Beating a Breach
A data breach can be costly in many ways; in addition to losing important documents and information and damaging hardware and software, it can seriously damage a company’s reputation and put its customers and/or employees at risk. In today’s volatile cyber environment, cyber insurance can be a smart precaution for a business of any size.
“Really anyone who owns a computer and conducts business on it — from a lawyer to a manufacturing company — should take a look at its insurance,” said Jeff Howard, vice president of Gillis, Ellis & Baker Insurance. “It’s not just the attack itself, it’s the ransomware, where someone is holding your data hostage through encryption and demanding money to release it to you. You literally have to think about every email you send today.”
The cost of cyber insurance is relative to the coverage provided.
“A business could spend around $2,000 to $100,000 a year based on the size and complexity of the business,” Howard said, adding that the cost could be just a drop in the bucket compared to a loss. “A recent study found that it costs business owners about $200 per record breached — that can really add up if you consider how many records/contacts are in your database.”
Howard cautions businesses not to just add cyber insurance to their existing liability insurance, but instead to look at purchasing it as a stand-alone policy in order to assure the best, most comprehensive coverage.
“We have been offering cyber insurance for five years now, it has taken a little while for it to take off,” he said. “Now, we are getting more clients asking for it and we are cautioning current clients and prospects to look again at their coverage to make sure cyber aspects are covered. In three to five years I expect it to be as important as property insurance.”
IBM Security and the Ponemon Institute recently announced the results of their 2017 Cost of Data Breach Study, which found that the average total cost experienced by organizations over the past year increased from $7.01 million to $7.35 million. To date, 572 U.S. organizations have participated in the benchmarking process since the inception of this research.
The number of breached records per incident this year ranged from 5,563 to 99,500. The average number of breached records was 28,512.
As technology continues to evolve, becoming more complex and sophisticated, so do the threats that businesses face. As a result, every business and organization needs to be armed and ready with some form of cyber liability insurance.
In the past couple of years, data breaches have resulted in major fines and legal fees — not to mention heartaches and headaches — for a discount retail chain, one of the nation’s largest banks, a well-known health insurer, an entertainment network and the federal government.
But it’s not just large organizations that are susceptible to being hacked or getting a virus. According to Insurance Journal Magazine, about 55 percent of all small businesses have experienced a data breach and 53 percent have had multiple breaches.
“Cyber insurance is a specialized insurance product designed to financially shield businesses and individuals from many of the risks posed by our ever-changing digital society,” said Jason Lewis, vice president of Noah W. Lewis and Associates, a New Orleans-based insurance services company.
Most notably, but not exclusively, cyber and privacy policies cover a business’s liability for a data breach in which the firm’s customers’ personal information, such as Social Security or credit card numbers, is exposed or stolen by someone who has gained access to the firm’s electronic network.
The policies cover a variety of expenses associated with data breaches, including: notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and loss resulting from identity theft. In addition, cyber and privacy policies cover liability arising from website media content, as well as property exposures from: business interruption, data loss/destruction, computer fraud, funds transfer loss and cyber extortion.
But isn’t this kind of insurance just for companies that handle a lot of personal information and financials? Not according to Harry Kelleher, president of Harahan-based insurance agency Harry Kelleher and Company Inc.
“In the year 2017, most, if not all businesses should have a cyber policy,” advised Kelleher. “Just because a business does not fall under a high-risk area, does not mean they don’t have exposure to loss… Billions of records are stored on the systems of all types of businesses, many of which contain personal information including birth dates, Social Security numbers, bank account numbers, and other personal or identifying information. This information, if made known, could not only be embarrassing, but could be used by unscrupulous individuals to create false identities, steal funds, and even hold business data for ransom.”
It’s not just the big companies that are at risk, either. Kelleher added that according to Travelers Insurance Company, 31 percent of all breaches have occurred in organizations of 2,500 or fewer employees and 30 percent in organizations of fewer than 250 employees.
Ryan Daul, producer at Gretna-based Daul Insurance Agency, says that cyber insurance started becoming more mainstream in the mid-1990s.
“I think Y2K also brought attention to tech risks,” he said. “In the early 2000s, notification laws were enacted and network security policies were being purchased by larger entities to protect against computer viruses. Regulations continued to grow, including the HIPAA rule. Breaches are continuing to happen and I think people are finally starting to understand that everyone has the potential for a data breach and a need for privacy liability.”
Daul added that cyber insurance is not just reactive; unlike most insurance, it is also active.
“In the event of a suspected breach, upon notification the insurance carrier will send out a team of experts to identify if a breach occurred, to what extent it occurred, and then advise the insured on the notification requirements. The notification requirements are extremely complicated at this time. Without experts or legal advice, it would be difficult for people to know how to properly notify their customers of a breach.”
Underinsured and Undercovered
Among those that have insurance, only 16 percent said they have cybersecurity insurance that covers all risks.
“Like most insurance, cyber insurance is there to make you whole after the attack,” Daul said. “It does not protect against the attack, but it does provide the notification assistance, business interruption coverage and pays for claims that otherwise would be paid by the business owner. Some policies do provide risk management and assistance with hardening your system, but that’s really more value added. It’s offered by almost all of the major insurance providers. It’s still relatively new and all of the carriers are trying to grab a piece of the market. Once carriers start to drop out of the market, I’m sure coverage will become more restrictive and prices will increase.”
“Additionally, it’s going to be virtually impossible for the insurance industry to continue to respond to an exposure with such a high degree of loss,” he added. “I think it is unfair that the business owners are held responsible for a hack regardless of the precautions that are taken. We’ve seen that it is virtually impossible to stop a hacker that wants to get into a system. Possibly, a legislative change is in order to protect business owners that take proper steps to protect their data.”
“Cyber insurance has migrated from the niche space and is quickly becoming a mainline product for many insurance companies,” Lewis said. “The large, established insurance companies are leading the field in developing and introducing cyber insurance products. The space represents a massive opportunity for insurers as we are constantly uncovering more risks and exposures presented by our increasing online activities.”