Barely a week goes by when we don’t collectively cringe reading about an information security breach at some high-profile business or government agency, often something related to the pilfering of millions of personal records that are then used later for some identity theft scheme.
This month it is the U.S. Environmental Protection Agency’s turn to be redfaced over a basic lack of cybersecurity, one that exposed social security numbers and banking information.
One U.S. government official estimated in a speech this summer that cyber attacks on U.S. computer networks rose by 17-fold from 2009 through 2011, resulting in approximately $1 trillion of U.S. intellectual property.
All those incidents of tax refund fraud you’re reading about this year, in which criminals use stolen social security numbers to file fake claims? After cursing the criminals that are giving average citizens a really hard time, you can blame all the businesses that have failed to put proper technology security measures in place.
But despite the rising awareness about just how vulnerable they are, very few businesses have invested in so-called cyberinsurance that could help with the clean up and with some of the intellectual property losses.
The Cyberinsurance Concept
Let’s be clear: cyberinsurance isn’t meant to prevent the break-ins in the first place. That’s a job for IT security teams, which are supposed to be putting proper technology measures and behavioral policies in place.
What is covered under cyberinsurance policies differs depending on the carrier but it often extends to the cost of forensics that help finger the cause of a breach (and what was lost), the costs related to disclosing what happened (46 states have disclosure laws, usually the threshold is $1 million in annual revenue), expenses that might arise out of related lawsuits, and some of the services needed to repair and remediate the affected computers.
Whether or not the cyberinsurance covers potential losses associated with stolen intellectual property is a matter for debate. The stock answer is, it depends.
Among the high-profile companies that offer cyberinsurance are ACE USA, Chubb, The Hartford and St. Paul Travelers Co. But for most insurance companies it is still a niche line.
Advisen, one firm that follows this area closely, estimates there is only about $600 million in written premiums for cyberinsurance although other figures suggest the number is closer to $750 million. Companies in the United States and the United Kingdom tend to be most vigilant.
Other specialty insurance, such as policies covering corporate directors or officers, represents at least 10 times that amount, said David Bradford, president of research and editorial for Advisen.
Broadly speaking, Advisen estimates the potential market for cyberinsurance at about $4 billion, when you consider all the companies with more than $1 million revenue in certain industries that should have coverage.
“The thing that is really driving the uptick in the number of companies is the reporting requirements,” Bradford said. “This can be a really onerous and difficult process.”
How Much Coverage?
Who really needs cyberinsurance? And, beyond that, how much coverage is necessary?
Cyberinsurance experts point to breach breach cost estimates gathered by the Ponemon Institute. in 2011, for example, the median damages related to cyber crime were about $5.9 million. The costs vary dramatically depending on the number of records involved, though, so they could be much lower or higher than that number. Generally speaking, many people use a figure of approximately $200 per record to figure the cost of coverage.
That can add up really fast.
“Anybody who controls sensitive data should be thinking about it,” said Jeremy Henley, insurance solutions manager for ID Experts, a “data breach care” company. “They are the one that are most vulnerable, and they usually come from regulated industries like health care, financial services or online retail.”
Here are some things companies should consider when evaluating how much coverage to get:
- The cost of a legal retainer and forensics experts to figure out what happened and what, exactly, has been lost
- Potential exposure from identity theft or pilfered credit cards or bank account information or whatever
- Expenses related to a marketing or public relations campaign to help disclose the damage, and mitigate the potential brand damage
- The costs of fixing the damaged networks and computers, and restoring them
- The extent to which customers or business partners rely on this information
Ken Goldstein, vice president of Chubb Group of Insurance Companies, responsible for its cybersecurity line, said any company that collects, stores or transmits information of its own or on behalf of business partners should check into cyberinsurance coverage.
Sometimes, smaller companies overlook their potential vulnerability: when doing a risk assessment, executives should also consider data that they don’t necessarily own but that could be stored on their corporate networks or computers.
“You really need to concentrate on getting a full appreciation of the proprietary and private information that you have at your disposal,” he said.