NU Online News Service, Oct. 12, 12:02 p.m. EDT
SAN DIEGO—Hackers, known for going after large organizations to steal data, now have an eye toward easy pickings in smaller companies, according to Markel’s IT and data-privacy underwriting expert.
Jake Kouns, Markel’s senior director of technology, left his job in IT to join Markel six years ago and is determined to rid businesses of the “it-can’t-happen-to-me” attitude toward insurance for data breaches.
“The risk is real, and it doesn’t matter what the size of your organization is,” he says from the National Association of Professional Surplus Lines Offices (NAPSLO) convention here.
Although the thefts of records at large corporations such as Sony have garnered headlines, hackers are finding easy pickings, going after small-to-midsize businesses, which Kouns says he wants to educate and insure.
“They [hackers] are finding it easier to steal in small increments,” he explains. “Think about it—people start really looking for you when you take millions of records.”
Kouns points out that news accounts of Sony’s data breach appear to imply there was one breach, but the corporation was actually hacked 21 times.
The tragedy, he says, is that small-to-midsize businesses cannot typically recover from a data breach. Regulations and laws regarding a business’ obligations after a breach are different in each state. There are additional federal regulations for the healthcare industry. Add attorneys’ fees and recovery costs, and the amount can be prohibitive.
On the side Kouns is one of the curators of DataLossDB.org, a research project aimed at documenting known and reported data-loss incidents worldwide.
Kouns’ perspective as an IT security professional appears to drive his desire to create “real insurance” for data-breach risk.
And he has a somewhat different, untraditional take on the insurance that is currently provided—which isn’t worth much, he contends.
“It’s the new, sexy insurance. There are 30 carriers now writing it,” Kouns says. Some carriers are providing what he terms “chop-shop” insurance—multiple exclusions included—and he doubts there is actually much coverage to these policies.
The result is a developing market that can be a “saving grace or a moral hazard,” he observes.
“Right now you can get a policy with a $1 million limit for $1,500 in premium,” Kouns says. “That is worrisome. It’s too cheap. Companies will buy the coverage and think they don’t need to do anything to secure their systems.”
Kouns says work needs to be done with companies before Markel will underwrite the risk. The company also provides consulting and risk-management services.
“We want to improve security across the board because many of these businesses do not have a clue about this risk or what to do about it,” Kouns says.
Other companies are identifying this growing specialty-insurance market trend. Hartford has expanded its cyber-risk coverage to include data-breach coverage designed for small businesses.