Managing the Risk of Cyber Attack
In the wake of headline hacker attacks, cyber liability has become one of the fastest growing segments of commercial insurance — mitigating costs that follow a breach.
Companies don’t have to buy cyber liability insurance, says Jennifer Bolling, of Arthur J. Gallagher & Co. in Birmingham, “but I think most are realizing that every company has an exposure.”
Editor’s Note: Gary Shertenlieb, of Palomar Insurance, died in early May, not long after talking with us for this article.
In 2013, cyber thieves hacked one of the nation’s largest retail chains, Target Corp., and stole an estimated 40 million debit and credit cards and 70 million customer records. The incident resulted in a class-action lawsuit against the company, which announced this year that it would pay $10 million to the victims.
The incident was among a string of high-profile cyber attacks in recent months against top U.S. corporations, which included JPMorgan Chase & Co., Home Depot, Neiman Marcus, Staples and Sony Corp. In the case of Sony, cybercriminals infiltrated the entertainment giant’s computer networks and planted malware that wiped its corporate files. The hackers also exposed embarrassing employee e-mails, unfinished scripts and unreleased films to the public.
The rise in corporate data breaches has led more companies to seek cyber security liability insurance, says Darlene Violette, marketing manager at Colonial Insurance Agency, in Montgomery. Cyber liability insurance policies help companies mitigate the financial costs that come following a cyber attack.
“It has really inspired a lot of our insured and gotten their attention,” says Violette. “Many never thought of themselves as ever having a cyber liability claim. It’s this false sense of security, thinking, ‘This will never happen to me.’”
But a growing number of businesses are experiencing cyber attacks. A 2014 global study by the consulting firm PricewaterhouseCoopers found that cyber attacks rose 48 percent from 2013, to 42.8 million. Such attacks can come from hackers inside a company or anywhere in the world. The executive who misplaces a mobile device, the worker who opens a phony company e-mail loaded with malware or the staffer who forgets to change a password can cause a data breach.
“The whole cyber breach area has been in existence for a while,” says Gary Shertenlieb, Atlanta-based senior vice president and director of the data breach services and cyber liability practice for Montgomery’s Palomar Insurance. “But I think that it has, in the last five years, been recognized as creating probably one of the greatest new exposures to American business.”
And companies that are the victims of hacking, like Target, can face costly lawsuits filed by customers and others for failing to secure their computer networks, Shertenlieb says.
“A big issue is that management is now being held accountable by shareholders for not protecting companies by having the proper procedures and processes and adequate response services in place,” he says.
Hackers can even launch cyber attacks through a company’s own vendor. In the case of Target, hackers stole the access credentials of the company’s HVAC vendor.
Even if a company’s vendor is at fault, the company will bear most of the costs that follow a breach, Shertenlieb says.
“For example, if I’m using someone’s software and someone hacks into my system and the software doesn’t perform, I’m still responsible for the [customer] notification,” Shertenlieb says. “The vendor is not.”
However, he says, a company may have a clause in its contract that requires a vendor to help offset at least some of the expenses that come with a data breach.
Jennifer Bolling, regional director of the cyber liability practice at Arthur J. Gallagher & Co. in Birmingham, says that with the potential for liability, she has witnessed more companies seeking cyber liability insurance as well.
“It’s not a required coverage,” she says. “Companies don’t have to buy it, but I think most are realizing that every company has an exposure.”
The typical cyber liability insurance policy will pay for expenses incurred in the recovery of lost and stolen data, notification and credit monitoring services for customers, federal and state regulatory fines and legal claims, Bolling says. Some policies even include coverage for public relations consulting, to deal with the damage to a company’s image following a cyber attack. But not all policies will pay for lost revenue due to a halt in business operations or a damaged reputation, Bolling says.
To protect themselves, companies can buy a comprehensive cyber liability insurance policy or opt for adding a less expensive endorsement, an add-on, to a policy they already have, Shertenlieb says. The premiums for cyber liability policies, however, can vary.
“It depends on what you purchase,” he says. “If it’s an endorsement to an existing policy that gives an offset of expenses, the cost could be minimal and add $1,000 to $1,500 to your policy.”
On the other hand, the premiums for a cyber liability policy could run anywhere from $2,500 for a smaller company to hundreds of thousands of dollars, Shertenlieb says.
Underwriters consider several factors for setting premiums, Bolling says.
“In the insurance world, this is one of the relatively new coverages in the last 10 years,” she says. “Carriers are still gathering data. Every breach is a little bit different, and so it’s a very fluid coverage, because the hackers are creative. Technology is constantly being updated. As breaches happen and as things come out in the news, the carriers react to that. So they may add endorsements. They may totally rewrite their forms. There’s no way that they can completely know every exposure and every risk that you’re going to have when underwriting the coverage. So they have to ask the basic questions, and carriers approach it in different ways.”
When determining the terms of a policy, underwriters consider a number of factors, such as the type of industry and the size of the business in terms of revenue. A retail chain that generates millions in revenue would pay higher premiums than a smaller business.
Underwriters also consider whether a company follows best practices for reducing its chances of a data breach. Such practices can include how well a company manages spam e-mails, whether it provides security awareness training for its employees and whether it has off-site backup for its computer files.
Even factors such as the number of records a company has to protect and its procedures for destroying sensitive paper documents or securing electronic documents like patient health records can impact the size of the premiums.
Health care organizations, in fact, have become especially vulnerable to cyber attacks in recent years. In a 2014 survey of 91 health care organizations by the Ponemon Institute, 90 percent said they experienced at least one data breach during the previous two years.
Just this year, Anthem Inc., the country’s second largest health insurance company, suffered an attack on its IT system. The hackers exposed the personal information of 80 million customers, including names, addresses, e-mails, and Social Security numbers, but not the medical records.
If patient medical records are breached, a hospital or medical facility could face stiff fines under the 1996 Health Insurance Portability and Accountability Act (HIPAA), which is designed to protect patient privacy. Therefore, the American Hospital Association has recommended that hospitals review their insurance policies to determine if their current coverage is adequate, given ever-growing cyber security risks.
Rosemary Blackmon, executive vice president and COO of the Alabama Hospital Association, says cyber threats are a major concern among hospital chief information officers she has spoken with.
“It’s because we’re expanding the use of electronic health records and medical devices that can report our information through the Internet,” Blackmon says. “It makes the care more efficient and more effective, but it comes with the risk of possible exposure. So you have to be even more diligent in protecting that information and protecting patients.”
Bolling says one of the best ways for companies to prepare for the inevitable cyber breach is knowing what is actually in their cyber insurance liability policies.
“Understand your policy,” she says. “Know what you have. Know what you don’t have.”
Gail Short and Art Meripol are freelance contributors to Business Alabama. Short and Meripol are based in Birmingham.