As the data breach epidemic continues to sweep through Corporate America and regulatory penalties and litigation become more frequent and costly, compliance and risk officers are increasingly turning to cyber-risk insurance policies to help cover the potential financial losses.

The number of companies that have requested applications and quotes at ACE for data breach coverage has tripled in the last year, says Toby Merrill, vice president, ACE Professional Risk, a division of insurance company ACE USA, part of ACE Group. “The submission count continues to increase each year,” he says. More organizations are choosing to purchase coverage as well. “We've seen more growth in the last three years than all the years prior.”

Cyber-risk insurance policies have been around for roughly two decades, but only in the last several years have companies across a broad array of industries begun to purchase coverage. Until recently, most of the buyers were in the financial or technology sectors, where data breaches have been more common.

In the last few years, however, healthcare providers, retailers, universities, and companies in many other industries began purchasing cyber-risk policies. “More and more, this is becoming mainstream coverage,” says Nick Economidis, a professional liability underwriter for Beazley, which insures data privacy and network security risks.

In general, cyber-risk insurance policies reimburse companies for “damages and claims expenses arising out of the wrongful disclosure, theft, or loss of information,” Economidis says. “Information may be personal, identifiable information or confidential corporate information in electronic or paper form.”

One reason for the boom in interest, apart from high-profile attacks on such companies as Sony, Citigroup, and a division of EMC Corp., is the enactment of several data breach laws that come with stiff penalties. For example, Massachusetts passed a strict data privacy law in March 2010, which requires stricter safeguards of consumers' personal information relating to Massachusetts residents.

Additionally, Congress' passage of the Health Information Technology for Economic and Clinical Health Act in 2009 dramatically increased the monetary penalties for privacy violations in the healthcare sector. The Federal Trade Commission's Red Flags Rules, which require businesses to establish a program to detect identity theft, took effect at the beginning of this year.

Horizon Blue Cross Blue Shield of New Jersey made the decision to purchase coverage two years ago after being approached by its insurance broker. “I think there was just an internal recognition that there was a need for it at that point, or at least to start exploring it,” says Renee Yozzi, risk manager for the health insurance company.

Horizon's concerns are well-founded. According to a joint survey conducted by the Computer Security Institute, a membership organization for information security professionals, and the Federal Bureau of Investigation, more than 90 percent of 351 security professionals surveyed reported experiencing a cyber attack of some kind in the past year.

Types of Coverage

Cyber insurance policies offer two basic types of coverage:

Liability coverage reimburses companies for legal defense costs, settlements, and other legal liability expenses that arise when private data has been released, whether through a hack, a lost laptop, or paper copies of private reports that got into public hands.

Breach response coverage reimburses companies for the financial loss associated with such actions as notifying people of the breach, arranging credit-monitoring services, and hiring a forensic expert.

“I would look for insurance companies that have a history of good quality cyber-insurance products that are reputable companies in terms of claims paying and financial strength.”

—Rick Betterley, President, Betterley Risk Consultants

The number of providers that offer such coverage continues to grow. On June 14, Travelers became the latest insurer to launch a package of policies covering various fraud and expense liabilities.

Some insurers offer risk-management services—such as firewall testing tools, for example—with their policies. “Look for a company that has a good rich array of management services that come with the policy,” says Rick Betterley, president of Betterley Risk Consultants. “That to me demonstrates an understanding and a commitment of the coverage and the product.”

Broker Assistance

Many companies may have a knee-jerk reaction to buy cyber coverage after seeing other companies make the headlines for data breaches and not wanting to go through the same experience. “That's fine, but it's not really the way to run your strategy over the long haul,” says Robert Richardson, director of the Computer Security Institute. “A more coherent approach would be to think about the assets that you particularly need to protect and how you can protect those at multiple levels. The trick is to be smart about whether it makes sense to insure against certain kinds of risks.”

CYBER-INSURERS

A partial list of insurance companies that now offer cyber-insurance coverage is below:

ACE

Arch Insurance Group

Beazley

Chartis

Digital Risk Resources

Hiscox

Navigators

Provider Insurance Group

Sprezzatura Insurance Group

The Hartford

Travelers Insurance

Source: Compliance Week.

That is where insurance brokers can help. “You want to involve a licensed broker or agent, preferably one that has experience with these products, to provide guidance on what terms are needed based on what exposure the organization has,” says Merrill. For example, some companies have a lot of sensitive personal information or third-party corporate information, so they might be more interested in privacy liability and data breach coverage, he says.

Brokers can help “as far as providing an analysis and format that senior management can more easily understand,” says Yozzi. When Horizon BCBS of New Jersey went through the process, she says, the broker provided a breakdown of different carriers to help management analyze policy provisions and hone in on what coverage was necessary for the organization.

“From a risk manager standpoint, it's just as important for a broker to outline what is not going to be covered, so that management understands, when you're purchasing this policy, it's not a panacea,” adds Yozzi. “It is not intended to cover every single issue surrounding a breach.”

COMPUTER SECURITY STATS

[Chart 1, not reproduced here: the percentage of 285 respondents to the Computer Security Institute 2010/2011 Computer Crime and Security Survey who experienced a security incident in 2010.]

[Chart 2, not reproduced here: the kind of security policy respondents had in place in 2010.]

Source: CSI 2010/2011 Computer Security Survey.

And don't forget that old technologies die hard. Data lost on paper documents is still quite common, and some policies only cover data in electronic form. “So that would be an exclusion I would worry about,” Betterley says. If you hire a third-party document destruction company to destroy your data and they throw it in the garbage instead, “some policies wouldn't cover that because the data is not on your network,” he says.

Some policies also carry a minimum-security-standard requirement, under which the insured is responsible for maintaining certain levels of security. With some insurers, failure to meet those standards can result in coverage being excluded, says Economidis.

Companies will also want to look for coverage that is tailored to their needs. “The services that are provided also could be customized to your industry. So you need to ask those questions,” Yozzi says. One type of credit monitoring that may be appropriate for one industry may not be appropriate for another.

Cyber-breach risk insurance may require buy-in from a unique group of executives responsible for risk management. Yozzi recommends getting the chief information officer involved right from the start, so everyone understands the intent of the coverage and a full discussion can follow on what type of coverage may be needed.

ACE's Merrill says it is equally important to have the general counsel and compliance officer at the table during discussions, due to the increasing number of privacy regulations and the potential to be found out of compliance with these standards.

“More and more of the exposures that these policies address come from being out of compliance with notification laws, regulations, rules, or consumer protection laws,” and not necessarily the actual lost laptop or data breach, says Merrill. “That is where, quite frankly, most of these battles are going to be won or lost.”