It’s certainly starting to feel like the discussion is less about if retailers are going to suffer a data breach and more about when. According to USA Today, over 40% of companies had a data breach in the past year, which is up 10% over the year prior. We all know the best defense is a good offense, but with no single silver-bullet solution to stop data breaches, many retailers are relying on cyber insurance to protect themselves. Is it enough? We take a look.
What Kinds of Cyber/Data Breach Insurance Are Available?
There are primarily two types of insurance offered - first-party and third-party.
First-party insures the policyholder’s own losses, and can include any of the following coverages:
Investigation: The costs associated with assessing whether or not a breach has occurred, including measuring its severity and impact.
Theft: Any costs associated with the tampering with or loss of the policyholder’s data as a result of a criminal attack.
Software/Hardware: Includes damage to software systems and/or the computer hardware itself as a result of a cyber attack.
Revenue Loss: Loss of income or other costs incurred by the policyholder if unable to conduct business as normal as a result of a breach.
Third-party insures the policyholder’s liability to third parties, such as customers/clients and government entities, and can include any of the following coverages:
Notification: The cost of notifying employees and customers of the breach.
Regulatory: Costs associated with any lawsuits or judgements as a result of a data breach as well as any legal or technical services required in responding to regulatory inquiries.
Crisis Management: Public relations and advertising expenses related to the education of customers and issuing of the policyholder’s response.
Credit Monitoring: The cost of providing credit and/or fraud monitoring services to affected employees and customers.
What Are the Exceptions?
An article by InformationWeek’s Dark Reading lists a number of broad exclusions found in many off-the-shelf cyber insurance policies that companies should be aware of, including:
No coverage for breaches of protected information in paper files
No coverage for claims brought by the government or regulators
No coverage for vicarious (i.e. third-party processor) liability
No coverage if you fail to encrypt data
What’s the Cost Benefit?
Given the urgency with which the need for this product erupted, and the lack of underwriters with extensive cyber loss knowledge, many insurers have had difficulty pricing it. This has led to wide-ranging differences in costs between carriers. Gartner has reported premiums between $10,000 and $35,000 for $1 million in coverage.
The Ponemon 2014 Cost of Data Breach Study reported post-breach costs (typically including help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions) averaged around $1.6 million in the U.S. in 2014 - certainly something insurance could help take the brunt of.
But the same study reported lost business costs (including the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill) topped $3.3 million for U.S. businesses.
Target has suffered almost $250 million in pure expenses from its breach and is facing a lawsuit from a group of five lenders acting on behalf of any financial institution affected by the breach, which a federal judge in St. Paul recently gave the green light to move forward. While it has been reported that its insurance policies are covering around $90 million of the existing expenses, Target has confirmed it maxed out its coverage and is still left with a very large, very expensive gap to fill.
Is it Worth it?
There’s no arguing that companies will be better off with cyber insurance than they would be without it. What’s important to remember, however, is that while cyber insurance will ease the pain of a data breach, it won’t eliminate it, nor will it prevent one from happening. The best way to protect yourself from a data breach is to employ an ecosystem of technologies that can work together to catch fraudulent spend quicker and empower you to put an end to the breach as soon as possible.