Cyber-Insurance: Assess Risk, Policy & Obligations

By Greg Reber

The threat of cyber-incidents is a top concern of businesses around the world, and insuring companies against data breaches is becoming a huge industry. The cyber-insurance market has been growing approximately 40 percent a year for the past three years, with a lot more room to expand.

In fact, a recent Fitch Ratings report found that in 2015, 120 U.S. insurance groups wrote cyber-coverage totaling $1 billion (direct written premiums volume). Some estimates put the global cyber-insurance market at $20 billion by 2020.

The Ponemon Institute’s 2016 study pegs the average cost of a data breach at $4 million, with per-record costs rising slightly to $158 each. The study covers breaches in which 3,000 to 100,000 records were lost, but for larger companies, the number of records exposed is often much higher. Perhaps more alarming is the likelihood of a breach occurring: The study estimates “a 26 percent probability of a material data breach involving 10,000 lost or stolen records.”

Deciding how much cyber-insurance to buy is not a trivial matter, and the responsibility rests squarely with the board of directors (BoD). Directors and executives have the highest-level view of cyber-risk across the organization, and they are best-positioned to align insurance coverage with business objectives, asset vulnerability, third-party risk exposure and external factors.

Not all breaches are limited to data exposure. Ransomware, advanced persistent threats (APTs) and distributed denial of service (DDoS) attacks can also interrupt the course of business. How much does your organization stand to lose from a supply chain shutdown, a website outage or service downtime?

Assessing Risks and the Associated Costs

Recent data points resulting from breach investigations can be used to frame the discussion around risks and the associated costs. For more recent breaches, information about the full expense compared with insurance payout is not yet available. Following the outcome of a variety of high-profile breaches is an effective way to ensure that your projected coverage requirements continue to match up with reality.

In the fourth quarter of 2013, Target suffered a very public breach that resulted in the resignation of its CEO, a 35-year employee. Target had purchased $100 million in cyber-insurance, with a $10 million deductible. At last count, Target reported that the costs of the breach totaled $252 million, with some lawsuits still open.

Home Depot announced in late 2014 that between April and September of that year cyber-criminals stole an estimated 56 million debit and credit card numbers—the largest retail card breach to date. The company had procured $105 million in cyber-insurance and reported breach-related expenses of $161 million. A consumer-driven class action lawsuit was settled for $20 million as part of those expenses, with $9 million of the settlement going to lawyers.

In both cases, as with most breaches of publicly traded companies, stock prices took a hit immediately after the breaches were announced, but bounced back to pre-breach levels within a quarter.

These cases illustrate the need for thoughtful deliberation when contemplating how much breach insurance to buy. The costs incurred in the fallout of a major breach depend on multiple factors, are not entirely predictable, and can rise quickly due to lawsuits and cascading effects. A case in point: the bizarre events surrounding Sony’s breach.