.com/states/alabama-surety-bonds/
Great blog post! I don't understand how long it will require me to obtain through all of them! http://www.wisconsinhouseinsurance.com
Heather, cyber insurance makes sense but certainly isn't a replacement or excuse for cutting corners on data security. I suspect that the insurance companies who offer these policies perform stringent due diligence to make sure a company has appropriate security mechanisms in place. Likewise, a more secure IT environment is likely to result in a lower premium. Making data unreadable if it is stolen, by using encryption, is another form of insurance protection. @Socialtis @Vormetric
Cyber insurance is an odd product. It is not that expensive for what you get, but all insurance companies that sell it have extensive screening processes to ensure a company's IT infrastructure is well protected before they will cover you. Such standards are good for the IT industry, but many IT experts are offended by being required to go through more such testing after they have been through ePCI, HIPAA, Sar-Ox and other industry or government mandated certification processes. While each process is great for its focused scope, cyber insurance screening can get into the nuts and bolts of a network in ways the others have not. Another set of eyes is always good when the insurance company has potentially huge payouts on the line.
You are very correct when you say "perform stringent due diligence" and "a more secure IT environment is likely to result in a lower premium." Chubb's review made ePCI compliance look like child's play. We were told they would not insure a weak network because companies could not afford the premiums. It is a much more comprehensive security standard you must meet.