Heartland Payment Systems figured it was in pretty good shape when it took out a $30 million cyber insurance policy. Unfortunately, the credit card transaction processor was the victim of a massive data breach in early 2009 that resulted in losses estimated at $145 million. The insurance company did pay Heartland the $30 million, but the company was on the hook for the remaining $115 million.
So, is cyber insurance worth it? Is it right for your company? What type of coverage should you get? How much is enough? And what are the gotchas to watch out for?
The first point to understand is that standard business insurance does not cover data breaches or almost any other loss involving data. Standard insurance covers tangible losses and damage. Data isn’t tangible.
For that distinction you can thank American Guarantee & Liability Insurance Co. vs. Ingram Micro Inc., a U.S. District Court ruling in Arizona in 2000. The court said that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro had purchased from American Guarantee.
“After that, the insurance firms changed their policies to state that data is not considered tangible property,” says Kevin Kalinich, national managing director for network risk at insurance vendor Aon Risk Solutions. The upshot is that an enterprise needs special cyber insurance to cover data-related issues. The problem is that the field is new and there is no such thing as standard coverage with a standard price.
The resulting complexity is a major source of push-back by potential buyers, according to Larry Ponemon, chairman of the Ponemon Institute, a research organization focused on information security and protection.
“The policies have limitations and constraints similar to home policies with act-of-God provisions, and that has created a lot of uncertainty about what is covered, and what the risks are,” Ponemon says. “Those who are nevertheless purchasing cyber insurance are typically very selective about what coverage they want,” he adds.
Types of cyber coverage currently available include:
Data breach coverage: This pays for expenses that result from a data breach. Covered expenses typically include notification of the victims, setting up a call center, credit monitoring and credit restoration services for the victims, and other crisis management services, says Ken Goldstein, vice president at the Chubb Group, an insurance vendor. “You might want to hire forensic experts, independent attorneys for guidance concerning the multiple state (data breach notification) laws, and public relations experts. The more thoughtful ones respond in a way that shows they are taking the situation seriously,” he says.
Regulatory civil action coverage: Pays in cases where the insured is facing fines from a state attorney general after a data breach, or from the federal government after a violation of the Health Insurance Portability and Accountability Act (HIPAA,) or similar regulations. Some policies only cover the cost of defending against the action, while others may pay the fine as well, says Steven Haase, head of INSUREtrust, an Atlanta-based specialty insurance provider.
Cyber extortion coverage: For cases where a hacker steals data from the policy holder and then tries to sell it back, or someone plants a logic bomb in the policy holder’s system and demands payment to disable it. Among other things, the policy should cover the cost of a negotiator, and the expense of offering a reward leading to the arrest of the perpetrator, Goldstein says.
Virus liability: Pays in cases where the policy holder is sued by someone who claims to have gotten a virus from the policy holder’s system.
Content liability: Covers lawsuits filed by people angered over something posted on the Web site of the policy holder. Such coverage should also cover copyright claims and domain name disputes, Haase says.
Lost income coverage: Replaces revenue lost while the policy holder’s computer system or Web site is down. But Kalinich notes that insurers often apply minimum downtimes of 12 or 24 hours, or require proof of actual losses. “They’ll say that, after all, the customers who did not get through (during the outage) could have come back later,” he says.
Loss of data coverage: Pays for the cost of replacing the policy holder’s data in case of loss. “Backup policies are not always effective, and accidents and sabotage happen,” Haase says.
Errors and omissions coverage: Otherwise known as O&M policies, this type of coverage predates cyber insurance, but is increasingly added to cyber policies to cover alleged failures by the policy holder’s software, Haase says.
As for what coverage costs, Kalinich says that firms smaller than $100 million in annual revenue can expect to pay $5,000 to $15,000 per million of coverage, while larger firms would pay $10,000 to $25,000. For those over a billion, the price can be in the $20,000 to $50,000 range.
Robert Parisi, senior vice president with Marsh, an insurance broker and risk advisory firm, put it simpler, saying the cost is between $7,000 and $35,000 per million. Of course, the lower ranges are for buyers who look like better risks – and deciding who is a better risk is another factor that makes cyber insurance a complex topic. “You cannot get good insurance unless you have good security practices,” Kalinich says. “Due diligence underwriting has become more streamlined as the insurers have learned what to look for. They will typically benchmark you against other members of your industry.” “Applications are not turned down very often,” adds Haase. “But ‘do you encrypt your data?’ is a common question on an application, and 95% of the prospects don’t. They get scared, and the application process stalls. But almost every insurer will offer coverage anyway – although, for a healthcare firm especially, the policy would be considerably cheaper if it does encrypt.” “No one question is going to knock you out of consideration – unless you’ve already had millions in losses, or demonstrate extremely poor controls,” agrees says Toby Merrill, vice president of insurer ACE Professional Risk. But being accepted does not mean that the insurance that is offered will be worth having, cautions Kalinich. “Some insurers will slap on all sorts of exclusions to make the insurance worse than worthless while they still collect the premium,” he says. “They may say that you are excluded if you don’t stay updated with the latest security software. But no one can stay patched 24-7. If they find that you don’t encrypt your laptops, then they will exclude laptops that are not encrypted. But that is where you need the insurance. So the specific wording of a policy is very important,” he says.
The more sophisticated buyers, says Merrill, are concentrating on what he calls the quality of the coverage. This would include the insurer’s ability to refer the policy holder to legal and forensic experts if there is a breach, how liberal the insurer is in terms of what it will pay for, and whether prior approval is required before outlays are made, he says.
But, apparently, sophisticated buyers are not the norm, if only because the rapid uptake means there are a lot of first-time buyers.
“For the last five years the market was been rocking along with annual growth of 10 to 15 per cent, while this year it’s 30 to 40 per cent,” Haase says.
“Of the top 100 corporations in a given industry,” estimates Parisi, “Twenty-five percent have bought it, 15 are in the market, and 40 to 50 per cent will be buying it within a year. This coverage is growing fast, and at a time when the economy is distressed.”
Sources credit media coverage of various data breach disasters for spurring the growth. Yet, “We still see prospects with no security plan in place,” Goldstein says.
Beyond that, “For first buyers, it’s painful,” Kalinich says. “They have to coordinate their IT and legal and human resources and risk management departments, and break down the silos for those areas.” (Human resources is involved because of the need to respond to questions about security training practices.)
Enterprises interested in applying for cyber insurance should, as a first step, fill out an insurance application, sources agree. In the end they may not buy the insurance, but the process of filling out the application can be educational.
“Even if they don’t buy any insurance they will understand their exposure better and will be able to discuss it with their boards of directors in an intelligent manner,” Kalinich says.
“There are questions on it you might not have thought of yourself,” Merrill adds. “I’m not saying you should then submit it – just use it to educate yourself. Then bring in a broker.”
On the broker issue, Haase says, “This is a complex purchase and you need a professional helping you.” Most policies are highly customizable, and there are a lot of endorsements – some of which may not even drive up the price – that can be requested if you know what to ask for. For instance, you might add coverage for paper files, both on-site and off.”
Typically the buyer goes to their local agent, and the local agent uses a specialist, Haase says. Both the local agent and the specialist get commissions ranging from 7.5 per cent to 10 per cent, so that 15 per cent to 10 per cent of the premium goes to commissions.
Finally, Merrill cautions that cyber insurance buyers must understand that if they are outsourcing their data handling, they are not at the same time outsourcing their liability if there is a data breach. The onus of the various breach notification laws is on the organization that gathered the data, not on the organization that was storing it when it was exposed, he notes.
“Cyber insurance is not there to replace sound risk management,” Merrill says. “It is there to supplement it.”