In its 10th annual Cost of Data Breach Study in 2015, the Ponemon Institute found that the average cost of a data breach was $3.8 million, up 23 percent since 2013. On average, each lost or stolen record costs around $154. Hacking isn’t new. For as long as the Internet has been a part of the personal and professional world, cybercriminals have found ways to infiltrate the system. Unfortunately, the Internet also makes it easier for hackers to exfiltrate data from those systems, disseminating information that shouldn’t be shared with the general populace. Cybersecurity has become one of the top concerns among business leaders and government agencies today. More and more insurance companies are now offering cyberinsurance as a result, a product that’s been in the market for at least 20 years but which now takes on new meaning in light of recent threats.
Cybersecurity – What are the Risks?
Between December 2012 and May 2014, some of the largest retailers and businesses in the world were hit by unparalleled data breaches and other cyber crimes. The Insurance Information Institute offered a detailed analysis of the state of cyber risk in 2014, outlining certain high-profile instances of cybercrime, including:
- The theft of 2 million passwords from Facebook, LinkedIn, Twitter, Yahoo, Google and ADP in December 2012
- A malware incident in Target’s register system that impacted up to 70 million customers, including credit and debit card information for 40 million accounts, between November and December 2013
- The data breach of JPMorgan Chase, which compromised the personal information of about 465,000 cardholders in December 2013
- A sweeping data breach at eBay in May 2014, which exposed personally identifiable information for all 223 million customers, including full names, addresses, phone numbers and more
Additionally, the Ponemon Institute conducted a benchmark study to analyze the financial impact of data breaches on 10 countries, including the United States. The U.S. ranked highest for total cost at an average of $5.9 million per company in 2014. This is higher than the cost of data breaches in 2011 and 2013, but it’s actually lower than the average cost of a data breach in 2010, which was $7.2 million. This may be attributable to increased awareness of cybersecurity risks and an upswing in the purchase of cyber insurance policies.
The three main causes of data breach on a global level are malicious attack, human error and system glitches, with malicious attack accounting for the largest share of cybersecurity issues at 42 percent. The U.S. sees the greatest financial impact due to data breaches, averaging about $246 per lost record, and suffers the most in terms of lost business – including reputation damage and abnormal customer turnover rates. Here are just a few of the many cyber risks lurking in today’s online world:
- Data breaches that lead to loss of customer information, including social security numbers, credit card numbers, birth dates and other sensitive data
- Theft and dissemination of key business information, such as trade secrets and client lists
- Significant damage to the business’s reputation and consequent customer loss
- Lawsuits for various damages
- Substantial financial costs, including credit monitoring services for customers affected by a data breach, replacement costs for a broken or damaged network, and business interruption following a network shutdown
- Malware and other malicious codes that weaken or permanently destroy a company’s network
In addition to the physical risks associated with cybercrime, such as intrusion into hard drives or damage done to tangible network computers, there’s also a growing concern regarding cloud computing. Virtual storage is an increasingly popular option as business files grow, but cloud computing opens up an entirely new set of cyber risks in an age where hackers can break down most barriers with enough consistent effort.
How Cyber-Insurance Addresses the Problem
With increased cyber security risks around the world, it’s imperative that businesses take proactive measures to safeguard their and their clients’ data. One way to do this is through the purchase of cyber insurance. Known as cyber liability insurance, network security policies, Internet liability coverage and other similar names, cyber insurance covers losses related to data breaches. It differs from traditional technology errors and omissions (E&O) insurance in that cyber coverage protects both first-party entities (businesses) and third-party victims (consumers) while tech E&O protects the providers of technology products, such as web designers and computer software manufacturers.
Cyber insurance has been available since the late 1990s. In its early days, this commercial product served the needs of limited corporations, those just starting out when the Internet was relatively new. Early forms of coverage were actually add-ons to existing E&O protection. Most companies have been slow to adopt cyber coverage because until very recently, it’s been largely untested in the market. With bigger virtual break-ins happening every month, the product itself has evolved along with the industries that it serves. From small businesses to large-scale retail chains, cyber insurance policies address the increased demand for better online protection from hackers, cybercriminals and political activists.
Cyber protection policies cover different areas of cybersecurity, and because there’s no standard underwriting procedure in place yet, insurers are left to customize specific plans for different companies. This can be a costly investment for businesses, but the out-of-pocket costs of a data breach are substantially higher. Plus, customized plans enable a business to purchase exactly what it needs, assuming that the organization can assess its own risks. According to The National Association of Insurance Commissioners, coverage varies widely in the cyber insurance industry, but businesses may find policies that cover one or several of the following:
- Initial costs related to forensic investigations following a data breach
- Data breach-related costs, such as costs needed to notify consumers, provide support for those affected and pay for credit monitoring
- Liability coverage due to negligence, as in the case of a company unintentionally or intentionally allowing unauthorized users to access their computers
- Liability coverage for issues such as copyright infringement, libel, slander and product disparagement if a business’s website, print media publication or social media account is involved
- Expenses for issues of cyber extortion or cyber terrorism
- Recuperation for business interruption and related expenses, including the cost to restore, upgrade or replace business assets that were stored electronically
In essence, there are four primary elements of cyber-insurance: coverage for data breaches and privacy crisis management, multimedia and media liability protection, extortion liability coverage, and coverage for network security liability. As with any type of insurance, however, there are exclusions in cyber policies. Finding a comprehensive plan may not be feasible in the burgeoning cyber liability insurance market, but companies are constantly reassessing their offerings to meet increased global demand. Exclusions typically include:
- Acts of terrorism or war
- Coverage for devices that aren’t encrypted
- Security shortcomings, such as not keeping devices up to date or failure to install appropriate levels of antivirus protection on company computers
- Protection for loss that occurs outside of the U.S.
- Third-party acts and omissions, such as data breaches that happen with a company’s cloud computing vendor
The NAIC is actively working with private industries, insurers and the federal government to standardize cyber-insurance in an effort to make it a more attractive and viable option for companies today. They’ve put together a “Roadmap for Cybersecurity Consumer Protections” outlining key rights of individual insurance consumers. They include the right to know how a company intends to use sensitive information, such as social security numbers and contact information; the expectation that insurance agencies will make privacy policies available online and in hard copy form by request; the right to a notice should a data breach occur, including steps that consumers should take; and various rights related to credit monitoring following a data breach incident.
In the aftermath of a cybersecurity breach or threat, confusion reigns for both businesses and consumers. Cyber insurance policies help to mitigate some of the financial costs, but they also ensure that there’s a set procedure in place to guide first and third-party beneficiaries through an ordeal of this magnitude.
Cyber Insurance’s Size, Scope and Future
As it stands today, the cyber insurance industry is relatively small compared with other types of business coverage. Many companies have yet to agree that the cost of purchasing cyber protection would offset losses due to data breaches and other cybersecurity threats. Small and midsize businesses, those that would benefit the most from cyber coverage, are less likely to purchase this type of protection because their budgets are smaller – and they don’t understand the risks involved. Despite the availability of cyberinsurance over the past 20 years, companies have been slow to adopt it as standard practice.
But that attitude is changing in the wake of high-profile cases, like those of Target, eBay and Sony Pictures. Hackers are targeting bigger brands and larger corporations, and they’re successful. In its paper on the growing threat of cyber risk, the Insurance Information Institute noted that cyber risk ranked 8th in a list of the top 10 business risks according to the annual Allianz Risk Barometer Survey in 2014. In 2013, cyber risk ranked 15th, indicating a growing concern for cybersecurity among business leaders. A separate report in May 2014 by PwC also found that cyber crime ranked as a global high-level threat. And it’s not just businesses that need protection. Governments around the world continue to face increased threats by hackers, who attack for monetary, personal and political reasons.
As more companies get hacked and more businesses have to shell out the funds to recover from substantial losses, cyberinsurance will see a surge in popularity. In 2014, U.S. insurers underwrote $2.5 billion worth of cyber policies. By 2020, cyberinsurance premiums are projected to increase to $7.5 billion annually, a three-fold boost in just six years. In a separate report, German insurance company Allianz estimated that cyberinsurance could grow to about $20 million by 2025. More businesses are taking note of the threats posed by cybersecurity issues, and they’re signing up for cyber liability insurance before it’s too late.
Still, there’s a lot of ambiguity when it comes to writing policies, especially when it comes to risk assessment. Businesses aren’t sure how to gauge their threat levels, and insurers don’t have a standard model by which to estimate risk. In the past, insurers have been just as hesitant to offer cyberinsurance as businesses have been to adopt it, largely due to the uncertainty that comes from underwriting an unspecific area of disaster.
Cyber risk is also difficult to calculate as each instance of theft or breach has different consequences depending on business size and scope. Unlike other forms of insurance, cyber insurance has relatively little precedent and no standard cost. The landscape is changing, however, as bigger data breaches affect larger companies and cyber risks escalate around the globe.
Insurers could face another sort of problem over the next five years. Non-insurance competitors, like Google and Yahoo, may roll out their own cyber insurance initiatives to compete with an unknown market. Today’s young professionals, those in their upper twenties to mid-thirties, implicitly trust entities like Google over traditional insurance companies, which could make it harder for, say, AIG to sell cyber products. Plus, technology companies may be better suited to offer these products because they can more accurately assess risk.
With the high cost of cyber insurance and its unknown intrinsic value, at least according to many businesses, there’s still substantial room for improvement in this ever-growing industry. Cost may be one of the biggest arguments against cyber protection, but there are ways that companies can reduce their premiums and mitigate the cost of coverage. These include:
- Installing high-level security software packages on all company technology, including in-office computers and mobile devices
- Regularly updating computer systems and replacing outdated or malfunctioning equipment with safer upgrades
- Running routine scans to prevent, catch and destroy incoming threats as they happen
- Complying with all local, state and federal regulatory procedures regarding cybersecurity
These suggestions will not only lower the cost of monthly premiums, but they’ll also reduce the risk of cybercrime in general. Just as individual consumers get discounts for safe driving practices, commercial clients will be rewarded for consistent effort in reducing the extent of cyber-security risks.