Using Cyber Liability Insurance to Help Manage Data Breach Risks
By Doug Pollack - Article on July 08, 2011
With large-scale data breaches, high response costs, and multi-million dollar judgments in the news, companies are looking for ways to limit potential damage from privacy-related data breaches. Privacy-related breaches cost an average of $204 per customer record that is lost or stolen, according to the Ponemon Institute's First Annual Cost of Cyber Crime Study, published in July 2010. One emerging risk management strategy is cyber liability insurance, and insurers are rushing to fill the demand. The good news is that it's a buyer's market for cyber liability coverage. However, according to experts, there is a great deal of “naïve” coverage being offered (insurers that have never had a settlement involving data breach), and some of these offerings may not last beyond the first large settlement.
Given the state of the cyber liability market, how do you choose coverage with staying power and get a fair price? To find out, we interviewed Mark Greisiger, cyber security risk management expert and president of NetDiligence, about the state of coverage and what organizations seeking cyber liability coverage should expect. The bottom line: you can trade assurance of good risk management for good insurance coverage at a good price.
Greisiger says that awareness of the need is growing, but at his company's annual cyber security conference, “Inevitably, 50% of the people are new to the cyber liability space, and no more than 20% to 25% of companies have coverage in place, even though they need it. Often people buy the coverage after they've had an incident. But sophisticated companies are often requiring business partners to carry this insurance in order to work with them.”
Greisiger agrees that too much naïve capacity in cyber liability coverage makes it a bit easier to get a policy right now. However, he cautions, “Some insurers are free with their money until they sustain a loss. It's the Wild West in the market right now. Some underwriters have been doing this for a decade, and they choose their battles because they've experienced claims large and small. For many of the newer or smaller insurers, however, one loss on a data breach like Sony or TJX could wipe out profits for the year,” and possibly drive that insurer out of the cyber liability business in a hurry.
According to Greisiger, while some brokers may overlook their client's cyber security posture in their eagerness to sell policies, experienced insurers are becoming more rigorous in qualifying organizations to be insured. They are conducting or requiring a focused cyber risk assessment that looks at the people, processes, policies, and systems. For a comprehensive, dependable policy, organizations should look for:
Your organization can also take steps to make itself more insurable and to gain a good bargaining position in negotiating insurance costs:
Greisiger expects that the cyber liability market could shake out within a few years, as class action suits in large-scale incidents like the Sony breach affect multiple insurance companies. Capacity will harden in the face of large settlements and increased exposure from new regulations such as the Song-Beverly regulation in California and new data models such as cloud computing.
As the cyber liability market shrinks, and even now, organizations may have sticker shock over the costs of cyber liability coverage. Greisiger says costs can run about $10,000 per million dollars of coverage. But while some of today's insurers may be naïve, businesses should not be. Basic business insurance typically doesn't cover breach costs, and the stakes are high. Organizations need to bite the bullet, get their ducks in a row, and negotiate the best coverage and price that they can.
Experienced underwriters are trying to get at the security culture of your organization. “Does the C-level care? Do they fund their security programs and IT cyber-security initiatives? Do you have a breach response plan? Is 'daily vigilance' in place?” If you're ready with answers, you're ready to provide your organization an increasingly necessary form of breach protection at a fair price.
“Mass General takes $1 million hit for losing patient records.” February 25, 2011. http://www.infosecurity-us.com/view/16228/mass-general-takes-1-million-hit-for-losing-193-patient-record
“Sony To Lose Billions Of Dollars After Data Breach.” June 11, 2011. http://itsyourcreditreport.com/2011/06/11/sony-to-lose-billions-of-dollars-after-data-breach/
“Citigroup latest to report data breach.” June 10, 2011. http://abcnews.go.com/Technology/citigroup-latest-report-data-breach/story?id=13807277an
Simpson, Andrew. “Expert Assesses Cyberinsurance Market: Demand, Prevention, Recovery.” June 20, 2011. http://www.insurancejournal.com/news/national/2011/06/20/203166.htm
Westervelt, Robert. “TJX to pay $9.75 million for data breach investigations.” June 24, 2009. http://searchsecurity.techtarget.com/news/1360065/TJX-to-pay-975-million-for-data-breach-investigations