When it comes to buying cyber insurance, businesses can take comfort that they have mitigated the financial risks that come with a data breach. Just not all of them.
Target Corporation’s high-profile hack is a case in point. In a securities filing last week, Target said costs associated with its 2013 holiday season data breach – which exposed the personal information of more than 100 million customers – are approaching $300 million. As of January 2016, Target has incurred $291 million in breach-related costs including legal fees, crisis communications and forensics costs. Of that amount, less than one-third or about $90 million is expected to be covered by cyber insurance. At the time of the breach, Target had $100 million in cyber insurance coverage from multiple underwriters, on top of a $10 million deductible.
According to its public filings, Target’s cyber insurance policy contained a $50 million sublimit for settlements with payment card networks. In 2015, Target entered into settlement agreements with all four of its major card networks, which are in various stages of court approval. Visa, for example, cut a $67 million deal with Target. MasterCard later entered into a $19 million settlement. But Target hasn’t disclosed whether those settlements will be paid from the cyber policy, subject to the sublimit, or funded from other sources (such as its corporate general liability policy or from its operations).
And the financial pain isn’t close to over. Although Target has resolved many of the more than 100 lawsuits filed after the breach, it still faces several shareholder class action lawsuits, a separate lawsuit filed in Canada and ongoing investigations by State Attorneys General and the U.S. Federal Trade Commission.
Several industry analysts forecast that Target’s breach-related losses will reach $1 billion. In the quarter following disclosure of the breach, reported in early 2014, Target’s profit fell 46 percent from the same period a year earlier, roughly half.
The “hard” costs covered by cyber insurance are often only the tip of the iceberg. Cyber policies don’t usually cover intangible harm like lost sales, plummeting customer goodwill and trust, or damage to the brand. Most policies also exclude some forms of major attacks, such as state-sponsored espionage or ransomware, which has been on the rise, especially in the healthcare industry.
Target’s experience with cyber insurance isn’t uncommon. It’s a fast-growing and evolving market with dozens of underwriters offering coverage. With the increase in headline-grabbing breaches and the sophistication of cybercriminals, demand for coverage is high and business is brisk. Total cyber insurance premiums paid in 2014 were about $2.5 billion, and the market is expected to reach $7.5 billion by 2020. In comparison, cybercrime costs the global economy about $400 billion per year, and that figure isn’t expected to shrink anytime soon.
One expert told me that the most cyber insurance an organization is likely to acquire is in the $300 million range – using multiple underwriters. That’s significantly less than the billions of dollars’ worth of coverage available for other organizational risks such as property and casualty damage.
Cyber policy coverages, exclusions and premiums vary widely. The more comprehensive policies reimburse for forensics firms, notification of customers and credit monitoring for victimized customers. Some policies cover legal fees. Much is open to negotiation, and some of the risks might already be covered by other policies in place, such as general corporate liability or errors and omissions coverage.
If there’s a lesson to be taken from Target’s experience, it’s that not all cyber insurance policies are created equal. While cyber coverage can be an important risk allocation tool, it is only one piece of a much larger puzzle. Organizations need to start with an overall cyber risk analysis – looking not only at IT risks but at exposure to governance, regulatory and legal liability – to identify the losses they are most likely to face in an incident, and then select the coverage that best fits their own risk profile.