BreachExchange mailing list archives
Business data breaches driving up demand for cyberinsurance
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 13 Oct 2014 18:55:52 -0600
http://www.northjersey.com/news/business/insuring-against-loss-from-hackers-1.1107528

When Robert Morris' grandfather co-founded the Rampart Group insurance brokerage 50 years ago, the priority for most of his business clients was making sure they had adequate fire insurance, and insurers checked to make sure their clients' office and factory buildings had the right firewalls.

Now, Rampart Group's biggest clients are concerned about a different kind of firewall, and they are making sure they are covered if their electronic databases and computer systems are breached.

"Today's hot button is cyberinsurance," said Morris, president of Rampart, which has offices in Fort Lee and three other locations. "We're up over 200 percent on cyberpolicies since last year, and it's still growing rapidly."

Cyberinsurance covers companies for costs from data breaches, unexpected computer crashes or shutdowns caused by hackers. Corporations first began seeking cyberattack coverage about six years ago, as news of costly data breaches began to surface. Many early attacks were caused when an employee's laptop was stolen or computer backup tapes were misplaced. But over the past two years, reports of sophisticated criminal rings infiltrating retail, bank and government computer systems and the undetected collection of credit card data and personal information have become alarmingly common.

This month, news that JPMorgan Chase, the financial giant with a reputation for investing heavily in data security, had been breached and that addresses and phone numbers connected to 83 million household and business accounts had been stolen reinforced fears that no one is safe from cyberattack.

News of the Chase breach came 11 months after Target, the nation's second-largest retail chain, was hit by a holiday-season hacking that compromised some 40 million credit and debit cards. The total cost to Target of that attack is expected to top $1 billion.

Home Depot, Neiman Marcus, eBay as well as smaller retailers also have been breached. Retail and bank breaches involving payment cards get the most publicity, but any place that handles confidential or financial information — hospitals, law offices, government agencies — has to worry about cyberleaks.

The Ponemon Institute, a Michigan-based research think tank specializing in data protection and security, reported on Thursday that cybercrime has cost a sampling of 59 U.S. companies an average $12.7 million this year, up roughly 10 percent from last year's average of $11.6 million. This year's average includes two companies that were each hit with more than $50 million in cyberattack costs.

Cybercrime expenses are rising, Ponemon Chairman Larry Ponemon said, because "the bad guys are getting better at what they do."

The accounting firm PricewaterhouseCoopers reported in September that data breaches increased 48 percent this year, with 117,339 attacks occurring each day around the globe.

American International Group, Chubb, Travelers and other large insurance carriers have rolled out corporate cybercoverage plans. Warren-based Chubb has developed a number of specialized cybersecurity products, including policies designed for health care organizations, lawyers and small businesses.

Marsh, the insurance brokerage division of Marsh & McLennan Cos., last month announced it would provide catastrophic cyberattack coverage for large companies that want an additional $300 million in coverage above the first $100 million in costs, which the company would be expected to cover.

Rates all over the map

Experts say the costs of cyberinsurance vary greatly and depend on the number of records or amount of data a company collects and needs to protect. Panelists at the Black Hat and Def Con conventions in Las Vegas in August said standard rates are $20,000 to $25,000 for $1 million of coverage.

Tom Ridge, the first U.S. homeland security chief, said last week that his company, Ridge Insurance Solutions, was joining with the venerable Lloyd's of London to offer cyberattack insurance. The Chase breach, Ridge said at an appearance in London reported by Bloomberg News, scared corporate executives around the world.

"Who would have thought that JPMorgan, with its security budget, could be hacked into," Ridge said. "Now a lot of people are thinking, 'If it could happen to them, it could happen to us, too.' "

Bloomberg reported last week that U.S. property insurers have record surpluses after investment gains and two years without devastating hurricanes. The insurers, as a result, are willing to take on additional risk, and see cyberpolicies as a new source of growth.

The pricing challenge

One problem insurers face, however, is knowing how to price a policy based on anticipated risk when information about the impact of cyberattacks is limited.

"The problem is there's not enough actuarial data to tell us how many attacks there are going to be and what's going to be the cost of the attack," said Rampart Group's Morris.

If a company comes to an insurer seeking fire insurance, Morris said, "they know what's going to burn, within certain parameters because they have the statistics for hundreds of years. We don't have that in cyber at all. Not even close." That causes prices for policies to be "all over the place."

Rampart Group brokered its first cyberinsurance some four or five years ago, Morris said. The policies, however, have become far more complex and sophisticated since then. Insurers now provide coverage packages that help a company notify customers of a breach, that provide forensic accounting services and credit-monitoring services and that pay for public relations or legal assistance.

Morris said Rampart Group itself pays for cyberinsurance coverage as part of its business insurance because it needs to protect itself if any confidential information on its customers is breached.

Michael Palmer, chief operating officer of HiTouch Business Services, a national office products and services company based in Saddle Brook, said cyberinsurance increasingly is becoming a standard cost of doing business.

'Policy from Day One'

HiTouch, a Rampart client, has never had a breach, but the company has had cybercoverage since it was founded in 2010. "We had a very small policy from Day One, and we've kept increasing it every year," Palmer said.

Recently, HiTouch has seen that its larger business customers, who enter into contracts for large purchases or services, want to deal with vendors who have cyberinsurance. "Their legal departments are saying these are the insurances every vendor you have must carry," Palmer said.

Cyberinsurance planning "has to be a collaborative effort" between the company and the insurer, Palmer said, adding that HiTouch has annual meetings with Rampart to evaluate its coverage. The coverage, he said, has to be coupled with HiTouch's internal data security and governance policies. The insurers "want to know that you're protected at a certain level before they're going to insure you," he said.

Industry experts say the drive for cyberinsurance should help strengthen corporate cyberdefenses in the same way that insurance companies years ago led the push for uniform building codes and code enforcement to reduce fire and property liability risks.

Personal coverage

The growth in corporate cyberinsurance is causing some insurance companies also to look at cyberinsurance riders on personal life insurance or homeowners policies, coverage that would provide reimbursement in cases of identity theft, stolen information, or even lawsuits linked to social media misuse.

Morris said he is trying to develop a personal cyberinsurance policy to provide $500,000 to $1 million in coverage for a premium of about $200 a year. The coverage could protect someone who might be sued because of something a family member posted on social media or bring in digital-reputation repair experts if the policy owner is attacked on social media.

"Cyberinsurance is becoming something every industry and really anybody who has a computer needs," Morris said. "Because anybody can get hacked."