The Target data breach, which exposed the personal information of 40 million credit card holders, underscores the need for businesses to devote resources to cyber risk management, including the potential purchase of cyber risk insurance.
Target apologizes and provides suggestions to customers
Target Brands, Inc. has issued an apology for the widely reported breach, which is said to have affected brick-and-mortar customers who made debit or credit card purchases between November 27 and December 15. In the same notice, Target advised customers to make use of governmental agencies and the periodic free credit reports available from the credit bureaus. There was little mention of resources being made available by Target itself; Target only instructed customers to contact it if there was evidence that a Target brand credit card was being misused. However, a few hours ago Target CEO Gregg Steinhafel announced that Target would be offering free credit monitoring services. Although expensive, this was a wise decision. The company's credibility was at stake.
Responsibility for loss control including customer notification and credit monitoring
When a company's security is breached and the personal information of its customers is released, the company may need to supply credit monitoring services to those affected. This can be legally imposed, or it can be done proactively to reduce future liability and to promote good customer relations.
The law requires a company to notify its customers in the event their personal information was exposed in a breach. Target has been notifying some customers personally of the breach via email, and as the Baltimore Sun Times has indicated, with letters via U.S. mail. It appears that this effort is far from complete, however.
Cyber risk insurance can cover notification costs, credit monitoring, and regulatory fines
Businesses can purchase cyber risk insurance to cover this exposure. Policies can be configured to cover customer notification, credit monitoring and payment of fines. In the event of actual liability claims, policies can also provide coverage for defense costs and for damages.
A company can be quickly overwhelmed with phone calls after a breach
While Target has substantial resources, the breach is the second largest in history, so it will be scrambling to put together systems to handle the influx of calls and inquiries, and sort out who will be provided credit monitoring services. Indeed, the Associated Press (AP) just reported that Target has been overwhelmed by phone calls from concerned customers, and that many phone calls now result in a busy signal. This should change as crisis management personnel are trained on the situation and put online.
Insurance companies have adequate arrangements in place to handle the surge in calls produced by the breach of a small to mid-sized business. Hence, companies that have purchased quality cyber liability insurance coverage are unlikely to be faced with the short-term predicament Target now finds itself in.
Contingency planning for cyber events is critical. In addition to actually paying for all of this, cyber risk insurance is one way to provide such a contingency plan. By putting the elements of a response in place before an event has occurred, the firm can reduce response time and mitigate damages. Companies that only develop breach-response provisions after a breach has occurred are typically overwhelmed. Any delays in implementing a response can magnify direct losses, and critically injure a firm's reputation. Cyber risk insurance represents an extremely efficient way to put key components of such a plan in place for small to mid-sized businesses.
Potential impact on Target
The impact on Target's short-term sales and long-term business prospects is unclear. CNBC speculated that the breach could negatively impact sales during the critical Christmas holiday shopping season. In the same report, however, CNBC noted that TJX had an even larger breach several years ago but did not appear to suffer long-term effects.
Cyber risk insurance can cover first-party losses of the hacked company itself
Policies can also be configured to cover losses to the insured business itself. Such coverages are known as "first-party" coverage. In the case of Target, losses in revenue caused by a decline in trust by consumers could have been covered. This first-party coverage for damage to the brand is new and extremely desirable. But it is relatively untested. Businesses seeking this form of coverage should carefully go over the policy provisions with a knowledgeable insurance broker, and if they can afford it, an attorney. As an example, the insured may have to provide substantial evidence that the breach caused an observed decrease in revenues. That may be hard to do in practice. A business that has a detailed metrics system in place may fare better than one that does not when attempting to obtain payment for such a claim.
In addition to this reputation coverage, policies can cover revenues lost because a system is crashed by a hacker. This form of first-party coverage is called cyber business interruption coverage. It would pay an amount for each day that a critical website or system is down. This coverage has been readily available for a longer period of time, and loss payment amounts are objectively determined. The daily payment amount is actually selected by the insured in the application for insurance. The amount selected affects the policy premium. The coverage is analogous to the business interruption coverage provided in a commercial property insurance policy, where the owner of a building may be compensated for lost rents during the time period a building is unusable after a fire.
Cyber risk policies can also be configured to provide first-party coverage for the restoration of data that was destroyed by a hacker. Say, for instance, that the breached company's data was deleted, but some of it could be extracted from other resources. Such a policy might pay for the work necessary to do this. This is also a better-established coverage.
Cyber risk management requires more than securing one's systems
Firms must do more than just secure their systems if they wish to adequately manage the risk of a cyber incident. If a company as large and well-secured as Target can be victimized, virtually any company can be victimized. So, in addition to securing a firm's own systems, corporate directors must see to it that adequate contingency plans are in place in the event of a breach. Cyber risk insurance provides an extremely efficient means for putting such plans in place for small and medium-sized businesses.