It may not have been the biggest theft of online data, but it certainly grabbed the most headlines. Cyber hackers stole credit and debit card information from some 40 million Target customers during last December’s holiday shopping season.
But the biggest known hack job took place five years earlier, at Heartland Payment Systems, a payment processor in Princeton, N.J., which had as many as 100 million credit and debit card numbers stolen in 2008 by criminals who installed spying software on the company’s computer network. In fact, the headline-grabbing Target breach is a good example of how the insurance market for cyber crime has evolved and matured since the Heartland breach.
Cyber insurance initially was developed to deal with third-party liability concerns of companies storing personally identifiable information or confidential corporate information such as trade secrets. But it quickly became apparent that, although third-party liability coverage is important, a company must address many more areas and costs with first-party coverage if it becomes a victim of a cyber attack.
“There is the cost of notifying individuals that their private information may have been accessed by another party, the cost of offering credit monitoring to make sure no one opens an account in your name or otherwise unlawfully uses your information, and the cost to hire a law firm to advise you on this,” says John Coletti, cyber product manager for XL Insurance. “And there are the costs to hire a computer forensics company to come in and identify where the issue occurred, has it been eradicated, are the bad guys still there siphoning off information or has it been resolved? All that is in the policy now, but when cyber policies were first written, they didn’t start off that way.”
The Target breach also seems to have spurred more companies to realize they need cyber protection.
“Certainly we have gone through a transition,” says Stan Stahl, president of the Los Angeles chapter of the Information System Security Association and the president of Citadel Information Group. “A lot of organizations thought this didn’t apply to them, and there was a lot of denial. It is a lot harder to be in that state of denial right now.”
“The general buy rate is much higher than it was,” agrees Scott Schleicher who, with Coletti, leads XL’s cyber division. “You had a lot more lookers and explorers of the coverage then, but it seems now the inquiries are much more serious, and you have a higher take-up rate of new quotes for new clients.”
“In November I was getting one or two submissions a day on this, and now it is three or four a day,” says Kenneth LaBelle, a cyber specialist and professional lines broker with the wholesaler Burns & Wilcox in Farmington Hills, Mich. “A lot has to do with the national news. Things like Target pop up and make people wonder about it, and that is not just the large businesses. There is an uptick in small businesses as well. They are realizing that a cyber breach could be more damaging to them because they don’t have much capital.”
The risk exposure can be huge. By May, LaBelle says, banks and the payment card industry had replaced 17 million cards because of the Target loss, and that number continues to grow. At $10 per card, the company has spent $170 million just to replace the cards, and that doesn’t cover replacing stolen money, notifications that had to be sent out and credit monitoring fees.
As a result, retailers are now “a very tough class to write quickly,” LaBelle says.
“Retailers have high amounts of transactions, and lots of them are with payment cards,” he says. “When you have millions and millions of payment card transactions, you have the possibility of losing every one of those. Day in and day out, you have potentially millions and millions of people under exposure.”
Another tough area to insure for cyber breach is the healthcare field, given all the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations.
“You lose those medical records, and you can be heavily fined,” LaBelle says. “The fines can be outrageous by the medical regulators. When cyber insurance covers this, there is often a sublimit on the regulatory fines” to limit a carrier’s exposure.
For example, in May, Columbia University and an affiliated healthcare entity, New York-Presbyterian Hospital, agreed to pay the Department of Health and Human Services $4.8 million and implement a corrective action plan to avoid being found in violation of HIPAA privacy and security rules. It was the largest HIPAA settlement to date in a data breach investigation. The investigation, which began in 2010, involved electronically protected health information for 6,800 people. Data on patient status, vital signs, medications and laboratory results were all erroneously made publicly accessible on the Internet.
“These cyber insurance policies are full of sublimits,” LaBelle says. “If an insurance agent doesn’t know cyber liability and tries to fumble their way through it, they would have no idea what to get. You have to know what is provided, and you need an expert who knows how to find it and read it so you know what is provided for specific risks.”
Just as hackers are finding new ways of putting companies and their customers at risk, the insurance market is being challenged to find new ways to cover events that have yet to occur—and responding fast when they do.
“Right now the cyber criminals are very much ahead of what ordinary business defenses are capable of responding to, and in some ways it is only going to get worse,” Stahl says.
“That is the evolution of insurance happening right before our eyes,” LaBelle says. “If we knew what would happen next, we would know how to protect against it. But there really is no way of telling how they are going to get into your system. We have to work with carriers who can evolve, and we have to change things on the fly.”
In general, LaBelle says, he has greater success dealing with the non-admitted market in placing cyber coverage because those carriers “are more free with what they are able to offer and can make changes” far faster than the admitted market.
Coletti says a number of customers are asking about cyber coverage that is available only in limited form and scope, such as whether their cyber policy responds to their own security errors or to a breach at a key supply-chain vendor.
“To date, cyber insurance has largely been about data breach response and indemnifying a company for the costs they incur to respond to the breach,” Coletti says. “This market has matured, and I anticipate the next phase of the market will center on first-party costs as a parallel offering to property insurance. With more devices connecting to the Internet and greater reliance on technology, the potential for technology failures or cyber attacks on that technology will become more and more prevalent. The insurance community will need to design products to address these exposures.
“There is a lot of due diligence that needs to go into this because these are products offered to provide insurance for new exposures where there is little data on the loss potential. These risks have to be evaluated carefully.”
One of the biggest challenges is finding the proper price for a risk that hasn’t yet occurred. XL is developing new products to address issues such as supply-chain interruption, theft of trade secrets and reputational harm. Calculating the risk without specific data on loss potential, Coletti says, involves working “across company lines on the first-party side” and talking to risk engineers and property underwriters.
“And trying to assess how they go about evaluating business interruption exposure,” Coletti says. “On trade secret exposure, we are getting expertise from third parties who have businesses around quantifying and valuing trade secrets. There is a lot of external help that you need to do this.”
Until those products are more widely available, Coletti says, carriers may find themselves facing claims from heretofore unanticipated cyber attacks that, absent specific exclusions for cyber coverage, may turn into claims filed under standard general liability or property policies.
“It will be interesting to watch how policies that are not written for cyber events, your average property policy or GL policy, for example, will respond to claims triggered by a cyber event,” he says. “What will happen when a cyber event occurs that triggers these policies, claims are submitted and they go to an underwriter who did not intend to cover this but is not going to be able to deny coverage? Those are the moments that will make the market.”
Essentially, the market will have only two choices at that point: Carriers will have to either place broad exclusions for new types of cyber attacks in their GL, property and excess policies, prompting the development of new products, or cover them under the existing policies.
“I anticipate an expansion of cyber exclusions, which will further promote the stand-alone cyber market,” Coletti says.
Something similar happened in 2007 with another huge cyber attack at TJX Cos., the parent of T. J. Maxx and Marshalls. At least 94 million Visa and MasterCard accounts were exposed to potential fraud in a data breach, with cost estimates involving Visa cards alone ranging from $68 million to $83 million, spread across 13 countries.
“Prior to cyber policies becoming very much the in-vogue thing to have and very much on the top of everyone’s mind, there still were these breaches of privacy that were out there,” XL’s Schleicher says. “A lot of policies didn’t have exclusions for this kind of breach, and there were plenty of claims paid on GL and umbrella coverage policies that otherwise would have been covered by cyber policies.
“For the most part, the umbrella market took a couple of big hits on the very high-profile accounts because of that. I can tell you T. J. Maxx didn’t have cyber coverage, but it didn’t go uninsured on that claim. A lot of excess umbrella carriers on that risk had skin in the game and money on the line on that. Since then, the cyber market started really blowing up and getting lots of exposure.”