Posted on 27 Dec 2011
Sony is still awaiting the final tally for losses related to its data breaches earlier this year. At last count, the breaches had compromised 100 million customer accounts, and Sony anticipated the debacle would cost $200 million. With 58 class-action suits in the works, that may be wishful thinking.
Now for the really bad news: Sony’s losses aren’t insured.
In a lawsuit, Sony’s insurer, the Zurich American Insurance Company, reminded the company it does not own a cyber insurance policy. Sony’s policy only covers tangible losses like property damage, not cyber incidents.
“That’s cyber insurance in a nutshell,” said Jacob Olcott, a principal with Good Harbor Consulting’s cybersecurity team. “Everybody needs it, and most companies don’t realize they don’t have it until it’s too late.”
Despite high-profile cyber attacks at Sony, Google, Epsilon, RSA and others this year, only a third of companies surveyed by Advisen, a research group, say they have purchased a cyber insurance policy.
Experts say that more companies will buy policies in the coming year because of new Securities and Exchange Commission requirements. Last October, the S.E.C. issued new guidance requiring that companies disclose “material” cyber attacks and their costs to shareholders. The guidance specifically requires companies to disclose a “description of relevant insurance coverage.”
That one S.E.C. bullet point could be a boon to the cyber insurance industry.
Cyber insurance has been around since the Clinton administration, but most companies tended to “self insure” against cyber attacks, says Robert Ackerman, a venture capitalist at Allegis Capital who specializes in cybersecurity.
“Companies don’t want to talk about cyber attacks,” Mr. Ackerman says. “All of a sudden, breaches are now going to be more visible and people are going to have to start estimating their costs.”
There are no statistics on the size of the cyber insurance industry, but Peter Foster, a senior vice president at Willis North America, an insurance broker, estimates there may be $750 million worth of premiums placed. With the recent S.E.C. measure and the frequency and severity of cyber attacks growing, Mr. Foster predicts that figure could grow by 50 percent over the next 12 to 18 months.
The average cost of a data breach hit $7.2 million last year and cost companies $214 per compromised data record, according to the Ponemon Institute. And that’s just for a data breach. If a company’s intellectual property is stolen, it could decimate an organization.
“It is now possible to suck all the information out of a company,” said Scott Borg, chief executive of the nonprofit United States Cyber Consequences Unit.
A comprehensive cyber insurance policy should cover intellectual property theft, said Emily Freeman, a cyber insurance broker at Lockton. Most policies, Ms. Freeman said, cover the “twin risks of privacy and security,” which include the cost of lost business, notification costs, credit-monitoring services, public relations and legal and investigation expenses. It may also cover class-action lawsuits, regulatory investigations, civil fines and even extortion demands.
“There’s no one size fits all. It depends on the size of the company and their exposure,” Ms. Freeman said. “I’ve seen companies buy a million dollars of this coverage with a small deductible. Others have bought $100 million of coverage for a rainy day — the kind of rainy day you might have to disclose to the S.E.C.”