Wednesday, September 18, 2013

Cyber: The Risk That Keeps Managers Awake At Night

Email and social media have quickly become the most common way to communicate. Electronic data is growing at an exponential pace. So it should come as no surprise that cyberrisk is fast becoming the largest risk management challenge faced by executives at companies big and small. A data breach, regardless of its cause, can be incredibly expensive and time consuming. While reported costs vary, costs per breach have been reported as high as $10 million. (NetDiligence Cyber Risk Claims Study, 2013)
Given the high cost per incident, management awareness of cyberrisk is at an all-time high, according to the 2012 Cost of Cyber Crime Study by The Ponemon Institute, a well-respected cyber research firm. The report found that most risk managers view cyber insurance as a key piece of their strategy for mitigating their company’s cyber exposures. While only about a third of companies in the study currently have a policy, nearly 40 percent say they now plan to purchase one in the next year. So there still is much education and awareness to come.
The Ponemon study results were validated by independent reports from Advisen and Zurich Insurance Group, as well as Verizon. Viewed together, several significant trends are clear:

Million Dollar Security Data Breaches
The average financial impact to companies per incident was $9.4 million. Most incidents involved the loss of confidential business information. (The Ponemon Institute: Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age)

Evolving Risk
Mobile devices and cloud computing pose an increasingly significant risk. Nearly three-quarters of the risk managers polled said they now have a mobile device security policy. Aggregation of data into large databases also poses an increasing hazard. (Advisen and Zurich: A New Era in Information Security and Cyber Liability Risk Management, October 2011)

Improving Insurance Options
Cyberrisk insurance coverage is a critical part of a risk manager’s toolkit today. Over the past decade, insurance carriers have become more sophisticated and comprehensive in their product offerings. (The Ponemon Institute: Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age)

Cyber Incidents Increasing
Data breaches continue to grow. The number of compromised records across the reported incidents “skyrocketed back up to 174 million after reaching an all-time low in the [2011] report of four million.” (Verizon: 2012 Data Breach Investigations Report)

More Than an IT Issue
Cyberrisk now ranks among the most important insurable risks, along with natural disasters, fires and other catastrophic events. More than three-quarters of respondents characterized cyberrisk as greater than or equal to losses from a natural disaster, business interruption, fires, etc. (The Ponemon Institute: Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age.) 
In many states, a cyberrisk event will trigger regulatory requirements that oblige a business to notify affected customers within 72 hours of the breach, as well as to find, fix and protect the data from another attack. Credit monitoring is often required to be offered to the customers affected, among other possible remedies. On average, Ponemon reports, the costs were $188 per record during 2012. Cyber insurance policies will cover the financial costs of the event, up to the limits of the policy. But almost all policies give the company access to a sophisticated response team employing forensics techniques that will meet the regulatory requirements.

Rapid response is critical for mitigating the financial and reputational impact of a cyber event. Bailey points out that if customer records are stolen during an attack, the costs can escalate even faster depending upon the number of records and the industry affected. Even a small company can face a multimillion-dollar loss. Having an incident response plan in place is one of the most important things a company can do. Not only will it help engage customers, media and other stakeholders in a proactive way, but it can also prove extremely beneficial in helping to mitigate any damages resulting from a cyberrisk event.
There are generally two types of coverage available under a cyber liability policy:
  • Third Party Coverage: This coverage would include security and privacy liability coverage, including coverage for regulatory proceedings and legal defense costs. An important option, especially depending upon your industry, is internet media liability coverage.
  • First Party Coverage: This coverage would include the costs of a forensic investigation as well as legal, public relations and notification expenses ‒ including credit monitoring for affected individuals. Reputational costs, usually difficult to identify and assess, are mitigated by these kinds of services. It will also include coverage for loss of business income, and includes the cost of replacing digital assets. It can also include coverage of cyber extortion threats and reward payments.
NetDiligence, in its annual discussion of cyberrisk trends, reported in its 2013 Cyber Claims Study that the average claim now runs about $3.5 million. Claims, the analysis noted, range from a low of $13,000 to a high of $10.5 million.
Costly claims may account for the fact that, according to the Ponemon study, satisfaction with the policies remains high among those who have purchased them. In addition, nearly two-thirds of the respondents also said the coverage is an important part of their risk management strategy and that the mere purchase of coverage “made the company better able to deal with security threats.”


Thursday, September 12, 2013

Individual mandate delay would increase number of uninsured!

Delaying by one year to 2013 the health care reform law requirement that most Americans enroll in a health care plan or pay a fine would reverse - at least temporarily - the expected dramatic decline in the number of uninsured, according to a Congressional Budget Office report.

That mandate, coupled with an expansion of the Medicaid program in many states and availability of federal premium subsidies to lower- and middle-income uninsured people to help offset the cost of policies purchased in public insurance exchanges, was expected to reduce the number of uninsured in 2014 to 44 million, down from an estimated 58 million uninsured in 2013, the CBO said in its most recent report.

But without the individual mandate, about 55 million people under age 65 will be uninsured in 2014.

On the other side of the fence...

Earlier, the Obama administration delayed to 2015 the ACA requirement that employers with at least 50 full-time employees offer coverage or pay a $2,000 penalty per employee, minus the first 30 employees.

This delay to a key provision of the ACA has employers in the nation jubilant - however, employers will still have to comply with other provisions of the Patient Protection and Affordable Care Act unless the Treasury Department expands its delay.

Why did this happen? Regulators have not provided any guidance on how employers are to comply with the requirement to file health care plan enrollment information for all their employees with the federal government.

So nothing’s changed. As you were. Keep on Keeping on!