A wide variety of insurance products typically floods the markets in response to catastrophic incidents. An earthquake prompts earthquake coverage. Hurricanes prompt hurricane insurance. Fires prompt fire insurance. Cybersecurity—the newest frontier and the most serious threat facing banks today—is no different.
According to the FDIC, “internet cyber threats have rapidly become the most urgent category of technological challenges facing our banks,” and cybersecurity “needs to be engaged at the very highest levels of corporate management.”
That observation is incontrovertible. Banks are obviously rich targets for cyber intrusions. Their information systems contain a treasure trove of account numbers and personal information for criminals to use or sell to obtain the profits that motivate the crimes.
Cybersecurity expenditures by banks have grown exponentially as criminals have developed new and more intrusive tools. J.P. Morgan Chase, for example, will increase its expenditures on cybersecurity by $500 million over the next few years. But while proactive steps can mitigate the risks, the cost of responding to the inevitable breach remains prohibitively high. And that is where cyber insurance comes in.
Financial cyber nightmare
A cyber intrusion can quickly become a costly disaster. Once a data breach has occurred, companies incur immediate costs in breach identification, forensic analyses, and security measure implementation. Additional costs come from state and federal notifications, consumer communications, and maintenance.
That’s just the beginning. After a breach, banks may be faced with class-action litigation over potential violations of federal or state statutes; common law negligence, fraud, or breach of contract suits; or shareholder derivative suits and other litigation, such as contractual disputes with third-party vendors or disputes with other members of payment card systems or payment card brands.
And now, more than ever, companies incur costs in responding to congressional and other federal investigations, as well as state regulatory inquiries.
Target’s 2013 data breach, for example, has cost the retailer more than $236 million, with some analysis projecting that amount to increase to $1 billion. Home Depot’s recent breach has resulted in over 100 separate lawsuits against the home improvement retailer. [Editor’s note: Some of those suits have been pressed by banks.]
The Ponemon Institute estimates that the average cost in the United States for a single data breach of fewer than 100,000 records in 2013 was $5.85 million. Of this total, 33% was deemed “direct” costs, which are generally insurable. That finding does provide a ray of hope that some of these costs may be mitigated.
Where insurance fits
A Treasury Department official recently urged banks to consider purchasing cybersecurity insurance in light of recent high-profile cyber attacks targeting financial institutions. But cyber insurance is not a replacement for basic proactive steps that financial institutions should take to mitigate their risks. It is merely a part—albeit an important one—of an information security plan.
Each bank should create such a plan and regularly test its effectiveness to ensure that the bank can adequately prevent (and when necessary respond to) a cyber attack.
The plan should:
• Name an information security leader;
• Require a systems assessment;
• Implement an information security program;
• Create and execute a crisis response plan;
• Review third-party vendor relationships;
• Evaluate and obtain cyber insurance.
Performing a systems assessment is key. It provides understanding of where key information is located; who has access to that information; what system weaknesses exist; and what effect a breach would have on the bank.
Without a plan, there is no way to properly evaluate whether a cyber insurance product will provide a bank with what it needs. So these proactive steps are a condition precedent for any consideration of cyber insurance.
At their core, cyber insurance policies are designed to cover three types of expenses associated with a data breach, depending on the type of policy chosen:
1. Response and investigation costs.
2. Litigation defense and damages.
3. Regulatory defense and penalties.
Typical cyber policies in the current market provide “first-party” coverage, “third-party” coverage, or both.
First-party coverage typically covers response costs, such as hiring professionals to assist in the investigation and response. Such experts can include attorneys to advise on notification and other legal requirements, public relations firms, crisis management firms, and computer forensic firms. This coverage also includes notifying affected customers; providing credit monitoring services; establishing call centers; creating security and incident response templates; and restoring lost data.
Third-party coverage typically covers litigation expenses and damages. Certain third-party policies may provide coverage for costs of regulatory defense, fines, and punitive damages.
There are many factors for a bank to consider when evaluating cyber insurance policies. These factors are largely specific to the business itself. Cost of premiums is certainly a driving factor, as are coverage options, risk complexity, and variance in carrier offerings. The lack of historical data and uniform coverage practices does not help ease any concerns that banks may have.
Common areas for evaluation include:
• What notification obligations a financial institution anticipates.
• Whether a bank should obtain retroactive coverage for undetected breaches that occurred before the policy’s effective date. Because data breaches are often undetected for long periods of time, a bank may not have confidence that its systems have not been breached.
• Whether a policy includes coverage for reputational harm or lost sales and profits relating to harm caused by a cyber attack, and what methodology an insurer uses to calculate lost sales and profits.
• Whether a policy extends to third-party vendors that have access to sensitive bank information.
• Whether exclusions that typically apply to general insurance policies continue to apply to cyber insurance policies. Examples include exclusions for employment practices, antitrust violations, or ERISA violations—and even for intentional acts by directors or officers.
When selecting cyber coverage, banks should take a cross-disciplinary approach. The executive or team directing the project should consult several different departments, including those responsible for information technology, privacy, compliance, human resources, business operations, legal, and risk. By gathering information from these different areas, banks will be better able to create a comprehensive cyber risk profile with a greater understanding of their cybersecurity needs.
In addition, financial institutions should look to fill any gaps in coverage under their existing general commercial liability policies with the available cyber insurance coverage options.
Trends in cyber risk
The cybersecurity insurance industry is evolving at a rapid pace, and banks should soon begin to benefit from reduced premiums as competition increases in the market. However, because cyber insurance is still in its infancy, policy terms are often specifically tailored to the insured’s unique risks as a result of negotiations between the insurer and the insured. A bank should thus negotiate the precise coverage that meets its needs.
The cyber insurance market, which included total premiums of approximately $600,000 in 2009, is now expected to grow to $2 billion in 2014, as more companies build their information security plans.
Robert Parisi, network security and privacy practice leader for insurance broker Marsh USA, told CNBC that the firm saw a 21% increase in cyber insurance sales in 2013, and sales for the first half of 2014 doubled what they were for the same time in 2013. At AIG, approximately 18% of cyber insurance coverage is written for financial services firms.
Nevertheless, cyber insurance appears to lag behind other types of insurance in the amount of coverage providers offer. As reported in a Wall Street Journal blog, AIG CEO Peter D. Hancock said the largest coverage he is aware of is for a bank that has about $400 million in coverage. In the same blog, Marsh’s Parisi said he believes the largest amount of cyber insurance in the market may exceed $500 million, although most large policies are set at approximately $100 million to $200 million.
The increase in sales activity has been met by a dramatic increase in the number of claims filed with insurers. Geoff White, the underwriting manager for cyber, technology, and media at Lloyd’s syndicate Barbican, said in a Bloomberg View column there was a 50% increase in the amount of such insurance submissions filed in the first three months of 2015, as compared to the first three months of 2014. As claims data on cyber insurance policies has become more developed, it has become easier to see where the costs arise. In 2013, for example, the average cost per claim was $3.5 million. The average cost of legal defense was $574,984, while legal settlements averaged $258,099. Crisis services cost an average of $737,473, which included forensics, notification, call centers, credit monitoring services, and legal counsel.
While the increases in market size and claim submissions are important data points, neither really indicates the extent to which insurance companies are fully covering the costs of cyber incidents under their cyber policies.
Courts are generally examining cyber coverage under traditional insurance policies. There has not yet been significant litigation on coverage under cybersecurity policies. (Sony’s 2013 PlayStation breach was determined to be not covered by a traditional policy.)
So broad-based statistical information is not readily available. And even when litigation begins, there will be significant variability between each policy, because there are no real standards as to underwriting, encryption, crisis response, security technology, and other considerations that underlie scope of coverage.
What we can tell now is only that, without a baseline history of losses related to cyber attacks, it is nearly impossible to determine the appropriate amount of coverage—which is why only portions of the cost of the Target and Sony breaches appear to be covered by insurance.
What you can expect
Cyber insurance does not, by itself, protect a bank from data breaches. However, according to Deputy Treasury Secretary Sarah Bloom Raskin, “qualifying for cyber risk insurance can provide useful information for assessing your bank’s risk level and identifying cybersecurity tools and best practices that you may be lacking.” Similarly, seeking and obtaining cyber insurance may serve to proactively assist the bank’s ability to handle regulatory reviews in this area.
Banks applying for cyber coverage should thus be prepared to provide comprehensive and specific information regarding their cybersecurity practices, such as the composition and budget of their security departments; technical, administrative, and physical security measures; and data management and retention policies and practices.
Banks also should be prepared to provide insurers with bank policies on privacy and data use; network security; training; record and information management compliance and data destruction; and incident response plans.
In this way, the act of applying for cyber insurance will help a bank create an information security plan, and the act of obtaining cyber insurance will help a bank mitigate the eventual—and inevitable—data breach.
Bracewell & Giuliani LLP Partner Shamoil T. Shipchandler, a former U.S. Attorney’s Office deputy criminal chief for the Eastern District of Texas, represents clients in complex white-collar and cybersecurity matters. Associate Patrick R. Hanchey counsels and represents banks and other financial institution clients in matters involving state and federal banking laws, regulations, enforcement actions, and other corporate activities.