Hacking It

Cyber Liability Is the Hot Trend in Business Insurance

Even one electronic security breach is a headache for businesses that store their customers’ financial records. Millions of thefts? That’s much worse.
“They’re like mosquitoes,” said William Trudeau, president of the Insurance Center of New England in Agawam. “It’s one of those things where one or two bites isn’t too bad, with five bites, you’ve got an itch, but if you have 5,000 bites, you might die. For a small bank, if someone steals 100 ATM cards, it’s going to be not fun. But if, all of a sudden, they steal the records of 20,000 ATM cards and are withdrawing money all over the world for two days, it could get ugly.”
It’s not just banks that worry about such breaches. Large retailers, which keep the credit-card records of their customers on file, are at risk as well, as the TJ Maxx incident that came to light six years ago.
In that case, hackers gained access to company databases in 2005 and stole the personal information of more than 45 million credit and debit cards — but the company didn’t discover the theft until two years later. TJ Maxx later claimed that 75% of the cards were either expired at the time of the breach, or the personal information on them was masked. But the international ring of thieves did use much of the data to enrich themselves before they were arrested — and the various consequences of the incident eventually cost the clothing chain more than $130 million.
“After the TJ Maxx incident, Massachusetts law mandated self-reporting and potential fines per incident,” Trudeau said, but the costs stemming from such a breach can range widely, from PR work to restore brand reputation to individual and class-action lawsuits.

“Say a company wants to rectify things, says that it won’t happen again,” he continued. “So they pay for two years of ID theft protection for anyone who wants it. Then you need to do notification by third-party certified mail to all customers. Say I’ve got 30,000 records, so I’ve got to send out 30,000 pieces of mail from a certified facility, costing maybe $90,000. Then, how many will take me up on two years of identity-theft protection? Maybe 10%?
“What you have here are first-party costs,” he went on. “It’s not someone saying, ‘OK, I lost 20 grand, and now I’m suing you.’ You’ve got a lawyer in your office saying you need to do certain things now, even though there’s no lawsuit yet. But who’s going to pay the $90,000 for mailings? Who’s going to pay for the ID-theft protection? There’s a huge potential for loss, even before the lawsuits arrive.”
As a result, cyber liability is one of the hottest terms in the insurance world, one that agents have been busy telling their clients about.
“We’ve been concentrating on this kind of insurance,” said Robert Gilbert, president of the Dowd Insurance Agencies in Holyoke. “I read four trade publications each week, and every single one, every week for the past year, has had an article about what we call cyber-liability insurance. That includes Internet liability, cyber-security … anything that can attack your computer and cause loss of data.”
And businesses make a mistake if they assume that large, national retailers are the only ones at risk. Verizon issued a report on data-breach investigations last year that analyzed data from 855 reported incidents that resulted in 174 million compromised records in 2011. That study revealed that 71% of breaches struck organizations with fewer than 100 employees.
As a result, Gilbert said his agency has been busy notifying its clients about cyber threats and the insurance products available to protect them, noting that banks, retailers, restaurants, and medical businesses are among those with the most potential threat exposure. “We’re talking about businesses where customers are using credit cards. That data is capturable. Large retailers are constantly taking credit cards because that’s how most people pay for things. So it’s significant.”

Growing Concern
Earlier this spring, Best’s Review cited several recent surveys that shed light on the extent of the cybercrime problem and how it concerns businesses. For instance, a survey by American International Group found that corporate executives are more concerned about cyberthreats than any other major business risk, with 85% of the 258 surveyed saying they are ‘very’ or ‘somewhat’ concerned about it.
Meanwhile, a Deloitte Tech Trends poll of 1,749 business professionals found that 28% of those surveyed reported at least one known cyberattack in the past year; 9% reported more than one breach. And those are just the known cases.
According to the Ponemon Institute, which has been reporting on the cost of cybercrimes for the past three years, the average cost to a company from data theft is $194 per record breached — meaning it takes just 515 such records stolen to reach a six-figure loss, a tough pill to swallow for small to mid-sized companies.
That’s why cyber-liability insurance is so important. Trudeau cited one product his company promotes, Beazley Breach Response, which covers many of the first-wave expenses of cybercrime, including notification and credit-monitoring services for up to 5 million affected individuals, as well as forensic and legal assistance, PR costs, and other benefits, with separate coverage limits for third-party claims.
“Many policies offer first-party coverage — that is, they will pay you for things like business interruption, the cost of notifying customers of a breach, and even the expense of hiring a public-relations firm to repair any damage done to your image as a result of a cyber attack,” business-technology writer Minda Zetlin noted recently in Inc. magazine. “Having this cash available in the event of a crippling hack can keep the lights on until you’re able to resume your normal cash flow. A good policy can even cover any regulatory fines or penalties you might incur because of a data breach.”
Early response, aided by such coverage, can be critical, Trudeau said. “Depending on how good the response is, you don’t always get to the liability point if you self-report that you’ve had a breach.”
Considering the rate at which businesses are attacked and hacked, Gilbert said, it’s tremendously risky for companies that store sensitive data to ignore their need for cyber-liability coverage.
“When private data has been hacked, the expense to go through it is tremendous — you have notify all the people in the database, there are advertising expenses, possibly litigation,” he explained. “As technology has changed so rapidly, so has the expertise of criminals. The insurance marketplace never anticipated the seriousness of these crimes.”
But it’s certainly paying attention now. “When you’re hacked, and someone has access to everything in your computer, they can throw viruses in there or extort your business with the threat of viruses,” Gilbert added. “There are so many different areas of exposure, so it has become a very big issue.”
Customer notification alone can be a major hassle, considering that 46 of the 50 U.S. states have notification laws, the details of which vary by state — and many breaches affect customers in multiple states. “You should talk to your risk manager or agent,” Gilbert tells clients. “Do you have this coverage? What do you need to secure it? If nothing else, we make them aware of the exposures they face.
“It definitely interrupts your business. You have a loss of income, a loss of profits,” he added. “We talk to clients about what their exposures are today and what to do about it.”

Constant Threats
In a world where data theft is pervasive — from restaurant waiters carrying ‘skimmers’ in their pockets to lift debit-card information to international hackers hammering their way into large corporations — companies increasingly realize that it’s up to them to both better secure their data and seek out a realistic level of coverage, Trudeau said.
“When doing an assessment, ask, what’s the exposure risk? What exposures do we have, and how could we get in trouble?” he said, re-emphasizing that those risks run from the debit-card information stored at Big Y to the HIPAA-protected patient data at medical practices.
“It doesn’t matter if you’re a big company or a small company,” Kelly Bissell, who heads Deloitte’s Information Technology Risk Management Team, told Best’s Review. “It matters what data you have that’s valuable to them. The bad guys don’t discriminate.”
It’s also dangerous for businesses to assume they’re protected against data breaches of third-party vendors, experts say, since they provided them that information in the first place. Nor is there any guarantee a cloud provider will cover a company against a data breach in the cloud. It all comes back to speaking with an insurance agent to make sure all contingencies are accounted for.
“Every time you open the paper, another bank has gotten hacked,” Gilbert said. “Criminals today are pretty smart. They’re not using guns and knives anymore; they’re sitting somewhere in Russia or somewhere in Oklahoma — it doesn’t matter where.”
And that changing world has forced changes in the insurance realm, with the advent of products that are becoming an increasingly necessary part of companies’ risk-management strategies.
“This type of coverage has been developed to meet a need,” Gilbert said. “With what’s going on with cybercriminals, it’s very important that, every account we go out on, we’re bringing up things they don’t have. That way, at least we’ve done our job.”

Joseph Bednar can be reached at [email protected]