Weathering the financial fallout of a data breach

Sept. 5, 2013
Why cyber insurance should be a part of your risk mitigation strategy

While companies rightly focus resources on data breach prevention procedures and products, breaches may still happen. The increasing volume and associated financial cost of data breaches should prompt organizations to also prepare for post-breach damage, which includes financial loss.

In fact, the financial ramifications can be sizeable. In a 2013 study by the Ponemon Institute, "Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age," 56 percent of those surveyed had breaches and reported an average cost of these incidents to be $9.4 million in the last 24 months. However, these costs are only a fraction of the average maximum financial exposure of $163 million that the survey respondents (breached or not) believe they could suffer due to cyber attacks. It is no surprise then that the majority of those companies ranked security risks as equal to or greater than natural disasters.

Yet, less than a third of the surveyed companies reported they have a cyber insurance policy in place.

Perceived Barriers

The study showed that price was a key roadblock for purchasing cyber insurance. Other reasons companies identified for not purchasing insurance included concerns about too many exclusions, restrictions and uninsurable risks. However, of those with insurance, 62 percent believe the premiums are fair given the nature of the risk.

Another barrier for companies is that often there is no clear role that is responsible or can make the purchasing decision for selecting a cyber insurance. The Ponemon Institute study showed that the decision-making is dispersed among risk management (40 percent), compliance (17 percent) and the chief information security officer (16 percent) as the top three roles at an organization noted.

Often, there is also a lack of agreed risk management standards and the challenge of substantiating and quantifying losses, in addition to finding objective data to back up cyber insurance claims.

Consider Insurance in the Security Mix

Not surprisingly, experiencing a breach is a major motivator to consider cyber insurance. Among companies that experienced an incident, 70 percent of survey respondents said the experience increased their interest in insurance while 39 percent overall said their organization plans to purchase a policy.

Security industry professionals are in a great position to help organizations understand the prevention tools and methods available as well as proper post-breach response. Some of the key steps an organization should take to prepare are to identify personnel to form a breach response team, create a plan – and more importantly practice that plan – and enlist third-party experts such as outside legal counsel to be a part of the response team.

In this mix, the breach plan should include securing cyber insurance to ease financial consequences. In looking at cyber insurance, here are a few things to consider:

• Before assessing policies, determine the level of coverage and benefits needed for the company’s risk. This can vary for organizations considering the amount of data they should be protecting, number of employees and government or industry-specific regulations.

• There are two kinds of claims: First-party, which are costs incurred by the loss of trade secrets and intellectual property or Third-party, which are damages a business must pay to customers who sue them for lost or compromised personal information.

• There is also business interruption coverage that allows a company to receive payment reimbursement for expenses incurred due to loss of business if a data breach incident prevents the company from operating.

• Policies sometimes cover the cost of an examination into how the data breach occurred and some may even cover the costs of regulatory fines and penalties in addition to the crisis management control, which includes distributing data breach notification letters.
Additionally, being equipped with cyber insurance provides a breach resolution partner with access to quality resources needed to effectively manage the fallout from an incident.

While a small number of companies currently carry cyber insurance, 62 percent of survey respondents reported that just the process of evaluating insurance improved the company’s cyber security preparedness and readiness. This is a clear sign that we will see substantial growth in preparedness and, subsequently, the cyber insurance industry.

About the Author: Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.