Security Breach Notification Laws Reinforce Need for Cyber Insurance

With more than 40 states now enforcing privacy and security breach notification laws, underwriters are working hard to scoop up the business this niche creates, while also tweaking their policy forms to provide the broadest and most comprehensive coverage.

Over the last several years, cyber liability coverage has evolved from just insurance for information technology companies to coverage that nearly every class of business should have if they don't already, according to underwriters. From retailers and banks to restaurants and medical offices, many businesses are unaware of the great security technology exposure they face, according to agents. That's why insurers and agents have turned their attention to educating their customers of their risk and how to prevent a security breach, which can be costly.

Recent state laws require companies that have experienced a security breach to notify all customers that could be affected by the breach that their information has been compromised, even if the information hasn't been used. In most cases, the notification also includes an option of one year credit monitoring services and a new card or account number for customers.

According to Emily Freeman, executive director and partner of Lockton International's Technology, Media and Telecommunications Practice, the average cost of a security breach for a company is $15 per person. For a business with millions of customers, that can really add up.

Lockton recently released a report titled "What Should You do to Prevent Cyber Thieves?" in response to a Wall Street Journal article about a recent cyber attack in Europe and China that included the theft of sensitive information from 2,400 companies. Lockton's report offers information for insureds on how to prevent a cyber attack and the proper steps to take should a breach occur.

"The extent to which corporate companies are at risk is becoming a pandemic problem," Freeman says. "We felt it was important for our clients looking at that [WSJ] article to know what to do next and in what areas they should spend their time improving their defenses."

Handling the notification and rebuilding a company's reputation after a breach are major cost factors that most companies don't think about. Lockton offers a reputational harm form through Lloyd's of London to help a company with the financial impact of adverse media associated with a data breach. The coverage provides net income and extraordinary expenses associated with restoring brand and reputation. This coverage can be sold on a standalone basis or combined with the data breach policy.

Hiscox has been writing cyber liability coverage, which it refers to as privacy coverage, on a standalone basis since 2006. The firm is in the process of finalizing a new version of its privacy coverage and expects its new form to be complete around April. The product will include new wording, expanded coverage for the cost of data breaches, and a specific version for the healthcare industry.

Although capacity in this marketplace has increased tremendously over the years because of the soft market, Hiscox finds that some of the new entrants do not have experience handling breaches. With so much new capacity, companies are differentiating themselves by their experience and extra services, such as credit monitoring coverage, call center costs, and any claims that come from a class action because of fraudulent charges.

Jim Whetstone, senior vice president and U.S. Privacy Product manager at Hiscox, says it is important for agents to learn the differences among carriers' privacy and security forms.

"With so many different versions out there, agents and brokers need to take the time to understand them because when a data breach occurs, everyone needs to be on the same page," Whetstone says. "It's great that there is more capacity so companies can get large limits, but it also makes it difficult for agents to understand all of the different forms."

Also, because this exposure is relatively new, there is no firm pricing structure in place yet so rates do not adequately reflect the risk, which is the problem in many insurance markets now.

Adam Sills, associate vice president of technology E&O, privacy liability at Allied World Assurance Co., notes that the extreme competition leads some to believe that this class doesn't have significant claims potential.

"People think that just because there haven't been a huge amount of publicized claims, that there is a limited amount of risk. I disagree," Sills says. "There have been multi-million dollar claims and the exposures are constantly changing due to increased regulation and sensitivity. The risk has never been greater."

Agents should also understand the different state notification laws. While data breach notification laws are not yet in all 50 states, they are now in more than 40 and insurers expect a federal cyber notification law at some point in the not too distant future. The consensus among insurers is that there hasn't been much of a rise in the number of data breaches in the last several years, but mandatory notification laws have brought to light the frequency of the problem and made consumers more aware of their vulnerability to a breach, which in turn increases demand.

"There has been a steady increase in demand as the losses are made public," says Estelle Cummings, area vice president of sales at CCBSure Insurance, a division of ISG International.

Despite this, many underwriters still find it hard to convince companies of their exposure.

Cummings and her team use the Web site privacyrights.org to show clients how often breaches are occurring and how vulnerable information is. Because of the mandatory notification laws requiring companies to notify people of breaches, sites such as privacyrights.org can help insurers bring home the need for this coverage to consumers.

"About 90 percent of businesses out there have a cyber coverage need," Cummings says.

And, according to Cummings, that need extends beyond just the internet. Laptops that have sensitive customer information that is lost or stolen, doctors' offices improperly disposing of medical records, or violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are all potential privacy claims. Even office assistants leaving passwords on their computer screens and giving an outsider access to the system can lead to big problems.

"A security breach doesn't have to be computer related and a lot of policies would cover those that are not just technology driven," Cummings says. "It's a pretty complex coverage and underwriters have to look at their client and look at what they are doing and what their needs are."

Sills saw purchases delayed a bit at Allied World in the last year with the sluggish economy but has seen it pick back up recently. Allied World has been writing a lot of financial institutions, healthcare organizations and utilities. The carrier provides limits up to $25 million and coverage includes privacy and network security liability, first party notification, crisis management, media and intellectual property coverage and extortion.

"One thing we have tried to do is meet people halfway," Sills says. "A lot of our energy is put towards education and the conversion of turning non-buyers into buyers."

Comments

D. Kellus Pruitt Mar 6th, 2010 11:57 AM

â€œAccording to Emily Freeman, executive director and partner of Lockton International's Technology, Media and Telecommunications Practice, the average cost of a security breach for a company is $15 per person.â€

I read that the Ponemon Institute estimates the cost of a breach to be over $200 per person. Which estimate is correct?

D. Kellus Pruitt

Comments

Add Comment

Free Market Alerts

Showcased Listings

GC/General Contractor Workers Comp - High Risk

Builders Risk Commercial & Residential

Insurance Markets

More Information

Community