Data breaches, work interruption and network damage along with the intangible losses to business reputation for security are among the issues facing businesses. Cyberinsurance has become a priority business expense in planning in the new era for cyber-attacks, according to The New York Times.
The attack on Target over the holiday season of 2013 is a painful reminder for the planning budget of 2014. There are at least 50 companies offering insurance for cyber security.
The Department of Commerce lists cyber security as a necessity and as a deterrent. The Department of Homeland Security introduced its first workshop in October 2012 to face the challenges of the market due to losses to companies from cyber-related incidents.
The DHS National Protection and Programs Directorate (NPPD) held a follow up in November 2013. The NPPD round table focused on “how do cost/ benefit considerations inform the identification of not only an organization’s top cyber risks but also appropriate risk management investments to address them?”
Insurance companies who offer cyberinsurance are faced with the dilemma of the cost of losses and how to assess losses. If losses can be identified it is of course much quicker and easy to insure. But the intangible items are difficult.
Ed Powers, who heads the online risk services, practice at Deloitte & Touche, the accounting firm states, “The ones that are less tangible and less quantifiable are more challenging, but those are often the bigger ones.”
How does a company give data for insurance requirements when the future amount of loss is difficult to quantify? Target had a difficult situation at Christmastime 2013 trying to determine the number of customer transactions stolen and the amount of the theft. Numbers varied while Target was trying to determine the source of the attack. It is not a slam and dunk to assess damage.
Companies’ place their data online so it is also difficult to assess what has been stolen and not yet surfaced anywhere is a system to identify the loss.
Graeme Newman, a director at CFC Underwriting, said that in underwriting property, there is a history on which insurance companies can draw valuation. The cost of fire can be quantified and “they could tell you exactly the chance of an office building burning down in Midtown Manhattan, but there isn’t anyone on this planet who could tell you the probability of a large U.S. retailer being hacked tomorrow,” says Newman.
The cost of cyberinsurance has now reached $1.3 billion, according to Betterley Risk Consultants, which is an increase from the $1 billion paid in 2012. The breakdown of that includes smaller policies issued to small to midsize businesses.
The large sized companies that have one billion in capitalization can receive cyber insurance protection of about $300 million while the company can insure its property assets in the billions. That is a significant loss when a large company such as a target calculates over 100 million transactions hacked.
Target’s insurance allocated at the time of its breach was $100 million in coverage, on top of a $10 million deductible, according to regulatory filings. The coverage however came from multiple carriers. That $100 million payment does not compensate for the $1 billion in losses some analysts are forecasting.
On top of the losses in Target's sales, there are legal, accounting, filing fees, new cyber security and other expenses of $88 million. Target only expects insurance to pay $52 million. Once a situation as this one has occurred it makes it more difficult for Target to acquire additional cyberinsurance.
After the Chinese cyber attack on U.S. businesses came to the news in May with a filing from U.S. Atty Gen. Eric H. Holder Jr. against five Chinese military officers, tensions increased between the U.S. and China. This past week-end President Obama met with Chinese President Xi Jinping in California at Rancho Mirage. A main topic of discussion was the cyber attacks and theft of intellectual property.
The calculation by insurance underwriters will forge on into this new era of insurance underwriting because it is too large an amount of insurance premiums not to offer from its insurance services. It is now a part of everyday business and in international meetings with a U.S. president.