Still a hard sell
Companies are reluctant to buy cyber insurance despite major breaches
Scott Strickler believes many Virginia business owners are operating with a false sense of security.
Strickler, a partner specializing in business coverage and cyber insurance products at Richmond-based Robins Insurance, says that, despite widely publicized breaches at companies like Target Corp., relatively few Virginia businesses appear willing to spend money on specialized cyber liability coverage.
“The main misconception is, ‘My information is secure … There’s no way hackers can get into my system … Besides, they’re not interested in someone as small as me. They’re only interested in big companies like Target,’” he says.
“They don’t seem to realize that no system is bulletproof.”
In fact, while the massive data breaches at major companies have been grabbing headlines in recent months, new research indicates that many criminals are turning their attention to smaller companies, seeing them as softer targets that are ripe for exploitation.
Last year U.S. investigators revealed that between 2005 and 2012 a small group of identity thieves based mainly in Russia and Ukraine stole an estimated 160 million credit- and debit-card numbers. They breached 800,000 bank accounts of customers of 7-Eleven, JC Penney, Citibank, PNC Bank, the NASDAQ stock trading system and two leading payroll services companies.
In late December, Target, one of the nation’s largest retailers, said hackers snatched key records of 40 million customers’ payment cards during the 2013 holiday shopping season, collecting names, PIN numbers, CVV security codes, credit limits and expiration dates. A few weeks later company officials said the same data breach gave criminals illegal access to the names, addresses and phone numbers of another 70 million customers.
In February, luxury retailer Neiman Marcus said that information from about 350,000 of its customers’ credit cards was stolen last year (down from initial estimates of more than 1 million).
In April, the Michael’s chain of craft stores confirmed that the company and its Aarons Brothers’ subsidiary suffered the loss of data from about 3 million credit cards between May 2013 and this past February.
As of mid-June these companies had not reported how much the electronic data theft will eventually cost them to investigate and provide follow-up protection for their customers’ bank accounts and credit scores. Yet, the financial damage may be considerable, with some estimates reaching into the billions.
To prevent any repetition of the damage suffered by many of its most prominent members last year, the National Retail Federation plans to unveil as soon as this summer a new information and analysis center, or ISAC, which will help member companies share information about cyber threats and recommend ways to improve network security.
Smaller companies vulnerable
In its most recent annual survey of 16 U.S. industries, using information from 61 participating companies, the Traverse City, Mich.-based Ponemon Institute reported in May the average cost of a data breach last year cost companies $201 per customer, up from $188 in 2012.
The study forecasts that, based on historical data, U.S. retailers and government agencies are the most likely to suffer more malicious attacks during the next 24 months, while energy companies and industrial companies are the least likely.
The Ponemon report, released in early May, also said that smaller companies, without the IT security budgets and staff of larger corporations, may be the most vulnerable. “In all cases, it is more likely a company will have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records.”
Strickler and other industry professionals emphasize that even the smallest companies run some form of cyber risk. Those risks can be as simple as the loss of employee payroll and tax information or the accidental download of a virus from a customer’s email, a Facebook page posting or a Twitter message to the company’s account.
And no company can even hope to monitor the network security practices of the vendors and third-party business partners it uses every day.
To illustrate, Target executives said that the hackers who robbed the company in 2013 gained access to its customers’ payment and personal data after they first breached the network of one of its HVAC vendors.
“There’s an education process going on right now,” Strickler says. ”We’re asking companies to assess all their possible risks and determine how deep and how broad they may be. We’re trying to help companies understand where their gaps in coverage may be and ask them if they have budgeted for possible losses.”
Limits to liability policies
David Schaefer, executive vice president with AH&T Insurance in Leesburg, echoes those concerns.
“An educated consumer is the most important thing,” he says. “What do you have in terms of risk?”
Schaefer adds that another potentially expensive error many company executives are making is their mistaken belief that the broad language of their existing general business liability policies will cover them under any circumstances, including cyber attacks.
Two important court verdicts in the last nine months have added to the confusion about what losses standard commercial general liability (CGL) policies cover when it comes to electronic data loss and what they don’t.
In February the New York State Supreme Court ruled that the CGL policy that Sony Corp. bought from Zurich American Insurance and another insurance company did not protect it from the massive losses suffered after the infamous PlayStation breach in 2011, during which outside hackers stole millions of customers’ personal information.
According to that ruling, since Sony’s CGL policy provided coverage only in the event one of its own employees was responsible for the attack, the company’s losses were not covered by insurance for attacks launched by outsiders.
On the flip side of this issue, however, a federal court in California last October ruled in Hartford Casualty Insurance Co. v. Corcino & Associates that the company’s existing GCL policy did protect it from losses it suffered after a data breach exposed the personal information of 20,000 hospital patients.
Even before those two verdicts were handed down, the New Jersey-based Insurance Service Office Inc. (ISO) — a top insurance carrier and the leading U.S. publisher of business insurance forms often used as templates by the rest of the industry — last year began to issue new CGL forms that exclude coverage of data breaches and possible losses from cybercrime.
The new ISO forms took effect in early May.
In explaining the changes, company officials said that the CGL policies they had been using were written around 2000 when the frequency and severity of cyber attacks and accidental data breaches were not even imagined.
At the same time that it narrowed the scope of its CGL forms, ISO also unveiled a new suite of coverage options related to specific cyber events, including data breaches.
In a statement, Beth Fitzgerald, the company’s senior vice president of insurance programs, said, “The alarming frequency and severity of data breaches suggests that, for many businesses, it’s no longer a question of ‘if’ but ‘when’ they will suffer a data breach … Protecting against financial loss resulting from a data breach is a critical issue for businesses of all types and sizes.”
Given its influence among insurers, AH&T’s Schaefer says ISO’s revisions will have industrywide implications. He believes the changes represent yet another indicator that insurance products needed to protect businesses from risks involving electronic communications, commerce, records and data are becoming “more siloed,” more specialized.
“ISO has clearly taken a hard line against cyber risk,” he says. “They’re trying to create a firewall,” he adds, between traditional business liability coverage designed for companies with physical, brick-and-mortar, locations and companies whose survival depends on making as much use as possible of the Internet and social media platforms.
“Traditional policies were never designed to cover these new types of exposures,” he says.
Adds Angela Gleason, an associate counsel with the Washington, D.C.-based American Insurance Association: “It’s probably best not to rely on traditional insurance products” to protect your company from cyber risks. “You should look at your current coverages, with an eye toward finding all the gaps and then look to fill them, but probably not with endorsements but with a suite of separate [cyber insurance] policies.”
AH&T’s Schaefer says widespread acceptance of cyber liability insurance by the majority of U.S. business owners still may be a long way off — in spite of all the headline-grabbing data breaches.
To illustrate his point he says American companies were reluctant to buy employment practices liability coverage, now a pretty standard component of business insurance, until after Anita Hill accused Supreme Court nominee Clarence Thomas of sexual and workplace harassment during televised Senate confirmation hearings in 1991.
Additionally, he says most companies ignored any need for protection against terrorist acts until Sept. 11, 2001.
And even though the data breach at Target stores “is front and center” as the most important breach event in modern U.S. history, Schaefer argues, “We’re not there yet from a disaster standpoint.”