Can 'cyberinsurance' protect you from data breach catastrophe?

Business is booming after disasters like the TJX case, but policies can be expensive, complex and hard to get

Laptops are walking away. Hackers are breaking in. Tapes are missing in transit. Any of these developments could lead to a data breach, which, combined with state disclosure laws, could trigger crushing expenses.

A cyberinsurance policy could cover such losses, but such policies may be expensive, complex and somewhat difficult to acquire -- and it may be even more difficult to determine whether they are truly worthwhile.

Cyberinsurance policies emerged about a decade ago with the realization that conventional insurance covered physical damage, but not lost data. Responding to the latest headlines, today's policies focus on the losses associated with a data breach. Such losses usually include the expense of notifying the victims, offering them credit monitoring and other "crisis management" expenses, explained Larry Harb, president of IT Risk Managers, an insurance broker in Okemos, Mich. Defense against the resulting lawsuits and government regulatory action is typically covered.

But while coverage has evolved, prices have remained high, even though there are now about 20 different carriers in the market. Harb recalled presenting a dental association with a privacy policy that offered coverage of $1 million for a yearly premium of $1 per stored name. An established dentist might have 4,000 patient files, for a premium of $4,000. "That was more than all their other insurance put together, including their general property and liability, so they didn't go for it," Harb said.

"A bank will pay more than a pizza shop, but coverage generally runs from $7,500 to $12,000 per million dollars of coverage," said Nick Economidis, vice president at the National Union Fire Insurance Co., an AIG subsidiary in Pittsburgh.

Policies covering network risks could be expected to cost $10,000 to $20,000 per $1 million in coverage, said Kevin Kalinich, a director at the AON Corp. in Chicago, described as the world's largest insurance broker. But the addition of professional services "errors and omissions" coverage will double the cost, he added.

But the variability of cyberpolicies and coverage is apparently as off-putting as the prices. Sharon Nelson, president of Sensei Enterprises in Fairfax, Va., recalled contacting five different carriers about cyberinsurance. "Prices for identical coverage ranged from $16,000 to $70,000 per year. I got the impression that cyberinsurance is a mysterious world, dimly understood by all its participants.

"There are also issues about what is covered," Nelson added. "If you have a blog that offers advice, you might not be able to get coverage. Insiders cause 70% of data breaches, but a lot of policies only cover the direct damage caused by an insider, not the third-party damage."

Better for small firms?

But while small firms may be the least prepared to do the necessary comparison shopping, cyberinsurance is actually better suited to them than large companies, noted Khalid Kark, an analyst at the Yankee Group in Cambridge, Mass. Basically, he explained, coverage limits are usually too small to interest a large firm, but would be sufficient to rescue a small firm.

"I have never heard of a cyberinsurance policy offering more than $10 million in coverage," Kark explained. "But the potential costs facing large corporations as the result of a data breach are of a larger magnitude, so they are better off self-insuring." (The TJX Companies, which in January reported a data breach involving 45.6 million payment cards, has announced that the event has already cost more than $17 million.)

Meanwhile, as Nelson noted, a willingness to buy cyberinsurance doesn't guarantee that there will be a carrier willing to sell a policy to you, as the carriers have their own issues.

"About 10% (of cyberinsurance applicants) are flat-out turned down," said Kalinich. "Another 25% pay much higher premiums, or have coverage restrictions or contingencies written into their policies."

The biggest reason for denial is the buyer's lack of desirable policies and procedures, such as having no disaster recovery plan or no monitoring of system usage, Kalinich indicated. "I can tell you that there are major health care and financial institutions that have been turned down because they did not pass scrutiny," he said.

"There are organizations that seek coverage in lieu of having proper policies and procedures," added Toby Merrill, an assistant vice president at ACE Professional Risk, an underwriter in Philadelphia.

"I look for very simple things -- I want to see some sort of management interest in protecting its networks, and its customers' information," Merrill added. "They must have a well-thought-out disaster recovery or business continuity plan, both in terms of physical security and a data breach event. Those who want to withhold information from the public, or bend the rules a little bit to save a dollar, are not the clients that we are interested in. We are interested in firms that will do the right thing and recognize exposure for what it is," Merrill said.

To evaluate the security practices of an applicant, some underwriters use a third-party firm, such as NetDiligence in Philadelphia. Mark Greisiger, the head of NetDiligence, said that, in doing assessments, the biggest problem he sees is firms that aren't patching their perimeter servers in a timely manner and that fail to encrypt stored data. As for retailers, the rate of noncompliance with at least some of the security rules imposed by the credit card industry (via the Payment Card Industry Data Security Standard) is about 90%, he said.

Best practices are changing

Economidis said that his firm does its own assessments. "When we started doing this we had a lot of trouble with firewalls. Over time it changed to disaster recovery planning. They are getting better at that, but today we are talking to our largest customers about encryption," he said.

As for claims, Merrill said that most of the ones he has seen so far have involved first-party expenses, for crisis management, victim notification and public relations expenses. "We have not seen a lot of frequency around legal liability, but I anticipate that will change significantly, as plaintiff attorneys become more experienced and comfortable with these issues," he said.

Apparently, a lot of corporate managers feel the same way, because sources agreed that the cyberinsurance market is growing rapidly. Kalinich noted that sales for the field languished at $100 million yearly for the first several years of the decade, despite initial high-flying projections. With daily news about disastrous data breaches, the volume finally rose to $300 million in 2006.

Then came the widely reported TJX data breach, and as a direct result Kalinich expects sales to double this year. "We started getting calls from companies that previously said it was something they did not need to worry about -- but now the board of directors was asking about it," he said. "The insurance market as a whole should give TJX a commission -- and it may need it."

When called on to shop for cyberinsurance, "Make a list of the types of items where you could incur costs in respect to a data breach, and then carefully compare what the policies cover," said Lisa Sotto, head of the privacy and information management practice at the New York office of Hunton & Williams. "It is very important to pay attention to what a policy covers, and what it does not cover. Policies are different, they are evolving rapidly -- and the details of every policy can be negotiated. But their wording is often so dense that it may be hard to determine what they will actually cover in the end.

Shop around

"Cyberinsurance is worth looking at, but you need to shop around and compare notes," Sotto said. On the other hand, she fears that many smaller businesses assume they are covered because they have general business policies. Such policies cover the cost of their computers if they are destroyed, but not third-party damage from a data breach, she noted.

"Smaller companies often have exaggerated fears about how much a data breach could cost them, since government regulators prefer bigger targets and typically won't bother going after them," noted Kark. "But not all their fears are unfounded, particularly in a regulated industry or a high-profile company. Cyberinsurance may be appropriate for some of those companies, but there is no silver bullet -- you must figure out the potential costs and decide if it is appropriate to buy the insurance."

And then there is the ultimate form of insurance, denial. "Most think it can't happen to them, and for most of them it has not," noted Nelson. "But they have been lucky. And as you learn at a casino craps table, your luck will run out."

Lamont Wood is a freelance writer in San Antonio.

Copyright © 2007 IDG Communications, Inc.