Title: Should Your Firm Invest in Cyber Risk Insurance? (Subscription or fee required)
Author: Scott J. Shackelford (Indiana University)
Publisher: Business Horizons, vol. 55, no. 4
Date Published: July–August 2012
In one of the largest data breaches in corporate history, hackers penetrated Sony Corporation’s PlayStation Network and Sony Online Entertainment services multiple times during the spring of 2011 and gained access to the names, addresses, and passwords of some 102 million customer accounts. The attacks are estimated to cost Sony between US$1 billion and $2 billion, not counting the damage to the company’s reputation.
But Sony wasn’t alone: Best Buy, Citigroup, Hilton, JPMorgan Chase, the International Monetary Fund, Lockheed Martin, Marriott, Target, and Verizon were also hit by hackers in 2011.
As concerns have grown about such attacks, so, too, has interest in cyber risk insurance. Even before that spate of attacks, the market for such policies was booming, growing from a $100 million business in 2003 to at least a $600 million business in 2009. This paper, which analyzes the liability of firms for data breaches under U.S. law and examines more than 50 government and law enforcement reports, academic studies, and surveys across a wide range of industries, most released in the past few years, concludes that firms should consider purchasing cyber coverage.
But the author warns that companies have to be far more proactive and must view insurance as only one part of a multipronged risk mitigation strategy. Apart from the fact that most cyber insurance coverage is still limited and evolving, companies need to deploy a range of basic and cutting-edge protections within their internal security systems. In addition, they should make sure that a senior manager is responsible for overseeing these risks. An overreliance on insurance, the author cautions, could leave both “corporate intellectual property and consumer records at risk.” Data breaches reportedly cost U.S. companies about $204 per lost consumer record as of 2009, and one 2011 study of IT executives at large firms found that 80 percent had detected one or more recent attacks.
The need for insurance specifically directed at cyber attacks was underscored by the Sony case. Sony, which found itself facing almost 60 class-action lawsuits over the hacking, is in an ongoing legal battle with its insurance carrier, which contends that its general business coverage does not extend to cyber crime.
Cyber policies offer a variety of protections and services — for example, business interruption insurance covers companies’ direct losses from being hacked, and post-breach responses include the hiring of computer forensic experts and the use of credit-monitoring services. Nonetheless, companies taking out such policies can remain exposed to liability, due to a combination of legal gray areas, a still-developing insurance market, and the ever-changing nature of cyber threats.
One of the challenges to putting the right protections in place is that cyber crime takes many forms. Identity theft costs consumers more than $5 billion a year, the author reports, and costs firms another $48 billion. Fraud is also a major problem, accounting for more than 600,000 complaints and $1.8 billion in claims from businesses in 2008. And as the persistent Operation Aurora attacks on Google and other multinational companies in 2009–10 showed, sophisticated attackers are mounting sustained campaigns specifically aimed at stealing firms’ intellectual property.
State and federal legislators have struggled to put regulations and protections in place that keep up with the emerging cyber threats. Congress, for example, is still weighing a broad-based Cybersecurity Act. In the meantime, courts are increasingly holding companies liable for not securing their information and government officials have been urging firms to buy cyber risk insurance.