2013 was a record year for data breaches, including four of the top 10 data breaches of all time. No industry is immune. In its 2014 Data Breach Investigation Report (using 2013 data), Verizon reported that two of the top security threats are technologies commonly used in the hospitality industry: Website attacks accounted for 35 percent of all breaches and point-of-sale (POS) system attacks accounted for 14 percent of all breaches.
Protecting guest data is harder than ever as there is more data to protect. The demand for tablet and mobile technologies extends the perimeter and complexity of the network that needs to be supported, and attackers are busier and more sophisticated than ever finding new ways to obtain data. Regardless of how the data is lost, the damage to an organization’s reputation resulting from the exposure of sensitive data must be addressed.
Concern regarding the potential liabilities that may result from a data breach is driving many organizations to evaluate the need for cyberliability insurance, an emerging market in the field of enterprise risk management that grows with each high-profile data breach.
Standard liability insurance policies have not traditionally covered cyberevents, but some court decisions have held that data corruption or theft constitutes physical damage to software or data. This is not the norm and should not be relied upon. Perhaps in response to these court cases some underwriters are now including a cyberendorsement in business owner policies (BOP) that can afford some coverage for a cyber-related event.
The Towers Watson “2013 Risk and Finance Manager Survey” reports an 11 percent increase in organizations that have purchased network security/privacy liability-type policies. The report indicates that 44 percent of organizations in the financial services industry have purchased policies of this kind and only 33 percent of organizations in nonfinancial services industry have purchased these policies. The most common reason cited in the Towers Watson survey for not purchasing a cyber-risk policy is that the organization believes that its internal IT department and controls are providing adequate protection.
Decisions about cyberliability insurance should be considered in the context of enterprise risk management. A choice not to fund this type of insurance is an acceptance of the risk levels identified as the result of an enterprise risk assessment or a choice to fund mitigation strategies that will either prevent a breach or minimize the impact of one. In order to make this determination, it is helpful to understand the risk from a cost perspective.
For the past three years NetDiligence®, a cyber-risk management company, has consolidated and analyzed claims from multiple insurers in an attempt to understand true costs of cyber breaches and predict future trends. Its objective is to help risk management professionals and insurance underwriters understand the true impact of data insecurity. To date, its sample size is limited, a reflection of a growing market where not enough policies are in place when breaches have occurred, but the data that is emerging from its work provides good information for those considering this type of insurance coverage.
In its most recent (2013) study, NetDiligence reported the most likely breach incidents included loss or theft of either personally identifiable information (PII) or protected health information (PHI) resulting from either a lost or stolen laptop or from hackers. This seems to conflict with news reports and other studies citing credit card data as a major target for hackers, however, it can be reconciled by understanding that the NetDiligence report is only able to analyze claims paid out on a limited number of breaches for organizations with cyber-liability policies in place. The study included a total of four claims from the hospitality industry where reported costs ranged from $55,000 to $235,000.
With respect to claims paid out for PCI fines, 3.4 percent of its dataset included these claims, which ranged from $11,000 to $120,000. Of the seven claims with PCI fines in the study, two of them were from the hospitality industry, one from a mid-cap company and the second to a micro-cap company. Not surprising, larger companies typically have bigger breaches and the minimum payout for these types of organizations as reported by the NetDiligence study was $3 million. It postulates that smaller companies either have smaller breaches, less insurance coverage or both.
In general, many reported breaches do not involve a large amount of records, although those that do can be expensive. The most common cost item organizations report following a data breach is the cost to provide credit monitoring. Interestingly enough, in the Utah Department of Health breach almost 780,000 individuals were eligible for free credit monitoring and only 59,500 people took advantage of it in the first year.
Today the cost to purchase a cyberliability policy is still relatively low. Pricing for this type of insurance is based either on net revenues or on the number of data records that could potentially be exposed. Expect rates to go up as more breaches become public and underwriters become more reluctant to write such policies.
Before making a decision to purchase cyberliability insurance policy, certain items should be considered. In order to obtain cyberliability insurance, the organization must fill out a questionnaire that details the security program in place. Any misrepresentations on that form can invalidate claims. An organization will be required to have a sound security program in place before it will be able to obtain cyberliability insurance. Spending money on insurance in lieu of a security program is not an option. A commonly covered cost item in a cyberliability policy is breach notification costs. Policies typically have a clause covering this claim when required by law, but many organizations choose to notify victims as part of a goodwill gesture (notifying all customers instead of just those known to have been breached) and these extra costs of notification when not required by law are typically not covered under a policy.
The cyberliability market is in tremendous flux. Currently, premiums are reasonable and it might be the right time to consider purchasing a policy for your organization.
Mary Siero, CISSP, CISM, CRISC, is the president of Innovative IT in Las Vegas, www.iitlasvegas.com.
