Cyber Insurance
The Need for Cyber Insurance:
The October 20, 2014 headline in “USA Today” read “Officials Warn 500 Million Financial Records Hacked.”[1] That figure covers just the past 12 months, and when one considers that the entire population of the United States is 316 million, it is an astounding and even frightening statistic. In the article, Joseph Demarest, Assistant Director of the FBI’s Cyber Division, stated bluntly, “You’re going to be hacked. Have a plan.” One critical aspect of planning is consideration of cyber insurance.
A common rationalization for those associated with small firms is “we are too small and don’t have the high-value targets that hackers covet.” We will bust this myth with a hypothetical scenario. JP Morgan was in the news and announced they had 76 million individuals and 7 million businesses compromised in a cyber attack allegedly carried out by the Russian government in retaliation for U.S. sanctions related to the Ukraine conflict. It was also disclosed that the breach occurred through an employee’s personal computer.[2] Most firms have a client or investor who is an employee of a Fortune 500 company, or the friend or relative of an employee at a Fortune 500 company. Consider the possibility that the easiest way into that employee’s computer may be through your firm. Even worse, if an attack were successful, the hackers often don’t stop with what they wanted; they will post the stolen data for sale on the dark web. There, someone who wants the identities of all of your clients/investors could purchase the information with very bad intentions for your firm. If you are not fearful of a cyber attack, you are simply ignorant.
According to the 2014 Ponemon Institute study[3], the cost of a data breach was up 15% from 2013 and cost $201 per record versus $188 in 2013. Moreover, Ponemon reported that the rate of customers terminating their relationship after a breach increased 15% over 2013. Multiply your number of clients/investors by $201 to get a sense of how costly a breach could be, and this does not include lost business.
Risk Transfer:
Insuring a risk is simply a way to transfer the risk to an insurance company in exchange for the premium payment. If a covered risk occurs, the cost would be paid by the insurance company per the terms of the insurance policy. Risks can be insured (transferred), accepted, avoided or mitigated. Two factors that weigh heavily in the decision of whether or not to insure are the frequency of the risk and the severity of the risk. Since cyber attacks are both frequent and costly, cyber insurance should be considered.
Cyber Insurance – Covered Risks:
Cyber insurance can cover a myriad of risks including:
- Crisis management coverage. This would include expenses related to the investigation, remediation, notification, communication, credit monitoring for victims, legal and court costs, and regulatory fines. Although we are using the term “Cyber Insurance,” most policies define a breach to include physical theft, and thus the breach does not need to occur electronically to be covered.
- Multimedia liability coverage. This covers infringement of intellectual property rights, disruption of e-commerce, or defacement of the victim’s web presence.
- Cyber terrorism coverage. This primarily covers losses due to extortion and the costs related to the event. One common manifestation of this risk is called “ransomware,” where the victim’s data is encrypted and the perpetrator demands a ransom to unlock the data.
- Network and Data security coverage. This covers denial of service attacks as well as data breaches from third-party vendors.
Considerations in Purchasing Cyber Insurance:
First, inventory your information assets. Any databases, electronic files, and program data need to be identified. Next, attempt to assess the risks by quantifying the value of the data and anticipating potential threats. This risk assessment will provide the foundation for the type of coverage to consider as well as a cost-benefit analysis of the coverage. Finally, work with a knowledgeable insurance agent. A good agent will be invaluable, especially since cyber insurance policies tend to be non-standard and have many different features and benefits.
[1] “Officials Warn 500 Million Financial Records Hacked”, by Erin Kelly, USA Today, October 20, 2014
[2] “J.P. Morgan Says About 76 Million Households Affected by Cyber Breach”, by Emily Glazer and Danny Yadron, The Wall Street Journal, October 2, 2014
[3] “2014 Cost of Data Breach: Global Analysis”, by the Ponemon Institute, May 5, 2014