Companies are looking to new forms of insurance as they learn that even the most robust computer security is no guarantee against data breaches.
The trend is being propelled as well by the discovery—too late, sometimes—that a company's traditional insurance policies do not cover the cost of privacy breaches and data loss.
Cyber risk insurance was born in the immediate prelude to the "Y2K problem," when organizations feared sudden data loss after midnight on Dec. 31, 1999. Over the ensuing years, these specialized policies have grown in scope and sophistication, and their sales have soared as companies have become increasingly network-dependent, e-commerce has blossomed, and cyber criminals have increased in their reach and aggressiveness.
The use of cyber risk insurance got a big boost in 2003 when California passed a "data security breach reporting" law, which required companies to publicly disclose any loss of unencrypted customer information they held. Most states now have similar disclosure laws. "That really drove interest in these [insurance] products," says Tracie Grella, global head of professional liability at American International Group, Inc. (AIG). "At the same time, we started to see more attacks, and breaches started to make front-page headlines. It became a big reputational issue for companies."
Even so, relatively few companies have insurance against data breaches, with policies concentrated among large retailers, financial institutions, health care providers and hospitality companies. Among Fortune 500 companies, penetration is above 30%, but among all companies it is less than 20%, says Kevin Kalinich, head of network risk and cyber insurance at Aon Risk Solutions. Still, since 2009 the number of companies with cyber risk insurance has soared almost 400%, he says.
Kalinich says many companies, if they think about it at all, mistakenly believe their traditional property and casualty insurance policies will protect them against losses from data theft. Most of those policies, especially those written years ago, are silent on whether they cover data breaches, and recent court cases have reached mixed decisions on the question. In February, a New York judge sent out a wake-up call with his decision that Sony Corp. could not recover the costs of customer data losses from the 2011 PlayStation Network hacking under its commercial general liability policy. Industry estimates of Sony's losses in the hacking case go as high as $2 billion.
Most cyber risk insurance policies today cover privacy breach notification and crisis management, regulatory defense and civil penalties, breach-related liability and first-party business interruption. Such policies for large companies typically have limits of $1 million to $100 million, and annual premiums of $10,000 to $50,000 per $1 million of coverage, according to Aon Risk. Most such policies do not cover theft of funds, future losses of revenue beyond the initial business interruption period, loss of trade secrets, or bodily injury or property damage from a cyber attack.
Companies often underestimate the amount of insurance needed even for risks that are covered, Kalinich says. "One of the biggest mistakes is to focus too much on the policy's premium, as opposed to the total cost of risk." He adds that companies must consider their business relationships with vendors and other external parties, and should not assume all risks are associated only with their internal systems.
AIG's Grella says another mistake is "thinking that your IT systems alone can protect you." Cyber risk mitigation, including insurance, must involve teamwork by managers from IT, human resources, legal, finance, and someone at the board level, she adds.
Another pitfall to avoid is putting your cyber risk policy in a bottom drawer and forgetting it, says Robert Hartwig, president of the Insurance Information Institute. "Every day, there are new revelations about vulnerabilities and about the sophistication of people with malicious intent."
For example, Hartwig says, the Affordable Care Act ("Obamacare") mandates that patient records be digitized. Health care managers' cyber risk exposure will "grow exponentially over the next four years," he says, as patients inevitably receive faulty treatment due to system errors and downtime.
In another example, says Kalinich, Microsoft dropped support for Windows XP on April 8, and many cyber risk policies exclude from coverage computers for which support is not current. Companies that continue to use Windows XP should re-negotiate their insurance on those machines, he says.
Emily Cummins, director of tax and risk management at the National Rifle Association, says that organization offers cyber insurance as part of an integrated enterprise risk management program, but she declines to offer specific details about its insurance policy. She warns, "The gravity of a potential loss may not necessarily correlate to the number of records breached. The Target [Corp.] data breach has been so publicized that it is becoming a market-moving event for cyber insurance. But I want to make it clear to all sizes of enterprises that a data breach can cause a catastrophic uninsured loss for any size organization."
Gary Anthes is a technology writer and editor based in Arlington, VA.