Cyber Risk on the Rise

Business owners have long protected company assets through property and casualty insurance that covers bricks and mortar, but they now face danger from another corner "” cyber and privacy breaches.

"The number one trend that I'm seeing right now is companies facing cyber exposures and addressing cyber risk," says Todd Belden, president of the Cincinnati office of Hylant Group. "The definition of assets is really changing. Ten years ago, you would not have thought of data as an asset. It's really a company asset that needs to be protected."

Cyber or privacy breaches occur when sensitive data, such as employee Social Security numbers or patient health information, are lost or stolen. Traditional insurance against theft does not cover data breaches from hackers who steal digital information, and most insurance plans do not cover the costs incurred from misplacing or losing sensitive data.

"These policies are purchased as standalone products," says Spencer Timmel, privacy liability and network security specialist for Executive Risk Practice at Hylant Group. "Companies with Personally Identifiable Information and protected health information should purchase standalone products to transfer this risk and protect their balance sheet."

Lost or stolen data can cost millions of dollars if not protected. The TJX Companies, the parent company of T.J. Maxx and other retail stores, suffered data breaches in 2005 and 2006 that compromised approximately 94 million credit cards and cost the company an estimated $250 million. In 2009, the largest breach to date occurred when 130 credit card numbers were pilfered from Hartland Payment Systems, with damages already numbering $200 million and still ticking.

As individual information online becomes more and more public, so, too, is sensitive business information becoming more open to exposure.

"If you're doing anything online, you're risking this exposure," Belden says. "Obviously, the size of your online activity dictates your exposures. If you sell products online and you're capturing credit card information, any type of personal information at all, then that's an exposure as well."

COMBING FOR COVERAGE

Businesses need property and casualty insurance, but often face the daunting task of deciding what type of insurance product to purchase, the amount of risk retention to assume, and the right broker to hire. Specialty insurance products can be purchased for farm crops, equine mortality, ocean and marine packages, as well as cyber liability.

"You have to truly hire a broker who understands your exposure, understands your products, understands the markets to be able to tailor the product that best fits your needs," Timmel says.

Choosing the right coverage is highly industry specific and varies based on the company's type of risk and level of exposure. A local retailer processing less than 25,000 credit cards per year does not face the same risk as a national retailer with hundreds of store locations and a large
e-commerce website.

"Primarily, it is geared toward how much information you're storing," according to Timmel. "If you're a smaller organization, you certainly have less exposure, less risk to your balance sheet, but that should not undercut your responsibility to manage the risk, to understand it."

When a privacy or cyber breach occurs, companies are obligated to notify the affected parties. Notification requirements vary by industry: Health care is regulated by the HIPAA and HITECH Act, but companies handling credit cards must comply with the Payment Card Industry Data Security Standard.

Regulations for notifying affected individuals also vary state by state. So, if a customer from Georgia has a credit card number stolen at a store in Ohio, the store in Ohio has to comply with Georgia notification regulations. When thousands of records are compromised, managing notifications across state lines and responding to potential lawsuits becomes a difficult task.

"It's time consuming and not very easy for the company going through the breach to figure out "¢ without spending a lot of money," says Craig Hoffman, an associate with Baker & Hostetler law firm.

Companies must notify thousands of individuals, hire legal counsel, protect their brand name and preserve consumer trust. So the financial fallout piles up quickly, costing $214 per compromised record and an average of $7.2 million per data breach event, according to the Ponemon Institute's 2010 U.S. Cost of a Data Breach report.

RISK MANAGEMENT

"It's not a matter of whether you will be breached, but when you will be breached," Hoffman says. "And not having a plan in place makes the first time you get breached a nightmare, if you're not ready.

Timmel says that while data breaches perpetuated by hackers against large corporations make headlines, about 40 percent of breaches are the result of misplaced files or lost mobile devices such as laptops. In 2006, Starbucks Corp. misplaced several laptops that contained approximately 60,000 employee files with Social Security numbers and addresses.

"You lose a laptop, you lose a flash drive, you send an email that has an attachment and you try to send it internally and it gets sent externally. Those types of mistakes are a significant exposure," Timmel says. "Just because you lose that information and it's a mistake, does not exempt you from complying with federal and state laws."

Cyber risk can be mitigated by performing risk assessments, managing data safely, and having plans in place to respond to a breach.

"It's kind of one part technology, one part diligence and effort," Hoffman says.

Companies need to decide from the outset how much protection they need and how much risk to retain. Purchasing property and casualty insurance will not be enough for a company handling large amounts of sensitive data: They need separate cyber liability coverage, because lost or stolen data can quickly become more expensive than buring down your storefront.