Does Your Company Need Cybersecurity Insurance?
Though it happened nearly three years ago, the data breach that Target Corp. suffered continues to resonate. During the 2013 holiday shopping season, cyberthieves made off with the payment card data (card numbers, expiration dates and card verification values) of about 40 million customers. A separate set of roughly 70 million customer records was taken as well; it included names, mailing addresses, phone numbers and email addresses.
The breach cost the retailer millions of dollars in remediation and legal costs. It also became a public relations black eye for Target that translated, in the short term, into lost customers and revenues.
Cybercrime continues to grow, says Chris Heim, CEO of Eden Prairie-based HelpSystems, which provides IT automation, business intelligence and cybersecurity services worldwide. Its customers range from small companies to Fortune 500s. The merely disruptive lone hackers of the past are giving way to sophisticated global gangs that are heisting large blocks of data, either for their own scams or for sale elsewhere on the so-called dark web.
“Target was the big event, but they’re not alone,” Heim adds. “The number of attacks is going up and up, and the bad guys are better organized, well funded, more knowledgeable and more skilled.”
You can add Sony, Home Depot and J.P. Morgan Chase to the list of organizations that suffered huge and well-publicized breaches in the past few years. With familiar names like those, some smaller companies may conclude that they are less vulnerable to similar attacks. Why go after a small fish when the big fish have so much valuable data?
But cybersecurity experts warn that all data has value on the global market. Even a small breach can put a small company at risk of financial damages that many can’t afford. This realization has businesses of all sizes signing up for cybersecurity insurance, a type of coverage that has boomed alongside cybercrime in recent years.
At the same time, experts say, companies shouldn’t simply assume that an insurance policy alone will protect them from legal ramifications of a breach.
Though cybercrime statistics aren’t precise—a great many attacks aren’t reported—the figures that exist are sobering. For example, Symantec, a cybersecurity software company, reports:
- There were 429 million exposed online identities in 2015, compared with 348 million in 2014.
- Forty-three percent of spear-phishing attacks in 2015 targeted small businesses, compared with 34 percent in 2014.
Small enterprises often are victimized by ransomware (malware that encrypts a company's files or locks its systems and demands payment for the key) and phishing (emails crafted to look as if they come from banks and other trusted sources, designed to trick the recipient into revealing passwords and other valuable data).
What transpired at Target and Home Depot wasn't hacking so much as "exploitation of misconfiguration," says Robin Tatam, HelpSystems' director of security technology.
“A true hack is where somebody has exploited some typically unknown vulnerability in an operating system or an application environment,” Tatam says. In a misconfiguration, “somebody has, say, user accounts with passwords that match the username.” In other words, a misconfiguration is a window that’s been left wide open. “This doesn’t mean it can’t be fixed,” he adds. “It’s just that they haven’t.”
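Tatam's example, an account whose password equals its username, is the kind of open window a defender can find by auditing the credential store before an attacker does. The following is an added example, not code from the article or from HelpSystems: it derives a handful of guesses from each username, hashes each guess with the account's own salt and reports every match. The store format (PBKDF2-HMAC-SHA256 with a per-account salt), the iteration count and the sample accounts are assumptions constructed for this example.

```python
"""Audit a credential store for passwords that are guessable from the username.

Added example, not from the article. The store format (PBKDF2-HMAC-SHA256,
per-account salt, fixed iteration count) and the sample accounts are
assumptions made for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000  # assumed work factor of the example store


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash the same way the (assumed) application does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(username: str, password: str) -> Account:
    """Create an account record with a fresh random salt."""
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def candidates(username: str) -> list[str]:
    """Guesses a defender should try before an attacker does, in order."""
    u = username
    raw = [u, u.lower(), u.capitalize(), u[::-1], u + "123", u + "1", u + "!",
           "password", "Password1", "changeme", "welcome"]
    seen: set[str] = set()
    ordered: list[str] = []
    for guess in raw:          # de-duplicate while preserving order
        if guess not in seen:
            seen.add(guess)
            ordered.append(guess)
    return ordered


def audit(accounts: list[Account]) -> dict[str, str]:
    """Return {username: matched_guess} for every account with a weak password."""
    weak: dict[str, str] = {}
    for acct in accounts:
        for guess in candidates(acct.username):
            # Constant-time compare: the audit should not itself leak hash bytes.
            if hmac.compare_digest(hash_password(guess, acct.salt), acct.pw_hash):
                weak[acct.username] = guess
                break
    return weak


# Constructed sample store: accounts as a misconfigured deployment might leave them.
SAMPLE_ACCOUNTS = [
    make_account("svc_backup", "svc_backup"),           # password == username
    make_account("jdoe", "jdoe123"),                    # username plus a common suffix
    make_account("admin", "c0rr3ct-h0rse-b4ttery"),     # not derivable from the username
]

if __name__ == "__main__":
    for user, guess in audit(SAMPLE_ACCOUNTS).items():
        print(f"WEAK: {user} (guessed '{guess}')")
```

On a real system the hashing routine is swapped for whatever the store actually uses (bcrypt, NTLM, a directory's password hash) and the candidate list grows; a hit means the password is reset and the account's recent logins are reviewed, since anyone else could have guessed it just as easily.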
While it’s true that financial institutions, retailers and, increasingly, health care companies are the most desirable victims, many crooks will go after the easier targets, Tatam says. That means small businesses can expect to be attacked, and they typically don’t have the kind of protection that these three industries have developed.
What do cyberburglars want?
“Health care information has become probably the biggest ROI from a hack perspective,” Tatam says. “The reason for that is simply that it is highly saleable. There are countries and individuals that do not have health care” and will try to use other people’s insurance coverage as their own.
Also, Heim adds, patient and insurance records contain information-rich data, including birth dates, Social Security numbers and much more. On the global black market for digital data, health care information is traded at 10 to 20 times the price of a credit card record, if not higher, Tatam says.
Little wonder that cybersecurity insurance has become the newest hot coverage, says Jeff Maas, president of the Minneapolis property and casualty division for CBIZ, a Cleveland, Ohio-based financial and employee business services provider. Though cybersecurity insurance has been available for about 15 years, in some respects it's still in its infancy. Demand has been stepping up rapidly in the past few years, notably because of the Target breach and others. Kris St. Martin, CBIZ's Minneapolis bank program director, says most of the banks he works with previously thought their IT departments could handle these kinds of issues.
Cybersecurity insurance is “an evolving coverage,” with carriers offering a variety of policies, according to St. Martin, whose work includes advising financial institutions on security issues.
Generally speaking, there are three types of coverage. One is a traditional policy to which an option for electronic theft has been added. A second is a form of directors and officers (D&O) insurance that's designed to protect those leaders from any liability or settlement due to a data breach. St. Martin notes that Target board members were sued for lack of oversight.
The third form is what St. Martin calls “the classic cyber-policy,” which is intended to cover all costs associated with a data breach. For instance, if a bank has 50,000 customer records compromised by what the state law defines as a breach, that bank will have to send notifications to all 50,000 people, as well as provide free credit monitoring for a certain amount of time. A cybersecurity policy could cover those expenses. Depending on how the policy is worded, it could also cover defense costs if the bank is sued.
Post-Target breach, this type of insurance has become readily available. “There are so many companies offering it,” Maas says. “Most insurers who aren’t big in ‘cyber’ are offering some form of it as an add-on to their regular property and liability policies.” St. Martin says there are six or seven carriers that are very thorough in cybersecurity coverage.
Beyond policy choices, if your customers' data is stolen, are you protected from a legal standpoint?
Eran Kahana, a technology and intellectual property attorney with the Maslon law firm in Minneapolis, recommends that clients look at cybersecurity coverage as a specialty insurance, and not simply a bolt-on to a general liability policy. Kahana, who represents companies with $5 million to $200 million in revenue, advises businesses to get granular with their insurance approach. He stresses that companies considering cybersecurity insurance need to weigh every contingency and possibility. As Target and others have discovered, businesses suffering data breaches also can be hit with lawsuits.
One of Kahana’s roles as an attorney is helping clients handle “the hailstorm of issues that happens once a breach occurs.” These issues include contractual obligations in terms of notification—in other words, who should be informed of the breach. And, of course, companies are looking at litigation risks, he adds.
Legal disputes are why carefully worded cybersecurity insurance policies are crucial. In litigation, the insurance company “is going to deny the claim and say that the breach did not fit the language of what is covered because the language of what is covered is a bit too vague,” Kahana notes.
In addition, Kahana says, there are the challenges of a company relying on cloud services to which it has outsourced data. Insurance might not cover data loss over the cloud, or customer data lost by a third-party vendor.
“My job is to look at all of the different variables that make up a data security picture,” Kahana says. “When we’re looking at insurance, I’m making sure we’re thinking through all the things we need based on a known standard.” It also means coverage that can handle the high costs of data restoration.
To make sure that those costs are indeed being covered, Kahana recommends that companies make sure that the policy language is very specific. He advises anchoring the security program to established standards such as Federal Information Processing Standard (FIPS) 199, which federal agencies use to categorize information and information systems as low, moderate or high impact according to the harm a loss of confidentiality, integrity or availability would cause. Though written for government, it can guide businesses in deciding how much protection each class of data needs. Kahana says that NIST standards also can be useful. (NIST is the National Institute of Standards and Technology, a federal agency.) The goal is for a cybersecurity team to be able to say to its company's leadership: We did this right.
Are businesses getting better at handling cybersecurity risks, particularly in the wake of so many high-profile hacks? From Kahana's perspective, the answer is no. "They're doing something about it, but they're not getting good at it," he says. Too many clients are borrowing policies and procedures from other businesses, then thinking that they have fixed their problems. Many aren't adopting all best practices, not even basic ones such as encryption, two-factor authentication for system access, or vigorously enforcing a policy that employees not leave laptops where they can be stolen.
“My top advice [to businesses] is to engage with experts to guide them in building not a risk-free but a well-reasoned cybersecurity culture,” Kahana says. “You can’t do this internally by yourself.”
False sense of security
Establishing a good culture involves legal, technical and organizational participation and interaction. “Cyberinsurance is good, but it doesn’t eliminate the need to build an information security program,” says Chad Boeckmann, founder and CEO of Secure Digital Solutions, a St. Louis Park-based information security consulting firm. Believing that the insurance will cover you in case of a breach can, in effect, create a false sense of security.
“In order for you to actually be paid on a claim, the first thing the insurance company is going to inquire about is the state of your security program,” Boeckmann explains. Insurers will ask how detailed that program is and will want to ascertain that it’s more than a set-it-and-forget-it list of policies and procedures. Undertaking an annual security-program risk assessment and making adjustments as the business changes—new markets, products, technologies and resources—is important. But recalibrating a security program is also necessary to adapt to ever-shifting dangers of cybercrime.
Boeckmann urges businesses to have well-defined response plans in case of breaches. Bad guys aren’t going to stop, and security isn’t 100 percent effective. “You can get it to 99 percent, and that’s about as good as you’re going to get it,” he says. That’s why having an incident response plan is key to surviving an adverse event. “As we’ve been saying in this industry, it’s not a matter of if, but when” an attack occurs, he says.
The upshot for any business: Though you’re not a Target, you’re still a target. A thorough cybersecurity insurance policy can help protect a business financially and legally, but such policies can’t replace a well-designed cybersecurity program. As Boeckmann notes, “Security can become a competitive advantage in this day and age.”
Gene Rebeck is a Duluth-based freelance journalist who writes monthly for Twin Cities Business.