With large-scale data breaches, high response costs, and multi-million dollar judgments[1] in the news, companies are looking for ways to limit potential damage from privacy-related data breaches. Privacy-related breaches cost an average of $204 per customer record that is lost or stolen, according to the Ponemon Institute's First Annual Cost of Cyber Crime Study, published in July 2010. One emerging risk management strategy is cyber liability insurance, and insurers are rushing to fill the demand. The good news is that it's a buyer's market for cyber liability coverage. However, according to experts[2], there is a great deal of “naïve” coverage being offered (insurers that have never had a settlement involving data breach), and some of these offerings may not last beyond the first large settlement.

Given the state of the cyber liability market, how do you choose coverage with staying power and get a fair price? To find out, we interviewed Mark Greisiger, cyber security risk management expert and president of NetDiligence, about the state of coverage and what organizations seeking cyber liability coverage should expect. The bottom line: you can trade assurance of good risk management for good insurance coverage at a good price.

Greisiger says that awareness of the need is growing, but at his company's annual cyber security conference, “Inevitably, 50% of the people are new to the cyber liability space, and no more than 20% to 25% of companies have coverage in place, even though they need it. Often people buy the coverage after they've had an incident. But sophisticated companies are often requiring business partners to carry this insurance in order to work with them.”

Greisiger agrees that too much naïve capacity in cyber liability coverage makes it a bit easier to get a policy right now. However, he cautions, “Some insurers are free with their money until they sustain a loss. It's the Wild West in the market right now. Some underwriters have been doing this for a decade, and they choose their battles because they've experienced claims large and small. For many of the newer or smaller insurers, however, one loss on a data breach like Sony or TJX[3] could wipe out profits for the year,” and possibly drive that insurer out of the cyber liability business in a hurry.

According to Greisiger, while some brokers may overlook their clients' cyber security posture in their eagerness to sell policies, experienced insurers are becoming more rigorous in qualifying organizations to be insured. They are conducting or requiring a focused cyber risk assessment that looks at the people, processes, policies, and systems. For a comprehensive, dependable policy, organizations should look for:

  • An underwriter who cares enough to ask the tough risk management questions. It shows that they've handled some claims, and what happens to your organization will not scare them off. It also means that they won't decline coverage later, claiming that you misrepresented the risk.
  • Insurers who understand that it's not just about electronic data. Risk assessments and coverage should include paper records.
  • Insurers who ask about and cover privacy-related breaches by third-party service providers, oftentimes the most common source of data breach.
  • Insurers that understand not all data breaches are the same and don't require you to handle them in a “cookie cutter” fashion by a firm of their choosing.
  • Insurers willing to cover crisis stage costs incurred while determining whether there are privacy breach-related damages (lawyers, forensics, breach notification). Some will cover these costs as part of the full limit or as part of the sub-limit. An incident may not become a claim, but coverage for discovery costs is valuable.

Your organization can also take steps to make itself more insurable and to gain a good bargaining position in negotiating insurance costs:

  • Get a third-party cyber-risk assessment by an objective expert before seeking coverage. All credible underwriters will ask for this.
  • Know the stats. Underwriters will ask if you hold private data (SSN, health records, credit cards), and many will want to know the number of unique records. That's good to know anyway. If you use the Ponemon price tag of approximately $200 per record, then you know the likely exposure in case of data breach, and the amount of coverage you need.
  • Have the data ready. Cyber liability applications can be lengthy and granular. Doing a cyber risk assessment beforehand will prepare you to answer questions about people, processes, policies, and technologies, and to show how you are complying with state and federal requirements.
  • Think about national exposure, because experienced underwriters will be thinking about it. Very few companies are truly limited to one state, and it's not unusual to fall under jurisdiction of international privacy laws.

Greisiger expects that the cyber liability market could shake out within a few years, as class action suits in large-scale incidents like the Sony breach affect multiple insurance companies. Capacity will harden in the face of large settlements and increased exposure from new regulations such as the Song-Beverly regulation in California and new data models such as cloud computing.

As the cyber liability market shrinks, and even now, organizations may have sticker shock over the costs of cyber liability coverage. Greisiger says costs can run about $10,000 per million dollars of coverage. But while some of today's insurers may be naïve, businesses should not be. Basic business insurance typically doesn't cover breach costs, and the stakes are high. Organizations need to bite the bullet, get their ducks in a row, and negotiate the best coverage and price that they can.

Experienced underwriters are trying to get at the security culture of your organization. “Does the C-level care? Do they fund their security programs and IT cyber-security initiatives? Do you have a breach response plan? Is 'daily vigilance' in place?” If you're ready with answers, you're ready to provide your organization an increasingly necessary form of breach protection at a fair price.

[1] “Mass General takes $1 million hit for losing patient records” February 25, 2011. http://www.infosecurity-us.com/view/16228/mass-general-takes-1-million-hit-for-losing-193-patient-record

“Sony To Lose Billions Of Dollars After Data Breach.” June 11, 2011. http://itsyourcreditreport.com/2011/06/11/sony-to-lose-billions-of-dollars-after-data-breach/

“Citigroup latest to report data breach.” June 10, 2011. http://abcnews.go.com/Technology/citigroup-latest-report-data-breach/story?id=13807277an

[2] Simpson, Andrew. “Expert Assesses Cyberinsurance Market: Demand, Prevention, Recovery.” June 20, 2011. http://www.insurancejournal.com/news/national/2011/06/20/203166.htm

[3] Westervelt, Robert. “TJX to pay $9.75 million for data breach investigations.” June 24, 2009. http://searchsecurity.techtarget.com/news/1360065/TJX-to-pay-975-million-for-data-breach-investigations