Editor's Note: This piece was created for ISMG's Security Agenda magazine, distributed at RSA Conference 2013.
Despite headline-grabbing data breaches that have proven costly to organizations in many sectors, the purchase of cyber-insurance to cover potential costs remains relatively rare.
Cyber-insurance policies vary widely, but they often cover notification expenses, credit-monitoring services, and, in many cases, legal defense costs and even government penalties.
"Cyber-insurance is viewed as much more of a discretionary purchase, and risk managers really have to be educated on the need to purchase the coverage and what the coverage actually provides," says David Bradford, who published a 2012 survey that addresses cyber-insurance for RIMS, the risk information management society (see Coming of Age of Cyber Insurance).
"So far, that's been a little bit of a difficult sell for brokers," Bradford says. "Partially it's because it's a new product with brokers as well. A lot of them just don't really understand the products that well themselves. They don't do an effective job of indicating the need to the buyers."
A 2012 survey of more than 100 global Forbes 2000 corporations by Carnegie Mellon CyLab shows that many board members and executives incorrectly believe that other types of corporate liability insurance cover losses due to data breaches, says lab official Jody Westby.
"That's pretty stunning because most corporations, especially large global corporations, should understand that cyber-risks generally are not within property and general corporate liability policies," Westby says.
It's not just executives and board members who have yet to see a need for cyber-insurance. Corporate risk managers in many organizations, as well as a large number of the insurance brokers that corporations rely on to tailor coverage to meet specific exposures, don't fully appreciate what cyber-insurance offers.
Bradford estimates that 40 insurers offer cyberliability coverage. By comparison, about 5,000 companies provide property and casualty insurance in the United States.
Because the cyber-insurance industry continues to mature, its offerings aren't as consistent from provider to provider as they are with other types of insurance. "There are so many material differences between the coverages available that there is no real one-size-fits-all approach," says Richard Bortnick, an attorney at the law firm Cozen O'Connor.
What's covered by most cyberpolicies? Generally, they fall into two areas: first-party coverage, which covers direct expenses, and third-party coverage, which covers payments made to others.
Examples of first-party coverage include notification expenses to alert stakeholders of a breach and provide them, when necessary, with credit-monitoring services, which insurer Chubb estimates could cost up to $30 a customer. Other first-party expenses include repairing reputation harmed by a breach, including public relations costs; restoring systems and data; repaying funds stolen through fraud or extortion; and covering revenue losses associated with computer system disruptions.
Third-party coverage encompasses court-imposed damages, regulatory penalties and defense costs associated with lawsuits alleging the disclosure of customers' personally identifiable information or harm to business partners' systems.
An organization's decision on what type of policy to buy and what it should cover depends, in part, on the type of information that could be exposed.
"To the extent that an entity has a large number of personally identifiable information records, then there's a much bigger chance of exposure," says Kevin Kalinich, global network and cyber-risk practice leader for Aon Risk Solutions, an insurance brokerage. In general, businesses with such exposures include retailers, hospitality providers, healthcare providers, health insurers, financial institutions, payment processors and educational institutions, including colleges and universities.
Assessing Existing Coverage
Temple University sought cyber-insurance after other schools suffered breaches and its director of risk management and insurance, Lisa Zimmaro, realized that its general liability policies didn't protect it from losses related to its computers and information systems.
"There are a lot of exclusions in general-liability policies that made us think that had we had a breach, our general liability carrier would deny coverage," Zimmaro says.
Temple's cyber-insurance protects the school from breaches caused by outsiders as well as those involving insiders, whether or not they intended to cause the university harm. The insurance covers Temple for the consequences of a breach, such as credit-monitoring services for those whose personally identifiable information is exposed, as well as legal costs to defend the school against liabilities resulting from, for example, exposure of sensitive data.
But businesses that don't retain a lot of personally identifiable or sensitive information on their computers would likely choose far more limited cyber-insurance coverage, if any at all.
Ace Hardware, a cooperative of 4,500 stores owned by individual retailers, bought a limited policy because the parent organization stopped processing credit card information several years ago, says William Montanez, director of risk management. Its cyber-insurance is limited to coverage of legacy exposures.
The Cost of Breaches
Still, for many organizations, data breaches and exposures can prove costly.
A hack of South Carolina's tax system in 2012 is expected to cost the state at least $20 million, mostly for the costs to notify 4 million taxpayers whose personally identifiable information was exposed and to provide them with free credit-monitoring services. The federal and state governments generally self-insure, but smaller local governments often rely on insurance (see $20 Million Loan to Cover Breach Costs).
Although most data breaches aren't as costly as the one South Carolina experienced, they can make a dent in an enterprise's coffers. The average breach costs an organization $5.5 million, according to the 2011 Cost of Data Breach Study conducted by the Ponemon Institute. The typical breach exposes more than 28,000 records at a cost of $194 a record that includes notification, call center, forensics and other direct expenses (see The Cost of a Data Breach).
Those types of losses may eventually prompt more organizations to seek cyber-insurance. But John Wheeler, a research director at IT consultancy Gartner, cautions that cyber-insurance isn't a stopgap measure to compensate for weaknesses in an IT security program.