Warding Off Hackers

Companies of all sizes seek coverage for a ‘virtual explosion of breaches’

By Joan Tupponce

Illustration by Matt Brown
Illustration by Matt Brown
Advances in information technology, from applications to digital records to cloud computing, are like candy to cyber thieves. If you think these hackers are targeting only the data of Fortune 500 companies, think again.

A report compiled by Verizon Communications’ forensic analysis unit in conjunction with the U.S. Secret Service and the Dutch National High Tech Crime Unit found a “virtual explosion of breaches involving smaller organizations” in 2010. “It’s not a matter of if you are going to have a breach; it’s when and how big,” says Erin Walters, Virginia executive risk practice leader for Baltimore-based regional insurance broker RCM&D Inc. “You can have the best IT system, but human error causes a lot of these breaches.”

Once considered by businesses as costly and unnecessary, cyber-risk coverage — or network security/privacy coverage as it is more commonly called — is becoming commonplace among businesses of all sizes. Why? Because any business regardless of size can come to a screeching halt if its IT system is attacked and confidential information about employees or customers is compromised. That type of incident can result in loss of revenues as well as the cost of restoring lost or damaged data.

As companies expand into services such as cloud computing, their risks tend to increase. “Cloud computing is the latest flavor of technology, and technology does carry with it certain risks,” says Bob Parisi, a senior vice president within Marsh Inc.’s financial and professional liability practice in New York. “You are aggregating a huge amount of data in one place. That attracts the criminal element. They want to attack something big.”

There are security concerns when companies deal with a third-party enterprise that offers cloud services. “You can have less control over the level of security on that site,” says John Lubatti, marketing manager for the mid Atlantic region of New York-based USI Insurance Services. He notes that some companies now are asking whether the vendor has network security/privacy coverage. “It’s not uncommon today to have that type of coverage required along with general liability in a service or supply contract.”

The current economy makes it difficult for some businesses to think about adding an additional expense to their insurance costs. “It’s hard to convince them that this is a coverage you need,” says Lubatti. Often companies believe they are not vulnerable to an attack because their transactions are not Internet related. “They still have information that is of a private nature and that exposes them to liability,” he adds. “That information can be on their computers or on paper. Either way it can still be compromised. One of the largest categories of breaches is lost or stolen laptops.”

Companies that lose confidential information must comply with privacy breach notification statutes that include legal and forensic expenses as well as the cost of notification and providing credit monitoring for anyone whose record was breached. Currently, Virginia, along with 45 states and the District of Columbia, Puerto Rico and the Virgin Islands, have enacted state security breach notification laws, according to the National Conference of State Legislatures. The only states without notification laws are Alabama, Kentucky, New Mexico and South Dakota.

Businesses and health-care providers failing to protect confidential information can face large penalties thanks not only to a number of state laws but also federal regulations such as the Sarbanes-Oxley Act, the Fair and Accurate Credit Transactions Act and HIPAA (the Health Insurance Portability and Accountability Act).

The retail, financial and health-care industries were among the first to sign on for this type of insurance coverage because of their risk exposure. “What we have seen more recently is that more companies are understanding that everybody has exposure from a privacy standpoint,” says Greg Longest, a senior vice president with Marsh Inc. in Richmond. In addition to customer information, companies also have “private information on their employees, such as their Social Security numbers and date of birth.”

When it was first issued more than 10 years ago, network security/privacy coverage was expensive. “There were very few markets that would write it,” Walters says. “Over the last 24 months the market has expanded significantly, and a multitude of carriers have begun writing this business. It’s become ultra-competitive and much more affordable.”

The cost of network security/privacy insurance to cover the expense of breaches and lost revenue varies depending on the type of company being insured. “It can range from as little as a few thousand for a small, uncomplicated account to tens of thousands annually for a company like an automobile dealership,” says Lubatti.

The coverage has broadened over the years, insuring more than network breaches. “[It’s] evolving,” says Michael Holland, a client executive for Wells Fargo. Network security also now includes privacy insurance, which covers losses resulting from a variety of events, such as an employee leaving confidential information unprotected on his desk or “dumpster diving for confidential information.”

Expenses covered in network security/privacy insurance include customer notification, credit monitoring for affected individuals, forensic costs, attorney fees and costs from incident response firms that help companies keep the incident out of the media.

Not all carriers are created equal when it comes to the coverage they offer. “They are different as to what breach response services they can provide,” Walters says. Some insurance carriers provide companies with access to prescreened notification and forensic firms as well as privacy attorneys. In many cases the carrier has negotiated a discounted rate for the services.

Some carriers even have a breach response coordinator on staff who can help facilitate a speedy turnaround time. “How you deal with a breach — how quickly and accurately you respond —can ultimately help to limit your liability in the situation,” Walters says.

Data breaches can be costly, as noted in the 2011 U.S. Cost of Data Breach report from Symantec Corp. and Michiganbased Ponemon Institute. The report says the average per capita record cost of a data breach is $194. The organizational cost is around $5.5 million.

Economic losses are not the only concern when it comes to a security breach. The publicized loss can also permanently damage a company’s reputation. Affected companies view the breach as an issue related to their brands. “If a [company’s] site is down or has a privacy breach, there is an impact on the way people view that company,” Longest says. “What we have seen is if you handle breaches appropriately using planning and resources quickly and in an effective manner, you will have a better outcome.”