In addition to gaining massive media attention, the Target data breach is also changing the nature of Cyber Risk Insurance. Key changes, discussed below in more detail:
- Risk Management works – this could have been prevented
- Liability coverage in a Cyber Risk Insurance policy is now critical
- Underwriters will accelerate their review of their own offerings – underwriting, policy forms and pricing – and the market will tighten
- Most companies will buy Cyber Risk Insurance
- Smaller organizations will closely review the coverage they have – is it adequate?
The data breach itself is fascinating – see the accounts at Bloomberg Businessweek and Krebs on Security for specifics of what happened. It shows that risk management works – this breach could have been prevented, according to Bloomberg Businessweek:
The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.
This breach may be the tipping point for the liability portion of Cyber Risk Insurance policies. A large part of losses to date has been for breach notification costs – first party losses to help victims monitor their credit. It now looks like the Target breach could result in significant liability losses. According to Bloomberg Businessweek:
More than 90 lawsuits have been filed against Target by customers and banks for negligence and compensatory damages.
With huge losses expected within the liability part of the policy, underwriters will reassess the liability coverage provided in most Cyber Risk policies. This will likely impact the Cyber Risk Insurance market as the competitive landscape shifts.
The magnitude of the breach and media attention will push the last remaining organizations off the fence and they will start buying coverage. Cyber Risk Insurance is easy to obtain, comprehensive and relatively inexpensive. For the moment. According to the Wall Street Journal, insurance buying is increasing:
The Target data breach was the equivalent of 10 free Super Bowl ads
Not surprisingly, smaller organizations have much the same exposure as larger organizations. According to Robert Hartwig, President of the III:
Small businesses are transacting more of their business online [and] have many of the same exposures as a company like Target, just on a smaller scale
Coverage is becoming increasingly important. Policy forms vary, with some forms providing significantly more coverage than others. And some smaller organizations are relying on low-limit endorsements for coverage. Policy extensions typically provide limited coverage, and GL insurers are expected to begin rolling out specific Cyber Risk exclusions soon. And many smaller organizations do not buy Cyber Risk Insurance, or are not properly covered.
Tennant Risk Services is a Cyber Risk Insurance specialist. As a specialty wholesale broker and underwriting manager, Tennant Risk delivers expertise, markets and exemplary services to our retail insurance agent clients in the placement of professional liability insurance (E&O, D&O, EPL, Cyber). We excel at hard to place accounts, including Cyber Risk Insurance. Review our expectations here.