The theft of personal details of millions of individuals in a U.S. government database might sound shocking, but it really isn’t given the latest stream of well-publicized hacking events in the retail, financial and insurance industries. Neiman Marcus, eBay, Home Depot, JP Morgan Chase, Sony and Anthem are among the high-profile casualties.
Given that a cyber breach has now become statistically likely to happen sooner or later, financial firms are trying to mitigate their potential financial losses through an old yet reliable approach — insurance. Just as worker’s compensation and general liability insurance are meant to compensate for many types of mishaps, cyber insurance should do the trick when it comes to hackers and other causes for data loss. Or so the C-level rationale goes.
Unfortunately, cyber insurance is a relatively new field and ignorance is common. So is impulse-driven buying or not buying, say attendees and panelists at a recent cybersecurity event hosted by the Securities Industry and Financial Markets Association (SIFMA) in New York. If only risk managers put their heads together with C-level executives, legal counsel, and IT directors, well-informed rather than reactive decisions would be the norm. That’s easier said than done. They will all have to go through a steep and costly learning curve.
With cybersecurity breaches on the rise and in the line of vision of customers, investors and regulators, it stands to reason that buying cyber liability coverage insurance is a good thing. But that is only after plenty of research about what kind of policies are available, what they should cost and what they will pay for. Just as bad as buying the wrong insurance or paying too high a premium for the potential payout is the mistaken idea that cybersecurity prevention efforts have already made the firm bullet-proof. Precedent shows that a breach can happen even in the largest and presumably most technologically sophisticated firms.
“Far too often, financial firms might make a decision to buy cybersecurity insurance without reading the fine print or to not buy cybersecurity coverage on the basis it might be too expensive,” said one expert at the well-attended SIFMA event, whose opinion was shared by several others who spoke with FinOps Report.
With either of these extremes, the results can be disastrous: a claim will not be compensated, or an unforeseen breach could take place that could wipe out the firm. On average, a cybersecurity breach cost about US$2.7 million in 2014, a 34 percent increase from the year before, according to a study conducted by PricewaterhouseCoopers. Another analysis by the Ponemon Institute found the figure to be around US$5.8 million.
In the event that data is stolen, destroyed, extorted or compromised, cyber insurance can help to minimize the financial damage and indemnify companies against certain losses. Yet it’s not a total panacea, warn attorneys and IT experts. Like healthcare insurance, coverage against hacking events will not replace sound preventative medicine — like taking responsibility for personal good health to mitigate medical costs. Likewise, cyber insurance typically only pays a portion of the losses and there are deductibles involved. In a worst case scenario, the cyber insurance firm might even deny compensation, forcing the affected financial firm to seek legal help from a growing cottage industry of insurance recovery specialists.
Lack of Uniformity
“The terms of cyber liability insurance policies are not dictated by regulators and, unlike general liability insurance, no standard language has been adopted by the insurance industry,” explains Brian Himmel, a partner in the law firm of Reed Smith in Pittsburgh specializing in insurance recovery. “As a result, there can be a great deal of variation between policies, and what might be covered under one policy may not be covered under another.” Even worse, what might seem to be a clearly covered event resulting from a data breach can turn into a disagreement with the insurance provider over whether the terms of a particular policy actually provide coverage or not.
The legal recourse: anything from simply sending a stern letter to the insurance company requesting full payment, all the way to a formal negotiation over how much should be paid under threat of litigation. Litigation is a last resort, and not only because of the legal costs. In the handful of cases which have addressed payments for a cyber breach based on general liability insurance, judges have ruled in favor of the insurance firm.
Case in point: Connecticut’s Supreme Court recently affirmed an appellate court decision that Recall Total Information Management had no coverage under its general liability insurance policy for a data breach incident that occurred when a cart holding computer tapes with 500,000 employee records fell out of a transportation contractor’s van near a highway exit ramp. The court’s rationale: Recall Total Information Management had failed to prove that the information on the tapes had been accessed by anyone.
The better option to relying solely on insurance is to protect and preserve. “The game plan for handling cybersecurity risk should be twofold: buying insurance to cover some or all of the losses while reducing the potential for loss,” says Eric Anderholm, chief executive of Sargeant Laboratories, a technology firm in La Crosse, Wisconsin, specializing in cybersecurity risk monitoring.
If the potential for financial loss weren’t enough motivation, the Securities and Exchange Commission and the Financial Industry Regulatory Authority (FINRA) are on the lookout for firms not operating under a “reasonable standard” to protect against the loss of critical data. These watchdogs have been clear that they won’t hesitate to take enforcement action against slackers.
Speaking at the SIFMA event, Vincente Martinez, head of the SEC enforcement division’s office of market intelligence, warned attendees that the SEC’s definition of “unreasonable” may range from failing to install anti-virus software on computers to failing to correct cited deficiencies in cybersecurity protections. Last week, FINRA settled a case for US$225,000 against Sterne Agee & Leach after an advisor left his unprotected laptop in an airport bathroom. The reason for the fine was that the firm was previously warned about its lack of information security procedures and had not taken action.
Reducing the potential for a data breach naturally falls squarely in the IT department’s lap and it’s a tall order. As a rule of thumb, IT specialists are well-versed in selecting and running a company’s applications, but have far less experience in mitigating the potential of security breaches. Hence, third party consultants and auditors are in big demand to help identify shortcomings that need to be addressed.
Just as important as sewing up any technology loopholes is training staff to avoid the obvious: suspicious emails, requests to share passwords, and misplacing laptops with critical data outside the workplace. “Addressing human weakness through training is critical to data loss prevention,” acknowledges Patrick Cox, senior vice president and chief privacy officer in San Diego for LPL Financial, one of the US’ largest independent broker-dealers. “It has a significant payoff.”
For financial firms seeking to go the extra mile to protect their assets and their profits, insurance falls into two broad categories: first-party and third-party. First-party coverage typically refers to payments to the company to cover damage from the policyholder’s own loss of data and for other harm to the business such as theft, fraud and the cost of forensic investigations. Third-party coverage, which covers litigation and regulatory costs as well as credit monitoring, is far more prevalent in the US than in Europe because of legal requirements to notify customers in the event of a data breach.
Tough Math
To determine which risks are the most important to cover, financial firms need to do some homework in the form of calculating risk metrics. Just where does cybersecurity risk exist, and how much might a breach actually cost the firm? Obviously, the better equipped the firm is to prevent such an event, the more likely an underwriter may be to lower premiums. Still, the relative dearth of actuarial information on which security controls and products are the most effective means that insurance firms are wary about adjusting their premiums too much.
It also helps to be realistic about what insurance can cover. Experts told FinOps that cybersecurity insurance doesn’t do much to cover intellectual property theft, reputational damage or a business downturn caused by a security breach.
Given such limitations, how can a financial firm get ready to obtain the best deal possible? An internal quantitative assessment of financial risk, as described above, is a good start. It likewise helps to understand, and be able to talk about, the specific vulnerabilities that could lead to high-dollar losses. Risk management teams may need to reach out to their IT counterparts for the hard details of how risks may occur, but the risk officers are the ones ultimately responsible for handing the chief executive officer, chief financial officer and the board a cost-benefit analysis based on a cost-efficient risk model, explains Anderholm.
That cost-efficient model is based on self-protecting as much as is reasonable and insuring only the residual risk. Policy costs vary widely depending on the revenues of a company, its risk profile, what is covered, and the underwriter involved. FinOps was given a broad range of figures for policy costs, but the most common for “primary policy” coverage with a low deductible appears to be around US$35,000 a year per US$1 million in coverage. With potential losses and liability easily climbing into the tens of millions of dollars for large firms, the cost of using insurance to cover every possible exposure can add up fast.
Despite the relative infancy of the field, cyber risk underwriters are ramping up quickly in policy writing and premium pricing. “We expect full and complete answers to our questions on the measures the firm has taken to mitigate a potential data breach, including its culture, training of employees, technology and procedures in the event of a breach,” says Steven Goldman, executive vice president in New York for the professional risk division of ACE Group. “It’s a multidisciplinary effort on the buyer’s side and in the case of larger firms, the IT, risk management, compliance and finance specialists will either come to the negotiating table or at the very least participate in answering the questions.”
Ultimately, the premium charged will come down to the quality of the “holistic approach” taken by the financial firm in its loss controls, along with a factual profile of the firm including its revenues, industry sector, the type of data and number of records which must be protected, its history of data breaches and other active insurance coverage. The better prepared the client to answer these questions, the faster the process will move to a final decision acceptable to both sides.
As is the case with any third-party service, price isn’t everything. An insurer with a strong balance sheet, a long track record and underwriting experience in the specific risks is generally considered a safer bet than a fledgling cyber insurance firm that might charge far less. The largest providers, such as ACE, also offer referrals to a network of forensic investigators, credit monitoring, and crisis communications specialists in case a breach does occur.
Since cybersecurity insurance firms have a vested interest in ensuring that the premiums paid are higher than the payouts made, IT and risk management specialists shouldn’t take it upon themselves to simply sign on the dotted line. That is where legal experts come into the picture to read the policy’s fine print on what is and isn’t covered. And there will be plenty of it.
Interpretation Counts
For starters, does the policy cover data stored offsite, out of the company’s building or in a cloud by a third-party? Chances are it does, but if it doesn’t there may be a need for additional coverage called excess contractual tech coverage. In some cases, the vendors of the policy holder may have their own insurance, which might offer primary coverage to the financial firm if it is identified as an “additional” insured on the vendor’s policy or at least provide some additional payout in the event of a cyber claim.
It is also important to understand how much of a claim will be honored, when notice of a claim must be given, and under which circumstances coverage can be voided. “Retentions are always an important issue and come down to a negotiation over how much risk will be retained by the policyholder,” says Peter Tracey, a partner in the insurance recovery group of the law firm of Perkins Coie in Washington DC.
Many cyber insurance programs will still have different retention — or deductible — amounts for first-party and third-party insurance. “What that potentially comes down to is a large retention amount for the financial firm should it require payouts under first party and third party insurance,” explains Tracey. A far better option is to have the insurance firm agree to only a single retention amount. Goldman says that clients of his firm purchasing both first- and third-party insurance will only incur one retention amount, which is the higher of the two categories.
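As a worked illustration of the cost-efficient model described under “Tough Math” (self-protect as far as is reasonable, then insure only the residual) and of the separate-versus-single retention structures Tracey and Goldman describe, here is an added Python example; it is not code from FinOps Report or from any firm quoted in the article. The US$35,000-per-US$1 million premium rate and the US$2.7M/US$5.8M average breach costs are the page’s figures; the loss scenarios, their probabilities, the first/third-party split, the retention amounts and the policy limit are constructed assumptions.

```python
"""Toy cost model for "self-protect, then insure the residual" (added example;
not code from FinOps Report or any firm quoted). Page figures: ~US$35,000 per
US$1M of primary coverage; average breach cost US$2.7M (PwC) / US$5.8M (Ponemon).
Scenario probabilities, first/third-party split, retentions and limit are assumed."""
from dataclasses import dataclass

PREMIUM_PER_MILLION = 35_000.0  # page figure, primary coverage with a low deductible

@dataclass
class LossScenario:
    probability: float  # assumed annual likelihood of the event
    first_party: float  # own losses: forensics, restoration, fraud
    third_party: float  # litigation, regulatory costs, credit monitoring

# Constructed scenarios; the second one totals the page's US$5.8M average.
SCENARIOS = [
    LossScenario(0.20, 200_000, 300_000),      # lost laptop holding client data
    LossScenario(0.05, 2_700_000, 3_100_000),  # network intrusion, records stolen
]

def premium(limit: float) -> float:
    """Annual premium for a policy limit at the page's quoted rate."""
    return limit / 1_000_000 * PREMIUM_PER_MILLION

def retained_loss(first, third, limit, ret_first, ret_third, single_retention):
    """Loss the policyholder keeps after retention(s) and the policy limit.
    single_retention=True: one retention, the higher of the two, on the combined loss."""
    if single_retention:
        payable = max(first + third - max(ret_first, ret_third), 0.0)
    else:  # each category absorbs its own retention before the insurer pays
        payable = max(first - ret_first, 0.0) + max(third - ret_third, 0.0)
    return first + third - min(payable, limit)

def expected_annual_cost(limit, ret_first, ret_third, single_retention,
                         scenarios=SCENARIOS, control_factor=1.0):
    """Premium plus expected retained loss. control_factor < 1 models the
    probability reduction bought by preventive controls (self-protection)."""
    exp_retained = sum(s.probability * control_factor
                       * retained_loss(s.first_party, s.third_party, limit,
                                       ret_first, ret_third, single_retention)
                       for s in scenarios)
    return premium(limit) + exp_retained

if __name__ == "__main__":
    for label, limit, single in [("self-insure", 0, False),
                                 ("US$5M, separate retentions", 5_000_000, False),
                                 ("US$5M, single retention", 5_000_000, True)]:
        cost = expected_annual_cost(limit, 100_000, 250_000, single)
        print(f"{label:28s} US${cost:>12,.0f}")
```

Under these assumptions the single-retention structure is never worse than separate retentions for an event that triggers both first- and third-party losses, and lowering the scenario probabilities through controls (control_factor) shows how much residual risk is left to insure.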
Although it sounds like the cyber policy should be effective on the day it is signed, experts advise that it is preferable to make it retroactive to some months earlier. The reason: there could easily be a breach which took place prior to that time but which was not discovered until months after the policy was purchased. “Your adversary has been in your system for many months so you need to pay attention to the effective date of the policy,” cautions Neil Pollard, a director in the forensic technology practice at PwC in McLean, Virginia focusing on cyber crime. In some cases the “bug” could have been lingering for eight months before attacking, while in other cases it could be several years. He recommends that financial firms do their utmost to reduce the time it takes to discover a cyber breach.
As is the case with all contracts, representations and warranties count. The question of whether the firm knows of any circumstances that might give rise to a claim is one of the most important — and riskiest ones — asked by cyber insurance underwriters. The reason: it requires the financial firm to specifically state it is either aware or not aware of a specific cyberbreach which has either taken place or will take place down the road, explains Tracey. If risk management or other senior management typically responsible for answering the question either omitted or misstated material information, the insurance firm could deny the policyholder’s claim. It could even try to rescind or cancel the policy.
With data breaches so costly, a mishap so likely and cyber insurance payouts never guaranteed to make a financial firm or its customers completely whole, financial firms may have to accept the fact that all they can do is their best. “It comes down to mitigating the cost of data loss up front and after the fact,” says a cybersecurity manager attending the SIFMA event. “You might not be entirely happy with insurance, but you can’t live without it either so you might as well maximize its benefit.”