Title: Should Your Firm Invest in Cyber Risk Insurance? (Subscription or fee required)
Author: Scott J. Shackelford (Indiana University)
Publisher: Business Horizons, vol. 55, no. 4
Date Published: July–August 2012
In one of the largest data breaches in corporate history, hackers penetrated the Sony Corporation’s PlayStation and Online Entertainment divisions multiple times during the spring of 2011 and gained access to the names, addresses, and passwords of 102 million customers. It’s estimated the attacks will cost Sony between US$1 billion and $2 billion, not including the damage to the company’s reputation.
But Sony wasn’t alone: Best Buy, Citigroup, Hilton, JPMorgan Chase, the International Monetary Fund, Lockheed Martin, Marriott, Target, and Verizon were also hit by hackers in 2011.
As concerns have grown about such attacks, so, too, has interest in cyber risk insurance. Even before that spate of attacks, the market for such policies was booming, soaring from a $100 million business in 2003 to at least a $600 million business in 2009. And this paper — which analyzes the liability of firms for data breaches under U.S. laws and examines more than 50 government and law enforcement reports, academic studies, and surveys across a wide range of industries, most released in the past few years — concedes that firms should consider purchasing cyber coverage.
But the author warns that companies have to be far more proactive and must view insurance as only one part of a multipronged risk mitigation strategy. Apart from the fact that most cyber insurance coverage is still limited and evolving, companies need to install a number of basic and cutting-edge protections in their internal security systems. In addition, they should make sure that a senior manager is focused on the dangers. An overreliance on insurance, the author cautions, could leave both “corporate intellectual property and consumer records at risk.” Data breaches reportedly cost U.S. companies about $204 per lost consumer file as of 2009, and one 2011 study of IT executives at large firms found that 80 percent had detected one or more recent attacks.
The need for insurance specifically directed at cyber attacks was underscored by the Sony case. Sony, which found itself facing almost 60 class-action lawsuits over the hacking, is in an ongoing legal battle with its insurance carrier, which contends that its general business coverage does not extend to cyber crime.
Cyber policies offer a variety of protections and services — for example, business interruption insurance covers companies’ direct losses from being hacked, and post-breach responses include the hiring of computer forensic experts and the use of credit-monitoring services. Nonetheless, companies taking out such policies can remain exposed to liability, due to a combination of legal gray areas, a still-developing insurance market, and the ever-changing nature of cyber threats.
One of the challenges to putting in place the right protections is that cyber crime takes many forms. Identity theft costs consumers more than $5 billion a year, the author reports, and costs firms another $48 billion. Fraud is also a major problem, accounting for more than 600,000 complaints and $1.8 billion in claims from businesses in 2008. And as the persistent Operation Aurora attacks on Google and other multinational companies in 2009–10 proved, high-tech criminals are employing a series of sophisticated assaults to capture firms’ intellectual property.
State and federal legislators have struggled to put regulations and protections in place that keep up with the emerging cyber threats. Congress, for example, is still weighing a broad-based Cybersecurity Act. In the meantime, courts are increasingly holding companies liable for not securing their information, and government officials have been urging firms to buy cyber risk insurance.
Until recently, at least, corporate boards largely turned a blind eye to the problem, this paper notes. A 2010 Carnegie Mellon survey found that 56 percent of board members at firms with revenues between $1 billion and $10 billion thought improving risk management was important, but none of them cited improving data and computer security as a priority. Insurers, however, are now routinely including cyber risk assessments in their estimates for overall coverage, and more companies are signing up.
But those buying policies must augment their coverage with a variety of internal safeguards, the author maintains. These safeguards include installing the virtual equivalent of security cameras and padlocks, and using technology to detect intrusions, patch software holes, encrypt crucial data, and provide buffers between internal systems and the Internet.
Adding a cyber watchdog to the corporate hierarchy is also important. When Sony was first hacked in April 2011, the company did not have a senior manager devoted to information security, the author reports. The presence of such a manager can make a significant difference. One study cited by the author found that firms with a chief of information security reported lower costs after a breach: a tally of $157 per affected consumer versus $236 for firms without a leader in strategic security.
Corporate acknowledgment of the problem seems to be on the rise. More firms are disclosing information about their data protection measures to the U.S. Securities and Exchange Commission (SEC), which has hinted that it might soon require such disclosure. And some studies have shown that companies that choose to disclose aspects of their data protection practices in their annual reports profit from the move. Investors could view this form of disclosure as a commitment to prevent a cyber attack, “which would positively impact consumer trust, lead to greater transparency, and drive up the company’s market value,” the author writes.
In considering cyber risk insurance, firms should conduct a cost-benefit analysis: Would a policy mitigate exposure to cyber risk, taking into account how applicable state laws affect liability? The analysis becomes more complicated for multinational firms, because the nascent laws on cyber crime vary significantly from country to country.
If managers do opt to buy insurance, they can’t use that coverage as an excuse to delay other cybersecurity measures, the author cautions. “As losses mount, investors will likely stop treating cyber attacks as a corporate nuisance,” he concludes, “and start treating them as the serious threat that they are” to a firm’s very survival.
Cyber attacks are on the rise, costing firms millions in direct and indirect costs, and managers should consider purchasing special insurance to limit their liability. But buying a policy should not give companies a false sense of security; strong internal countermeasures are still required.