Corporate skepticism calls for effective communication of cyber insurance’s value

By Erin Ayers on April 10, 2015

As security breaches increase in scale, scope, and frequency, organizations of all types must determine the best way to guard against them. By now, investing in cyber insurance might seem to be a no-brainer, but while interest has risen, skepticism still remains, bolstered by media reports suggesting that the consequences for businesses affected by data breaches are minimal. It falls to the professionals working in the cyber field to effectively communicate the value of cyber insurance to an oft-disbelieving business world.

“It’s sleep insurance. It helps you sleep at night. Because everyone’s a target,” Richard Bortnick, attorney with Traub Lieberman Straus & Shrewsberry LLP, told Advisen, comparing cyber coverage to homeowners insurance. “Insurance is there to mitigate the risk. People aren’t willing to gamble with their homes, but they’d be willing to gamble with their livelihoods.”

A host of recent news reports delve into the true cost of data breaches, with some suggesting that the losses incurred by major retailers represent a pittance of companies’ annual earnings and that the Target Corp. consumer class action settlement for $10 million illustrated the dismissible nature of such events. As any insurance professional or attorney will tell you, the true costs of security breaches make the case for cyber insurance, but more work clearly remains.

“The quantification of cyber risk has always been and still is a challenging area,” said Ben Beeson, broker at Lockton. For many organizations, “they increasingly see the risk as something they can’t prevent,” he added. The broker’s job has become to explain more fully the cyber risk accepted by any organization that collects personally identifiable information (PII) or personal health information (PHI).

“The losses from a data breach aren’t just about class actions,” said Beeson. “That isn’t the whole picture — that is part of the picture. If a broker doesn’t explain that, then yes, you can see why they might not understand the whole picture.”

Key to explaining is an understanding, on the industry side, of where potential policyholders may be struggling.

“Even as to coverages that have been around for years, such as coverage for class action-related liability arising from data breaches like Target, relatively few understand the substantial differences between and among the different insurance forms offered in the market and whether the coverage adequately addresses, for example, regulatory action and PCI-DSS-related exposures, in addition to notification, forensics, credit monitoring, call centers, and the like,” said Roberta D. Anderson, partner at K&L Gates. “Beyond data breach, there are newer, potentially extremely valuable coverages available to address the various operational risks faced by manufacturing and other critical infrastructure organizations. Newer coverages also are available to provide solid business and ‘contingent’ business interruption coverages, including for non-malicious data-related incidents, and coverage for losses caused by reputational harm in the event of a reported incident. The communication issue is exacerbated with respect to these newer coverages. Likewise, organizations may not be sufficiently educated about the pre- and post-loss risk management services that the coverages typically afford.”

At the outset, such loss mitigation services make the cover worth the cost, according to Christine Marciano of Cyber Data Risk Managers, a specialist agency in New Jersey.

“Most companies don’t have a big budget available to pay for the incident response costs when they start coming in,” she said. “It’s a complement to your security because security is never 100 percent. If you don’t have it, you’re scrambling around, pressing the panic button.”

And brokers benefit when insurers build additional solutions like risk monitoring into cyber policies.

“More value-added benefits can help brokers sell the intangible benefits,” Marciano said. She expressed hope that the National Institute of Standards and Technology (NIST) cybersecurity framework would see wider adoption by organizations, offering both better understanding for businesses and a more streamlined underwriting and pricing process for the insurance industry.

Small to medium-sized enterprises may need to hear the message more than larger ones, say observers, as cybercriminals tend to go for the “lowest hanging fruit” and thousands of data breaches don’t make the headlines as Target and Home Depot have.

“I’ve had dozens of clients that didn’t think it would happen to them until it did,” said Bortnick. “And now they’re paying dramatically more than they would have if they’d had insurance. They’re penny-wise and pound-foolish.”

Once a breach occurs – and it may be discovered only after many months of intrusions – organizations find themselves faced with “dramatically higher” costs that likely would have been covered by insurance and also with remediation efforts that would have been far simpler to plan well in advance.

“Regulators and clients have them in their cross-hairs,” said Bortnick. “They have to be overly cautious from that point on.”

Cyber insurance can offer reassurance in this area, he suggested, noting, “It shows the regulators the companies are sensitive to data security, provides the regulators with some degree of comfort.”

The cyber insurance process, as part of a healthy enterprise risk management structure, can also prompt a closer look at the data an organization maintains and the chance that the data could be lost or stolen.

“Don’t just consider insurance to transfer the risk, consider it to improve your security,” said Beeson. “It can help you manage the risk throughout the enterprise. The value of insurance in many ways is changing into not just risk transfer, but something that can actually improve your security posture.”

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at erin.ayers@zywave.com.