The Demotech Difference Fall 2015

Is Your Cyber Endorsement Enough?
By Ted Richmond

The global cyber insurance market is currently generating about $2 billion in premium, and has a projected growth to $10 billion in premium by 2020 according to ABI Research. However, less than 6% of small to medium sized enterprises (less than 500 employees) are purchasing cyber insurance. Recently conducted benchmark research sponsored by IBM concluded that it is more likely a company will have a breach involving 10,000 or fewer records, rather than a mega breach involving more than 100,000 records. With the risk increasing for small to medium sized enterprises, and the small number purchasing cyber insurance, it is becoming more important for insurers to add some coverage for this risk to their small business package policies. If an insurer is going to add coverage to its commercial policies, it is important that it choose a program that will keep its insureds in business. According to Sheryl Christenson of Global Institutional Solutions, 60% of businesses never recover from a breach.

An insurer needs to look at three main things when developing or choosing a reinsured cyber endorsement for its insureds. The first is the coverage, second is the limit, and third is the services included through third party vendors.

All businesses at some level have sensitive information either on their customers, vendors, employees or all of the above. This information is referred to as Personally Identifiable Information or “PII”. PII is any information that can be used to determine the identity of a person. Common forms of PII are name, address, phone number, social security number, driver license number, or credit card information. Any of this information can be used to commit identity theft. When a business accepts or stores this information, it becomes liable if that information is stolen during a breach.

The first cost associated with a data breach is the breach response and notification of the affected individuals. This consists of preparing a letter and mailing it to all affected individuals. It also includes setting up a call center, which is usually outsourced, to handle questions related to the breach. The size and scope of the breach is determined by a forensic audit, which is often the first thing required by the state or a regulatory body. The legal requirements differ by state, depending on the size of the breach, and can include the requirement of a press release, a notification in local media, and credit monitoring services for the affected individuals.

If a breach of payment card information has occurred, there are potential fines and penalties from the card brands such as VISA and MasterCard, and in some cases mandatory processing equipment upgrades. Regulatory bodies such as Health and Human Services (HHS) or state attorneys general also have the ability to impose fines for HIPAA related breaches of protected health information. These are all forms of first party coverage; however, there is also a need for third party coverage.

This article first appeared in the Fall 2015 issue of The Demotech Difference, a publication of Demotech, Inc., www.demotech.com
Third party coverage, also referred to as defense coverage, is typically a component of most cyber endorsements and will provide legal defense for claims that arise from affected individuals. A class action lawsuit against the insured is a reality, and should be a component of coverage.
New and emerging threats include such actions as funds transfer fraud, where a cyber criminal gains access to a business’s online commercial bank account and fraudulently wires funds from the account. A common misconception is that the bank will make the business whole, but under current regulations the bank is not liable for these losses if it provided reasonable security controls. Very few cyber policies, or even endorsements for that matter, are providing coverage here. It may not be a highly publicized risk like a data breach, but it can wipe a business out if it falls victim to such an attack.
Another crucial component of coverage is employee theft, which should not be excluded. The majority of data breaches are the result of employee theft, due to the ease of access to this data and the possibility of coercion by criminals to steal this information. According to Sheryl Christenson, 85% of breaches are internal. Criminal gangs either implant people into a business or approach existing employees with an opportunity to make easy cash.
The costs of a data breach can range dramatically depending on the type of information breached and the size of the breach. The average cost of a breach, according to the Ponemon Institute, is $86.84 per record for breaches between 10,000 and 100,000 records. Notification per affected individual averages $2.50, which includes the call center and credit monitoring for one year, according to Sheryl Christenson. A forensic audit for a payment card breach, according to RGS Limited claims data, averages about $10,000, and the average total cost of a payment card breach is $37,000. Looking further into new and emerging risks, the average loss for funds transfer fraud, according to Greenway Solutions, is $17,000.

Having an endorsement for $25,000 may be adequate in some scenarios, but because of these costs it is easy to comprehend the need for a higher limit. Increasing the limit to $50,000 or $100,000 may be worth the modest increase in rates, as the difference in rate may not be significant since the majority of breaches cost less than $50,000. The cost of a higher limit seems necessary when looking at the exposure it is preventing.
In addition to having adequate limits and the correct coverage, an insurer needs to make certain that a business takes the necessary steps to prevent a breach, and responds appropriately in the event of a breach. These steps can greatly reduce the amount of a claim and prevent further damages. Risk mitigation tools that should be in place include a risk assessment that allows a business to evaluate its risk and take the necessary steps to reduce its exposure. Along with evaluating the risk, the business should have specific policies in place for business practices and a response plan in the event of a breach. These services can be added to an endorsement through a third party provider. The provider will also deliver breach response services at a reduced rate to the insurer and be the first line of defense in assisting with the prevention of a breach and mitigating risk post breach. If an insured does not have these services, it creates additional confusion when a breach does occur and can leave a business wondering what to do.
Commercial insurers have the ability to provide this coverage at a low cost across their small business portfolios, which creates both value for their policies and good will with their customers. However, if they choose to do so, they need to be sure that the risks are covered and that the limits are there to support breaches across all of their insureds’ business segments.
Ted Richmond is Vice President of RGS Limited LLC, developing new products in the area of cyber for insurance companies and financial institutions. He works with both domestic and international insurance markets to provide these programs. He may be reached at ted@royalgroupservices.com.

RGS Limited LLC is an insurance program manager specializing in data breach and cyber programs. RGS has launched and managed programs for insurance companies, payment processors, and banks both in the U.S. and internationally.