Given the high cost per incident, management awareness of cyberrisk is at an all-time high, according to the 2012 Cost of Cyber Crime Study by The Ponemon Institute, a well-respected cyber research firm. The report found that most risk managers view cyber insurance to be a key piece of their strategy for mitigating their company's cyber exposures. While only about a third of companies in the study currently have a policy, nearly 40 percent say they now plan to purchase one in the next year. So there still is much education and awareness to come.
The Ponemon study results were validated by independent reports from Advisen and Zurich Insurance Group, as well as Verizon. Viewed together, several significant trends are clear:
Million Dollar Security Data Breaches
The average financial impact to companies per incident was $9.4 million. Most incidents involved the loss of confidential business information. (The Ponemon Institute: Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age)
Mobile devices and cloud computing pose an increasingly significant risk. Nearly three-quarters of the risk managers polled said they now have a mobile device security policy. Aggregation of data into large databases also poses an increasing hazard. (Advisen and Zurich: A New Era in Information Security and Cyber Liability Risk Management, October 2011)
Improving Insurance Options
Cyberrisk insurance coverage is a critical part of a risk manager's toolkit today. Over the past decade, insurance carriers have become more sophisticated and comprehensive in their product offerings. (The Ponemon Institute: Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age)
Cyber Incidents Increasing
Data breaches continue to grow. The number of compromised records across the reported incidents "skyrocketed back up to 174 million after reaching an all-time low in the  report of four million." (Verizon: 2012 Data Breach Investigations Report)
More Than an IT Issue
Cyberrisk now ranks among the most important insurable risks, along with natural disasters, fires and other catastrophic events. More than three-quarters of respondents characterized cyberrisk as greater than or equal to losses from a natural disaster, business interruption, fires, etc. (The Ponemon Institute: Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age.)
Lori Bailey, Global Head of Professional Liability for Zurich General Insurance, said, "Any strategy to protect and mitigate the impact of a cyberrisk event has two important transferring what can be enormous financial costs, and gaining access to the needed technical expertise by way of a response team that can reduce both the immediate and long-term impacts of the event on the organization." With a separate cyberrisk policy, even a small business can obtain important financial protection and access to the needed resources and response team, she added.
In many states, a cyberrisk event will trigger regulatory requirements requiring a business to notify affected customers within 72 hours of the breach, as well as find, fix and protect the data from another attack. Credit monitoring is often required to be offered to the customers affected, among other possible remedies. The costs, on average, Ponemon reports, were $188 per record during 2012. Cyber insurance policies will cover the financial costs of the event, up to the limits of the policy. But almost all policies give the company access to a sophisticated response team employing forensics techniques that will meet the regulatory requirements.
Rapid response is critical for mitigating the financial and reputational impact of a cyber event. Bailey points out that if customer records are stolen during an attack, the costs can escalate even faster depending upon the number of records and the industry affected. Even a small company can face a multimillion-dollar loss. Having an incident response plan in place is one of the most important things a company can do. Not only will it help engage customers, media and other stakeholders in a proactive way, but it can also prove extremely beneficial in helping to mitigate any damages resulting from a cyberrisk event.
There are generally two types of coverage available under a cyber-liability policy:
-- Third Party Coverage:
This coverage would include security and privacy liability coverage, including coverage for regulatory proceedings and legal defense costs. An important option, especially depending upon your industry, is internet media liability coverage.
-- First Party Coverage:
This coverage would include the costs of a forensic investigation as well as legal, public relations and notification expenses, including credit monitoring for affected individuals. Reputational costs, usually difficult to identify and assess, are mitigated by these kinds of services. It will also include coverage for loss of business income, and includes the cost of replacing digital assets. It can also include coverage of cyber extortion threats and reward payments.
NetDiligence, in its annual discussion of cyberrisk trends, reported in its 2013 Cyber Claims Study that the average claim now runs about $3.5 million. Claims, the analysis noted, range from a low of $13,000 to a high of $10.5 million.
Costly claims may account for the fact that, according to the Ponemon study, satisfaction with the policies remains high among those who have purchased them. In addition, nearly two-thirds of the respondents also said the coverage is an important part of their risk management strategy and that the mere purchase of coverage "made the company better able to deal with security threats."
Bailey said, "The risk has always been there; it's the awareness that has changed for the better." She added, "It's an evolving risk, but we understand how to manage it by mitigating the financial costs and providing the kind of needed services that can reduce the impact of breach."
This material is provided for informational purposes only and was compiled from sources believed to be reliable. Any sample policies and procedures and references to insurance policies and coverages herein should serve as guidelines only. Please consult with qualified legal counsel to address your particular circumstances, questions and needs.
Zurich is not providing legal advice and assumes no liability concerning the information set forth above.
(The above piece is part of our continuing Insights series designed to highlight key products and services to our readers. This paid-for Insights was written and edited by Risk & Insurance® on behalf of our marketing partner. Additional Insights can be found on our Web site at www.riskandinsurance.com.)
September 17, 2013
Copyright 2013© LRP Publications