Printed from BusinessInsurance.com

Insurance options vary as much as cyber attacks

Posted On: May 20, 2007 12:00 AM CST

So-called cyber attacks threaten businesses of all sizes, yet business use of various insurance products to protect against such attacks differs substantially among insurers, industry experts say.

According to American International Group Inc., cyber attacks have compromised nearly 90 million identities in the United States since 2005.

Of 200 data breach claims, AIG said 33% were from hacking, 25% were from stolen equipment, 10% were from missing or lost data, 7% were from dishonest insiders and 22% from "other security failures," with 3% unaccounted for.

"The victim must determine what happened, how information was accessed, what was accessed and if it was criminal," said Nancy Callahan, vp of AIG's identity theft and fraud division. "If it was criminal, they have to bring in law enforcement."

"The sheer magnitude of the loss of almost 90 million customer records and the variety of causes is shocking," Ms. Callahan said. "It's urgent to protect middle-market companies and small businesses against the aftermath of an identity breach theft."

Experts estimate indirect costs for lost productivity from stolen or misplaced data average $15 per customer record, while lost customers and recruiting new customers cost $75 per customer record.

Ms. Callahan said the average total cost of an information breach is $50 million.

Data security breaches pose an enormous threat and cost businesses a huge amount of money, said Kate Armfield, co-chair of RiskProNet International's marketing/placement practice group, a network of 28 independent brokers in the United States and Canada. She is also principal-account marketing at brokerage Armfield, Harrison & Thomas Inc. in Leesburg, Va.

Examine differences

"We have reviewed multiple forms that provide this type of coverage and caution there are differences that need to be reviewed during the placement process," Ms. Armfield said. "Some, for example, provide coverage for 'Dumpster diving' or data from stolen laptops and others do not."

Businesses have been slow to buy technology and cyber liability coverage for several reasons, said Patrick Deaver, vp of operations at digital media company i-Mark Inc. in Holly Springs, N.C.

"This is still a concept. There is a lack of awareness due to slow rollout and penetration among business insurers," Mr. Deaver said.

"Where the coverage has been promoted, the value of the coverage has yet to exceed the cost. The insured is still willing to accept the risk of exposure due to a lack of monumental cases that illustrate true impact dollars resulting from security breaches," Mr. Deaver said.

Kirk Sexton, former chief information officer with CHOICE Medical Management Services L.L.C., a Tampa, Fla.-based workers compensation and disability management services provider, has used data breach insurance provided by Unisource Administrators Inc., its parent company in Sarasota, Fla. Mr. Sexton, now an independent consultant, said data breach claims were part of a roll-up technology/Internet rider attached to a general liability policy.

"There were some general conditions that we put into internal policy that helped protect ourselves and lower the premium cost as well," Mr. Sexton said. "Among those were the policy of requiring our trading partners to carry a minimum of a $10 million policy as well."

Data security breach coverage can be purchased as part of a technology liability policy or on a stand-alone basis, said Joshua Gow, vp of Philadelphia-based ACE Professional Risk, a unit of ACE USA.

"We are seeing a lot of demand from a lot of industries that do not have full-line professional liability exposure like retail, hospitality, restaurant chains," he said.

"Companies outsource a ton of different tasks from payroll to accounting to consulting contracts and call centers," Mr. Gow said. "The natural result is that they are taking their confidential client information and entrusting it to third parties."

"If I am entrusting my payroll to an outside company, I say, 'Fine, as part of our contract you are required to maintain $5 million coverage in private liability limits,' " Mr. Gow said.

Data security policy limits are available from $1 million to $50 million.

Responsible outsourcing

"It's a matter of going in and transferring liability," Mr. Gow said. "Even though I have outsourced that service to a third party, if that third party loses my customer data, the customers are going to sue me. I'm the one who trusted this third party to handle the data."

"So I want my own insurance and I want them to have insurance to subrogate against in case there is a problem," Mr. Gow said.

Numerous insurers write data security coverage.

Mark Ware, director of IMA Financial Group Inc.'s technology industry practice, a Denver-based brokerage, said the market penetration is low because some brokers do not understand the issue and companies with strong information technology departments think they are beyond claims.

"Cost of such insurance depends on what a company considers to be its exposure," said David Halstrom, an underwriter at Beazley Group P.L.C. in Farmington, Conn. "A risk manager and a company protecting stakeholders (are) going to have elaborate and technologically related controls available to fend off these risks.

"It's going to be a risk/reward related to the premium vs. the protection you get," Mr. Halstrom said. "Also, it is a matter of do you include that into your total risk management process as a risk manager."

"There are a lot of moving parts to these issues. At the end of the day, the good guys in network security are having trouble keeping up with the bad guys," Mr. Halstrom said. "At the end of the day, that is when insurance is there to protect against those types of situations, where the companies we insure did all that they could, but weren't able to fend off."