Insuring Your Cyber World

Adam Maas struggles to think of someone who doesn’t need cyber liability insurance.

“Um … a caddy?” laughed Maas, commercial risk manager for the Larkin Group in Traverse City.

If a business has a computer, and if that computer is connected to the internet, there’s a risk, said Maas and others in the field. Just look at the almost daily reports of data breaches (Target, Home Depot), they argued.

Yet only 30 percent of businesses bought some form of cyber insurance in 2013, according to a study by the Traverse City-based Ponemon Institute, which conducts independent research on privacy, data protection and information security policy.

The cost for insurance is “very surprisingly affordable” for what it covers, Maas said, with premiums starting at $1,000 a year. And what it covers is scary to think about: Data breach, content injury, forensic costs, even cyber extortion.

Cherry Republic has yet to buy cyber insurance, although it will likely happen in the next few years, said Andrew Pritchard, digital marketing manager. He said the cost of the premiums hasn’t yet offset the cost of any perceived damages.

“Cyber insurance doesn’t actually offer any protection against the threat; it just lets you recoup losses and costs,” he said. Instead, Cherry Republic, one of the region’s largest online retailers, takes precautions to make sure its data stays safe, including not storing any customer credit card information. Those numbers are on someone else’s servers, Pritchard said.

Munson Healthcare, on the other hand, has had cyber insurance for about three years, and reviews its coverage each year. There are three basic components to its coverage, said Bob Zimmerman, controller.

– First-party coverage protects Munson against loss and damages, including the loss of income if the hospital’s computers have to be shut down or the cost of fixing them.

– Third-party coverage is for customers or clients who may be damaged by a data breach.

– Notification and monitoring covers the cost of letting everyone know what happened, plus credit report monitoring. “Over an extended period of time, that can be expensive,” Zimmerman said.

And yet, Munson has never had to file a claim. And none of Maas’ customers have ever filed a claim either.

So is the $1,000-plus a year worth it?

According to the Ponemon Institute, the cost of a data breach in the U.S. in 2013 averaged $201 per record, making it the second-most expensive country after Germany. The study, sponsored by IBM, tallied both direct and indirect expenses. Direct expenses include things such as forensic experts (to find out how the breach happened), hotline support, free credit monitoring subscriptions and discounts on future products and services. Indirect costs include in-house investigations and an “extrapolated value of customer loss.”

In Munson’s case, there are “hundreds of thousands” of sensitive records, Zimmerman said. The hospital is close to having everything transferred to electronic medical records, putting it in the “most wired” category of its peer group, he said.

Ponemon’s study shows there’s a 19 percent chance of a company with at least 10,000 records having a data breach over the next two years, but that figure varies by industry. Public sector organizations are at the most risk – a 23.8 percent chance – while energy and utilities have only a 7.5 percent chance.

Garret Boursaw, sales manager at the Ford Insurance Agency in Traverse City, said most independent insurance agencies sell cyber liability insurance through their partners, such as AIG, Cincinnati and Auto Owners. Local agents for State Farm and Farm Bureau said they don’t offer cyber liability insurance, but could arrange for it through partners as well.

Boursaw said he’s found that smaller businesses are hesitant to buy cyber insurance, but “there’s nothing stopping a small business breach.”

Boursaw said even a farm with a community supported agriculture (CSA) service that has its customers’ credit card information stored could be at risk, or a reporter who has a list of contacts or sent emails. He said it’s important to craft a policy that fits the business and pay attention to exclusions, but that the industry may standardize cyber policies soon.

The cost of a policy depends on the industry and the amount of data, plus what technological safeguards are in place. Insurers will ask about firewalls, software, whether there’s a dedicated IT staff, any past instances, network setup and how much info and data is processed each month.

According to Ponemon, if strong measures and plans are in place, the average cost of a data breach can be reduced by as much as $21 per record. Appointing an information security officer to lead the response team cuts it even more.

Maas has been dealing with cyber policies for at least three years, and it was on his radar for a couple years before that.

“It’s really because of the advent of how much is digital, how much has to be protected,” he said. “There are always going to be people who are going to find ways to dig into things,” so having a solid system and doing everything possible to safeguard data and information will keep premiums low.

Munson’s Zimmerman said it’s a “fairly extensive application” that is updated annually to decide the right coverage for the hospital as well as how much risk the insurer is taking on. Munson’s insurance covers any office or practice owned by Munson; doctors in independent practices have to find their own. Munson’s insurer is Beazley, “not the largest, but it’s specialized,” Zimmerman said.

He recommends finding an insurer that’s ranked by the A.M. Best Company and making sure the insurer has an A rating or better.