There have been a number of high-profile cyber breaches in recent years that have cost the victims a lot of money to recover. The Target department store, a few major health insurance companies and even the U.S. Office of Personnel Management have all suffered significant data loss as a result of cyber crooks gaining access to their databases. In every case, the organization involved didn’t realize their exposure to attack until it had already happened.
A 2016 study of 383 companies around the world, conducted by IBM and the Ponemon Institute, found that the average total cost of a data breach was $4 million. That study included a lot of big corporations, so to put it in perspective for smaller companies, the average cost for each record lost was $158 dollars; those records include both customer files with personal information (name, address, etc.) and payment card data, as well as corporate information that may compromise competitive advantage.
In addition to the direct costs for finding and fixing the technical vulnerabilities that allowed the breach, the business may also face a mountain of legal fees resulting from lawsuits or even criminal prosecution.
Similar recent studies by Verizon Communication and VMWare, Inc. revealed that retail stores make up 24 percent of reported breaches, and the most important aspect of a criminal intrusion is the loss of a company’s reputation among its customers.
The increasing frequency of cyber breaches has led to a new segment of the professional insurance market. Cyber insurance is now available from a number of underwriters to help businesses deal with a potentially disastrous data loss situation that otherwise might result in closing the company for good.
Now, I’m the first to admit that I’m not an insurance guy. My knowledge of how it works is that I pay my premiums and they fix my fender when need be. In cyber forensics, I can find where the bad guys got in, what they stole, usually where they came from and what they did with the data, but for this particular topic I turned to an old friend and former colleague of mine to discuss the insurance side of things.
Ken Mendelson is the Managing Director of Stroz Friedberg’s D.C. Office, and has been embedded in both the technical and legal side of information security in Washington for years. I asked Ken for his input on this topic.
Q: I know a lot of small, local shops that don’t have websites for selling their gear. Should they be concerned about cyber risk?
A: Cyber risk is a broad concept. There are “first party” risks (i.e., damage caused to your company) and “third party” risks (i.e., damage caused to your customers, suppliers, etc.) as a result of a data breach of any kind. You should be concerned about cyber risk if the data held in your IT systems has value either to you or any third party. Examples may include intellectual property, trade secrets, client lists or personally identifiable information (PII). Other considerations include whether, and for how long, your company will be able to operate if the IT systems are not available. Things like denial-of-service attacks, ransom-ware and other forms of malware can cripple an organization by depriving it of its own IT resources.
Q: That’s a good point – a computer network intrusion might not just be to steal information, but to inflict damage to the victim. So now there’s “cyber insurance” that a business can purchase to help with the costs of a breach. What does a typical policy cover?
A: Cyber insurance is a rapidly evolving field and there is no one “standard” policy. It’s very important to know what you’re buying. A good insurance broker will be able to tell you what is covered and what is excluded and can help design a policy that best meets your requirements. Insurance exists to help you transfer the risks that you cannot effectively mitigate yourself. However, insurance carriers will only cover the risks that you pay them to cover, so it’s important to know what is and is not covered by your cyber policy. Examples of first and third party risks that can be covered include:
1st Party Coverage:
- Business Interruption — loss of income/expenses resulting from network security failure.
- Intangible property — costs to restore or recreate data or software resulting from network security failure.
- Cyber extortion.
- Costs associated with violation of the Payment Card Industry Data Security Standard (PCI DSS).
- Breach event notification/management costs associated with:
- Incident Response/Forensic costs.
- Customer notification requirements, including the hiring of outside law firms and public relations consultants.
- Credit monitoring/protection as may be required.
- Notification hotline/call center expenses.
- Identity theft resources.
3rd Party Coverage:
- Wrongful disclosure of PII, Protected Health Information (PHI) or confidential corporate information in you care, custody and control via a computer network or off-line (e.g., via laptop, paper records, disks).
- Failure of computer network security to guard against threats such as hackers, viruses, worms, Trojan horses and denial-of-service attacks whether or not resulting from the provision of professional services.
- Content liability risks such as defamation and infringement of intellectual property rights arising out of website, marketing and advertising activities.
- Security or privacy breach regulatory proceedings (including associated fines and penalties).
Q: Payment card servicers are pretty quick to reimburse customers when their cards are stolen. Don’t they cover the retail business for cyber crimes too?
A: Generally speaking, no. Any company that processes, stores or transmits payment card information (PCI) must comply with the PCI Data Security Standard. Failure to do so can result in fines and penalties up to and including being prohibited from accepting credit cards as a form of payment.
Depending upon the contract you sign, if you outsource all of your credit card processing to a PCI-compliant servicing company so that your business does not process, store or transmit credit card data, you will likely not be held accountable in the event they suffer a data breach. In that case, the risk would be transferred to the servicing company, but you would possibly have to defend a lawsuit anyway. In addition, in the event of a data breach at your servicing company, your ability to do business in the short term may suffer, and your business’ reputation may be harmed in the process. This is one of those situations where the third-party liability is largely addressed, but the first-party (i.e., harm to your own business) is not covered.
If you choose to purchase cyber insurance, ensuring that the carrier is aware that you don’t process, store or transmit credit card data will likely lower your premiums. Again, a good broker can steer you in the right direction based on your business’s unique requirements.
Q: I’m not required to have cyber insurance. Why should I pay for it?
A: Like all risks you face, there are three choices that are NOT mutually exclusive. You can (1) accept the risk and be willing to pay what it takes to recover from a loss; or (2) mitigate the risk by putting controls in place to reduce the risk of harm; or (3) transfer the risk by paying someone else to assume it in the event there is an incident. A decision to purchase cyber insurance should be made after a determination that you cannot completely accept or effectively mitigate the risks that face your organization. Cyber insurance, when thoughtfully purchased, covers only the residual risk that exists after you have determined what risk you can accept, and what risk you can effectively mitigate.
Mendelson and I have both worked a lot of intrusion cases and have seen firsthand how expensive they can be to the organization and its customers, both in money and time involved. The “post-breach” costs of a cyber breach (the ripple effects to both the business and to its customers) can go on for years; civil litigation brought by affected customers can drag on for decades in the courts.
Whether you have a retail website or not, in today’s day and age you are more likely to suffer some kind of computer-related information theft than not. A quick internet search for “cyber insurance providers” returned more than 600,000 results, so there is a ton of information available to assist you in whether to purchase insurance and what kind you may need. I would start with the American Bankers Association’s “Cyber Insurance Buying Guide,” available at their website, www.aba.com.
As with any service you buy for your business, make sure it’s what you need for the size and scope of your business and don’t be afraid to ask for advice. My own business has cyber insurance, and we review it annually to make sure it includes the coverage we need and nothing we don’t.
You should also go ahead and buy an hour or two of your attorney’s time to discuss this topic and get his or her perspective; in fact, your lawyer may already have someone in their network who specializes in cyber risk and liability issues.
Yes, this is yet another cost of doing business that you may not have factored into your annual budget, but trust me on this: you don’t want to look back and say, “I wish I would have ... ”
Featured photo: iStock