For small-to-midsize businesses, the ongoing costs of responding to a data breach can dwarf the expense of the data loss itself. Now new insurance instruments are being created to help limit the damage.
The theft yesterday of more than 450,000 user names and passwords from Yahoo also exposed the e-mail addresses and passwords of users of Gmail, AOL, Hotmail, Comcast, MSN, and several other e-mail services. In other words, if people subscribed to the breached Yahoo service with the same passwords they’ve used for their own e-mail accounts, then those passwords are now in the possession of the hacking group D33D Co. that breached Yahoo and posted those names and passwords online. And if those people used the same passwords (as many people do) to access their bank accounts, credit-card payment information, or their employers’ business systems, then they’d better change those passwords pronto, as Yahoo advised in an official statement.
Unsurprisingly, Yahoo has received a great deal of criticism in the past 24 hours for failing to notify its users expeditiously and, according to security provider TrustedSec, for storing the passwords unencrypted, in plain text. Undoubtedly, in the coming days Yahoo will receive more flak for both its security practices and its response to the breach. (Yahoo News’s home page today takes no notice of the breach; it’s mentioned only in the “Tech” section.) All this will be costly to Yahoo in terms of cash and reputation.
Data breaches — and the business’s response to them — are a concern not only for large enterprises such as Yahoo. According to Verizon’s 2011 Data Breach Investigations Report of 759 events, 63% of breaches in 2010 involved organizations with no more than 100 employees. And a 2011 survey by security provider Symantec of 1,288 small and midsize businesses found that the reported average cost of cyber attacks was $188,242.
All businesses are vulnerable to cyber crime, but smaller businesses have fewer resources to deal with it. Consequently, they are increasingly the target of cyber criminals and, as Larry Ponemon, chairman and founder of the Ponemon Institute, a privacy and data protection research group, says, “Small and midsize companies can lose as many records as large ones.” As the cost of data breaches scales with size, the more records that are compromised, the more expensive it gets.
Insuring one’s businesses against cyber loss is not new, but historically it’s been costly. “You can always get insurance for anything,” says Ponemon. “But if you go to a specialty insurer, the premiums are high, as it’s difficult to model exposure” in the cyber world. And that makes underwriting difficult.
According to Steve Vallone, a broker at World Wide Facilities, a wholesale specialty insurance brokerage, the tough part for an underwriter “is finding out where the risk is.” Some carriers, says Vallone, figure out how to charge based on a company’s revenue. “But that doesn’t bring in the whole picture: how sophisticated your IT is; how up-to-date your systems are; what information you keep on those systems; whether you keep customer information on file or you give it to third parties,” he says.
Vallone, however, sees the discipline of assessing cyber risk maturing as insurers become more familiar with IT security best practices, allowing them to simplify the insurance-application process and quote lower premiums. Meanwhile, Betterley Risk Consultants’s 2012 report on the cyber insurance market notes that insurance carriers are reporting “much of their growth coming from small-to-midsize companies newly aware of the possibilities of liability, and especially a breach and resulting response costs.”
Those response costs are what Beazley, a specialty insurer, is focusing on in its new Breach Response product, aimed at small-to-midsize businesses, which bundles liability insurance and response services at a minimum $1,000 annual premium. According to Jamie Orye, who manages Beazley’s U.S. Private Enterprise Technology, Media and Business Services underwriting team, SMBs responding to data breaches by themselves often make mistakes and incur costs they could otherwise avoid. As the Betterley report points out, “CFOs, Treasurers, and Risk Managers who are not so sure that the case for [cyber] liability protection has been made . . . can easily see how post-breach costs would be a burden.”
After becoming aware of a data breach, Orye says, SMBs are often in a rush to send out letters to their affected customers. But “the law identifies what can and can’t be put in a letter. The letters themselves present a risk of violating regulations,” he adds.
Orye cites a California hospital that thought it had a breach last year that exposed the information of 500,000 patients. “With the best intentions,” he says, it immediately notified all of them. It turned out the breach did not expose any records.
“It was a public-relations nightmare,” Orye says. Along with the expense the hospital incurred notifying all those patients, it had to deal with a raft of lawsuits filed under the California Confidentiality of Medical Information Act, which recognizes damages for exposed medical records. That those records were not, in fact, exposed was determined only after the fact, and after the lawsuits had been filed and publicized.
Beazley’s Breach Response package includes attorneys “specialized in data security laws and regulations” who can write (and determine when not to write) those letters, says Orye, and also provides computer-forensics services, handles mailing services, and sets up call-center response teams.
“Small businesses have to understand that it’s almost impossible for them to get their arms around what needs to happen postbreach,” Orye says.
World Wide Facilities’s Vallone believes cyber and breach insurance, especially in the SMB space, will become as prominent as employment practices liability insurance, which used to be elective and is now almost universal. And he sees Beazley’s full-service package as a model well constructed for small business needs.
Without that kind of coverage, Vallone says, “If you had a breach, you had to hire lawyers; maybe hire an IT consultant to figure out what went wrong and how to fix it. That’s a lot of work. Then you have to consider hiring a PR firm. What do you do? There’s a lot of uncertainty. In a traditional policy, you pay for all that, and then submit a bill to the insurer.” But before that happens, the business is focusing on matters other than generating revenue and servicing customers.
“With employment liability,” says Vallone, “if you’re going to fire an employee, you can call a hotline to get best practices so you’re not responding on a gut level and risking getting sued. I see cyber moving in that direction.”
When looking for breach insurance, Ponemon suggests asking the following questions:
- How many breaches have you handled? (“There are a lot of moving parts — regulatory bodies; notification letters — it’s not always linear.”)
- Have you dealt with breaches in my industry? (“No two breaches are alike.”)
- Who are your vendors? (“Some insurers claim to offer help. What they’re really saying is you go out and find forensics help and we’ll cover the cost.”)
- Am I covered for third-party data loss? (This is critical in the cloud era. “Amazon, Rackspace, Teradata — they’re building cloud safely. But for lots of providers, it’s like a hotel in Calcutta in the ’60s. It’s not an environment that’s figured out security hygiene.”)