*This is the fourth post in a five-part series on cyber insurance, culminating in a webinar entitled “Insurance Coverage for Privacy and Data Breaches, Hot Topics and Critical Issues” on Wednesday, April 22, 2015, at 12:00-1:00 p.m. Eastern.*

Common questions we hear from CEOs, CFOs, and Directors of businesses and public and private institutions are “How do we determine our cyber insurance coverage needs? In other words, how do we know that we have enough insurance to protect our organization in the event of a data breach or cyber-attack, and not so much that we are wasting money? Should we just benchmark what others in our industry are doing?”

What makes answering these questions difficult is that the CEOs, CFOs, and Directors often don’t have a firm grasp on what information and information systems they have in their organization, and the magnitude of what they stand to lose in the event of a data breach or cyber-attack. Below is some practical advice from two very experienced insurance brokers, followed by some additional questions to help you analyze your needs, followed by a brief examination of three studies that provide a cost per record loss analysis from the Ponemon Institute, Net Diligence, and Verizon.

What do brokers recommend?
Brokers are often asked about benchmarking coverage limits based on what others in the industry are doing.

Spencer Timmel of Hylant offered this advice:

“Many rely on benchmarking, but you must understand its limitations. Benchmarking is populated with historical purchasing data and the cyber market is relatively young. Minimal amounts of quality data in a dynamic area of risk can lead to buying unsuitable limits, which means a false sense of security or a waste of money. At Hylant, we feel a more effective way is to quantify a business’s specific risk. The first step is to identify the exposure by inventorying the systems. This process includes understanding what type of information is at risk, how the information is stored, who has access to it, and how it is segregated from other systems. With this information, we can formulate what a realistic data breach would look like and quantify the risk with real data breach cost statistics. This process is a more effective way to limits adequacy and will give the buyer more confidence in their investment in cyber insurance.”

Mario Paez of Wells Fargo offered this advice:

“When considering appropriate limits of insurance, it is important to be reminded that insurance solutions are one piece of a larger risk transfer program within individual organizations. There are many privacy and security risk mitigation/transfer strategies (such as data classification, data retention, employee training, tightened indemnification with relevant third party vendors, updated and tested incident response plans, etc.) that significantly contribute to a particular organization’s risk profile. These risk mitigation/transfer strategies must also be considered when evaluating limits of insurance along with analyzing recent claim trends from industry, carrier and internal broker databases. Industry data breach calculators based on historical claims data are helpful in determining limit adequacy, however the specific risk profile and security posture of an individual organization is a necessary component to forecast potential breach scenarios and determine more appropriate limits of liability, defense, regulatory and breach response expense insurance coverage for example.”

What do you stand to lose?
From a practical standpoint, it seems as though the first step to determine your coverage needs is to determine what you stand to lose in the event of a data breach or cyber-attack. This involves an inventory of the types of information and information systems you have, and an assessment of the magnitude of harm expected to result from having that information compromised. (This is like determining what it would cost to replace your home if it was destroyed by a fire, rather than an assessment of the risk that your home would be destroyed by a fire.)

Your organization likely has more valuable records than you might expect. You likely have employee records, including possibly medical records if you have a self-funded healthcare plan and retirement plan records; customer information; vendor payment records; or other confidential information, financial records, proprietary records, and trade secrets.

You have to assess the level of impact to your organization if each of those records were compromised. You might do this by assessing the potential level of impact as low, moderate (resulting in serious adverse effects), and high (resulting in severe or catastrophic adverse effects on organizational operations, assets, and to individuals). You then have to determine which assets to insure, e.g., just high-valued assets, or moderate and high-valued assets.  An officer or director of an organization, who must exercise his or her duties as a fiduciary, is likely to be more risk averse and insure to the likely amount of a catastrophic loss rather than gambling on a lower risk or chance of loss occurring.

An added benefit of doing an inventory and assessment of your information and information systems is that you can adjust your record retention policies to keep what is important to your organization for only as long as the information is needed, which will reduce your record retention costs. This may also reduce your litigation related electronic discovery costs as you will likely have fewer records that will need to be reviewed and produced in response to a lawsuit.

What about costs per record?
Once you determine what information you have, you have to determine what it would cost if that information was compromised in a data breach or cyber-attack. There are several publications that address this, and you will want to involve your insurance broker in this analysis.

  • Ponemon Institute’s Cost of Data Breach Study: United States indicated that the total average cost to an organization for a data breach resulting from the loss of 100,000 or fewer records was $5.9 million, with an average cost per record of $201. If you dug into the data, the study indicated that this cost included $3.2 million in lost business, which is often not insurable. If you dug even further, the study indicated on a percentage basis that the total average cost included 38% for lost customer business, 8% for customer acquisition cost, and 2% for free or discounted services, most of which is typically uninsurable. The remaining 52% of the total average cost included services for investigations and forensics (13%); audit and consulting services (7%); outbound and inbound contact costs (10%); public relations and communications (1%); legal services (defense and compliance, 19% combined); and identity protection services (2%). So the total amount of insurable costs may be closer to $100 or less per record.
  • Net Diligence’s 2014 Cyber Claims Study looked at a sampling of 117 data breach insurance claims. Net Diligence reported that the average claim payout was $733,109, with the average claim payout for a large company being $2.9 million, and with the average payout in the healthcare sector being $1.3 million. Net Diligence reported that the median per-record cost was $19.84, with the average per record cost being $956.21. Significantly, Net Diligence reported that the average cost for Crisis Services (forensics, notification, legal guidance, and miscellaneous other expenses) was about $366,500, the average cost for legal defense was about $700,000, and the average cost for legal settlement was about $560,000. The key factor in Net Diligence’s study that you need to keep in mind is that these figures represent “payouts” covered by the insurance policies, and not necessarily the total amount of loss claimed by the policyholders.
  • Verizon’s 2015 Data Breach Investigations Report concluded that trying to determine what your loss may be based on a cost per record estimate is a very poor method by which to predict your actual costs from a data breach. Verizon looked at the Ponemon Institute and Net Diligence studies, data breaches involving more than 100,000 records, and other information and concluded that the average cost per record was $0.58. One of the most important points from the Verizon report was that “there’s lots of stuff contributing to the cost of breaches besides the number of records lost.” And having a robust incident-response plan, keeping lawyers on retainer, and having pre-negotiated contracts for customer notification and credit monitoring help keep costs under control.

So trying to come up with what you stand to lose based on a cost per record seems like only half the puzzle because you have to factor in other significant costs, like what will it cost my organization to defend several class action lawsuits and regulatory investigations if there is a breach? These additional costs will be further explored during the upcoming webinar.

What about sub-limits?
Another thing to keep in mind when deciding how much insurance you need is to consider your coverage sub-limits. For example, you may think you have a $10 million policy, but if it only has $500,000 of coverage for defense costs, you may find yourself underinsured (using Net Diligence’s HIPAA example of an average defense cost of $700,000 per incident) and having to pay for certain costs, like underinsured defense costs, out of pocket.

Whether you have enough cyber insurance depends on what information and information systems you have, how much that information is worth to your organization, and the damages that could reasonably result if the information is compromised.

Look for our next post: “Cyber Insurance: What Terms and Conditions Should I Consider When Buying?”

The author, Bill Wagner, JD, CPCU, CIPP/US, is a member of the Sedona Conference Working Groups on Data Security and Privacy Liability, and Electronic Document Retention and Production. He also serves as a Steering Committee Member to DRI’s Government Enforcement and Corporate Compliance Committee.