There’s a good reason why 2011 is known among security professionals as the Year of the Data Breach.
The antics began in April, with a bold, high-profile data raid on Sony’s PlayStation Network database—and ended with hackers scamming credit-card details, passwords and home addresses from the systems of intelligence-analysis firm Stratfor in December.
In between were breaches at the IMF, Citigroup, Lockheed Martin and several others. Health-care data breaches alone were up 32 percent over 2010, says the Ponemon Institute. The diversity in the types of businesses targeted in the past year by online criminals shows that not a single sector of business is truly safe.
“Most companies are coming in contact with or storing private information, whether it’s credit-card information, employee information or HIPAA (Health Insurance Portability and Accountability Act) data, so they’re at risk,” says Thomas Herendeen, vice president of underwriting for Philadelphia Insurance.
Adds Steven Haase, president of INSUREtrust, a national insurance wholesaler that focuses on emerging risks: “If you saw the terabytes of data that hackers have already accessed, [you’d realize] they have all the passwords and IDs they need for the next 10 years—they just can’t get to [using] them all today.”
PRICEY EXPOSURES SPUR POLICIES
Disclosure of private information exposes companies to liability for damages, breach-notification costs and remediation. Businesses must navigate breach-disclosure laws in 46 states, and companies dealing with health-care records contend with HIPAA and its HITECH (Health Information Technology for Economic and Clinical Health) modification of 2009, which specifically addresses extra secrecy protections for a person’s medical data.
“You might be a relatively small company, but the liability you might have through a breach could be significant,” says Herendeen.
How much liability? A study of paid cyber-insurance claims, compiled in 2011 by NetDiligence, reported an average incident cost of $2.4 million.
However, the most recent annual study of data loss by the Ponemon Institute—which took into account detection, notification, post-response and lost-business costs—puts the average full cost of a data breach at a whopping $7.2 million.
RISING AWARENESS AMONG RISK MANAGERS
Eighty-six percent of risk managers say that cyber-security risks pose at least a moderate danger to their organization, according to a 2011 survey sponsored by Zurich.
Companies have also become more cognizant of third-party liability arising from breaches at outsourcers and service providers, particularly as the growing acceptance of cloud computing has moved more data beyond the walls of corporate centers.
Ponemon reports that third-party mistakes now account for nearly half (46 percent) of data breaches, and data-services providers observe that their customers aren’t just requesting SAS 70 or SSAE 16 audits (both of which offer assessments of a company’s ability to protect sensitive data); they’re taking the time to personally vet their vendor’s security practices.
“Clients have become much more aware of their liabilities associated with losing data,” says Frank Mobley, CEO of data-center-services-provider Immedion. “They are asking us where our responsibilities end and theirs start for protecting data.”
As awareness of risk has increased, so has interest in Cyber Liability insurance—the catch-all term for policies that deal with first- and third-party risks arising from information assets and can include coverage associated with both electronic and physical records.
“We brand our product as ‘privacy protection,’” explains Jim Whetstone, senior vice president and U.S. technology and privacy manager at specialty-insurer Hiscox. “We make the point that [coverage] is not just about the Internet and not just about electronic data. It is for anyone dealing with sensitive records.”
Haase says that INSUREtrust’s Cyber Liability business increased by more than 20 percent in 2011 alone, and he expects similar or better results in 2012. Philadelphia has grown its business by double digits in each of the past three years and predicts a 30 percent increase in 2012, mainly due to first-time buyers.
Even so, only 35 percent of risk managers in Zurich’s survey reported that their companies carried Cyber Liability coverage—a number that Philadelphia’s Herendeen believes is actually high. “The industry estimate is that less than 5 percent of accounts with cyber exposure are actually purchasing the coverage now,” he says.
As a result, Herendeen adds with some understatement, “There is a pretty large growth potential.”
CARRIER COMPETITION HEATS UP
Given the perception that a huge amount of potential cyber business is there for the taking, it should come as no surprise that carriers are rushing to provide coverage.
“Three years ago, there were probably five or 10 main carriers for this business. The latest estimate of the current capacity is there are 30-plus carriers,” says Herendeen.
“The cyber market is irresistible to insurers,” Haase adds. “It’s almost like crack cocaine.”
Increased capacity is being seen in higher primary limits as well as the expanded ability to layer coverage.
“The largest players are putting up [as much as] $25 million. More underwriters are willing to put up $15-$20 million on primary, and we can build layers up to $300 million,” reports Willis Group Executive Vice President Peter Foster.
“It’s a buyer’s market,” adds Haase. “There are carriers fighting over these risks. There are always three to five carriers interested in a particular account.”
Most Cyber Liability policies include coverage for breach-notice costs, business interruption and data restoration.
But as with any specialty coverage, especially newer ones, there is a disparity among carriers in terms of included coverage and available endorsements for events such as cyber extortion; breach of commercial information and nondisclosure agreements; intentional acts; and domain-name infringement, to name just a few.
“The Cyber Liability insurance market is the ‘Wild West’ of insurance,” observes Scott N. Godes, counsel at Dickstein Shapiro LLP. “It’s worthwhile going through a policy with a fine-toothed comb with someone who truly understands Cyber Liability.”
As the risks become better understood, the market is trending toward broadening of coverage—which is good news for buyers. Yet even with broader forms and aggressive pricing, underwriters of Cyber Liability are still finding such business profitable.
For instance, Haase reports that INSUREtrust has generated just $30 million in losses on more than $100 million in premium since the company has been in the cyber business.
But underwriters don’t expect these good times to last forever.
“We’ve seen an increase in the number of paid claims, particularly with the HITECH modification to HIPAA,” says Whetstone. “The industry will eventually need to re-evaluate the coverage, particularly as carriers just coming into the market experience some lessons learned.”