Over time, the probability of being hacked goes to 1. Like those of us living along the San Andreas fault and hoping for the best, we’ve chosen to build our businesses on the backbone of the internet; while we do as much as we can to shore up foundations and invest in early warning systems, at some point trouble is coming.
Just as most homeowner’s insurance doesn’t cover earthquakes, most general liability insurance doesn’t cover data breaches: cyber insurance has to be bought as an add-on. Cyber insurance can cover the initial investigation after a data breach, the costs associated with breach notification and that ubiquitously offered credit monitoring, fixing any security holes that led to the breach in the first place, and addressing reputational damage and lawsuits. These lawsuits can come from financial institutions that took on the costs of protecting affected customers, or from business partners whose information may have been put at risk because of your breach. Getting a good estimate of these costs ahead of time is difficult, as the scope of the data involved in a breach can cause a great deal of variability.
Let’s take beleaguered Target as an example, as many already have. Target’s costs from its 2013 breach of 70M customer records exceed $250M, and more are coming. Target’s cyber insurance covered $90M of that total thus far. Prior to the breach, Target had $100M of cyber insurance coverage, and $65M of directors and officers liability coverage, which was provided by multiple insurers:
Target is self-insured for the first $10 million of cyber coverage. On top of that, there’s additional cyber insurance through: $15 million of excess coverage with Ace Ltd.; then a $15 million layer with American International Group Inc.; a $10 million layer with Bermuda-based Axis Capital Holdings Ltd.; another $10 million coverage layer with AIG; then a quota share for the next $40 million of cyber insurance divided among four unidentified insurers.
To protect against executive liability, the third-largest U.S. retailer has a $10 million self-insured retention, followed by $25 million in primary D&O coverage with AIG, followed by an additional $15 million of coverage with Ace, then $15 million of coverage with the Hartford, Conn.-based Travelers Cos. Inc.
Even with all of this coverage, Target had approached at least one insurer about acquiring more cyber insurance, and had been turned down. This may point to the company’s knowledge that its security had some weak spots, or it could be due to a prescient attempt to cover a growing supply of customer data. The fact that Target’s breach costs exceeded its coverage, and the subsequent prediction that the Anthem breach will also generate costs that exceed its policy, have alerted the market to the need for more coverage and larger policies. In a survey of cyber insurance clients, and of underwriters and brokers working in cyber insurance, the biggest driver of demand by far was news of others’ cyber-related losses and data breach experiences. Brokers noted that the biggest obstacle to selling coverage was the customer not understanding exposure, a state of blissful ignorance that can be shaken by headlines involving high-profile hacks.
Unless you believe that earthquakes are an act of Zeus’ retribution, building a tall mansion won’t invite an earthquake any more than building a humble bungalow. But cyber attacks are in part motivated by greed, and bigger, more successful businesses do draw the attention of proportionally more malefactors. Large businesses that, unlike Apple and Google, aren’t themselves in the security business have a lot to gain from cyber insurance, and from an honest third-party assessment of the gaps in their security infrastructure. Cyber insurance won’t stop determined attackers, and may not even cover the costs of a breach, but it’s worthwhile to be aware of your cyber risk.