The team of forensics investigators and security consultants called in to contain the data breach at U.S. retail giant Target has finished that phase of the incident response. But the fallout from the security incident could last years, say security experts, costing the retailer millions in regulatory fines and in legal fees tied to potential lawsuits.
Target's legal counsel has very likely reviewed the company's cyberinsurance policy if it has one, said Mark Greisiger, president of NetDiligence, a Philadelphia-based cyber risk assessment services firm that works with cyberinsurance underwriters. In addition to helping offset costs related to a serious security incident, cyberinsurance policies often provide assistance with breach services, including immediate access to legal counsel, forensics investigators and security consultants. Target declined to comment to CRN about its insurance coverage.
"There's a good chance that a company like Target has had coverage in place for a decade," Greisiger said. "A major benefit is to be able to get assistance in a timely manner when all hell breaks loose. It can get some businesses through the first 24 hours when they don't even know where to begin."
Some businesses, however, have been caught without coverage. Sony's PlayStation Network was hit hard by hackers in 2011, resulting in more than three weeks of downtime while forensics teams determined the scope of the massive breach. The attacks came in two separate waves and resulted in the exposure of account data on more than 70 million people and about 12 million credit and debit cards. Sony is still reeling from the incident and is in a longstanding dispute with its commercial general liability insurance company, Zurich American Insurance Co., over the hundreds of millions of dollars in claims it made from expenses it incurred during the data breach.
High-profile incidents such as the Target and Sony breaches are prompting some businesses to look at what policies they have in place, said Ben Goodman, president and CEO of 4A Security, a New York-based managed security service provider. Cyberinsurance is one part of a risk management strategy, said Goodman, who also is CEO of 4A Security partner Enterprise Risk Associates, which specializes in insurance and risk assessment.
Insurance policies help transfer risk and reduce the financial impact of an incident, said Goodman.
"From our perspective this is where it is a mistake to think IT security is just a technology issue; it's also a business issue," he said. "You can control the impact an attacker may have on you by putting in all the best practices so you are not an easy walk-in-the-park kind of place for a hack, but at the end of the day you're not going to be 100 percent effective."
4A Security and Enterprise Risk Associates are run as separate businesses, said Goodman. 4A Security sales engineers aren't selling insurance policies, he added, as they would have to be licensed according to state guidelines.
HOW DOES CYBERINSURANCE WORK?
Cyberinsurance typically is purchased separately from property or casualty policies. Annual premiums generally run between $5,000 and $10,000 per million dollars of coverage, say insurance experts. Premiums can be more or less expensive depending on the industry vertical and the underwriter's perceived level of risk, said NetDiligence's Greisiger. Size does not necessarily matter: a small business in a highly regulated space that collects a lot of data faces increased exposure, and its rates rise accordingly. Rates are loosely based on the industry sector, the revenue of the business, the number of employees and the type of data held in the company's systems, he said.
Much like auto or home insurance, policies carry a deductible or a self-insured retention. A million dollars in coverage may come with a $10,000 deductible; the policyholder absorbs losses up to that threshold, and the insurer pays covered losses above it. Underwriters rarely request an on-site risk assessment, but where the coverage limits are high, companies such as NetDiligence are called in to analyze the systems and security policies in place. If the business is in a regulated sector, such as the payment industry, a report on compliance is sometimes requested for review.
"If it’s a small client with low-level limits, the underwriters may just roll the dice," Greisiger said. "If we are called in, we check to see if you have a dedicated team in place, ongoing patching and change management processes and certain safeguards beyond the basics."
Most standard liability insurance fails to cover data losses stemming from cyber-related incidents, said Christine Marciano, a cyber-liability insurance specialist at Princeton, N.J.-based Cyber Data-Risk Managers. Marciano, a certified information privacy professional who is licensed to sell insurance in 15 states and Australia, said she often works with IT consultants, resellers and other providers, which refer potential clients.
"When an organization doesn't have a true cyberinsurance policy, a claim made under existing coverage is often battled between legal teams in court," Marciano said. "It's too late when the victim organization finally realizes that property and casualty policies are insufficient."
Businesses typically are referred to Cyber Data-Risk Managers after a serious security incident has taken place, or after a review finds that their policies need to be updated, Marciano said. Conducting an annual review is crucial, she said, because insurance companies are constantly adjusting coverage to keep pace with the changing threat landscape and emerging security technologies.
"We have both proactive organizations that realize that the risk isn't going away no matter how much they spend on technology, and organizations that had a breach and then realize they don't want to go through this again," Marciano said. "It's very important when renewal time comes up for the existing policyholder to take a look at what other policy offerings are out there because, just as technology is constantly evolving, insurance has to keep up with the changes with the coverage that they are offering."
Coverage is just beginning to emerge for companies facing legal trouble for collecting data on individuals in a nontransparent manner. Another area of concern is the aggregate risk building up for underwriters from the increased use of cloud services, where a serious breach at one provider could produce a thousand or more claims overnight, said NetDiligence's Greisiger. Underwriters also are considering adding coverage for intellectual property protection, an area most cyberinsurance policies do not cover.
Risk can never be completely eliminated, said Justin Kallhoff, CEO of Lincoln, Neb.-based Infogressive, a service provider that focuses on penetration testing, vulnerability management and implementing network security appliances and other security technologies. Kallhoff said some of Infogressive's customers have purchased cyberinsurance or special insurance riders adding data security to standard insurance coverage. It's all about the individual business' risk tolerance, he said.
"We have plenty of conversations about the fact that you're never going to get to a zero-risk state," Kallhoff said. "It's always a discussion around not being a matter of if, but a matter of when."
BY THE NUMBERS: DATA BREACH CLAIMS
Insurance claim data yields insight into data breach causes and the expenses associated with security incidents. A recent NetDiligence study of 145 data breach claims submitted in 2013 found that typical claims ranged from $25,000 to $400,000. The company's analysis found that smaller businesses experienced the most incidents, while larger firms lost more records.
Insurance claim payouts helped offset many standard expenses following a data breach. Crisis services cost an average $737,473, and legal defense cost an average of $574,984, according to NetDiligence. The average legal settlement was $258,099.
Businesses are relying more on cyberinsurance to cover the growing legal expenses associated with data breaches. Class-action lawsuits are common, and legal defense funded by cyberinsurance carriers is also helping businesses settle regulatory actions arising from incidents.
Security experts are watching Wyndham Hotel Corp., which is fighting the Federal Trade Commission in court over an FTC complaint stemming from three breaches at its hotel chain between 2008 and 2010. More than 600,000 payment card numbers were stolen and more than $10.6 million in fraudulent charges were reported as a result of the exposure. The FTC claims that Wyndham should have had stronger protections in place for its customers' information. Wyndham argues that the FTC lacks the authority to regulate corporate data security.
Of $84 million in total payouts, about half was spent on digital forensics investigations, breach notification, credit monitoring and identity theft remediation following a security incident, according to the NetDiligence study. About 35 percent of payouts addressed legal defense activities, 13 percent helped offset legal settlement costs and less than 1 percent of payouts covered PCI and regulatory fines.
Credit and debit card information was exposed in the majority of the claims examined by NetDiligence, followed by other financial data and billing records. NetDiligence said one claim involved copyright infringement.
Fines associated with the Payment Card Industry Data Security Standard (PCI DSS) ranged from $11,000 to $120,000, according to the study. Two of the incidents occurred at restaurants and were caused by hackers. A third occurred at an organization in the education sector and involved the compromise of a point-of-sale device, the study found.
"The dirty little secret of the infosec world, and with compliance in particular, is that there is no comfort to be gained from meeting requirements," said Pete Lindstrom, a security expert and principal analyst at Spire Security. "Your likelihood of having an incident doesn't actually change. Compliance doesn't equal security."
According to the NetDiligence study, only four of the 145 data breach claims involved health-care data, and each resulted in coverage of $150,000 in fines. The health-care firms either mishandled paper records or were struck by malware infections, exposing protected health information.
Cyberinsurance also paid out in the case of a health-care provider's staff member who commented on a patient's diagnosis on a social media website. The resulting legal expenses pushed the per-record cost of that incident above a quarter of a million dollars, according to the study. In another claim, the theft of a single donor's credit card information from a nonprofit triggered a forensics investigation, a lawsuit and a PCI fine that together amounted to $50,000 in expenses.
Most incidents stemmed from lost or stolen laptops and storage devices, followed by external hackers. Rogue employees came next, responsible for 17 claims, followed by malware infections and exposure of data in paper records. Denial-of-service attacks causing business disruption and downtime were associated with three claims, according to NetDiligence.
PUBLISHED JAN. 21, 2014