Cyber-Insurers Feel the Brunt of Retail Data Breaches

Cyber-Insurance Providers Are Feeling the Brunt of Retailer Data Breaches – Policies Must Enforce Higher Security Standards

Who foots the bill for all of the recent data breaches? Insurance companies are delivering Cyber-Insurance policies at record rates. However, they are also paying out historic amounts of money to their clients to compensate for these breaches. Insurance companies will continue to pay out mind-numbing amounts for these breaches, and these policies must enforce higher security standards.

What are the different types of Cyber-Insurance policies and what do they cover?

  • First-party insurance typically covers damage to digital assets, business interruptions and, sometimes, reputational harm. The reputational harm is so nebulous that it is hard to quantify amounts for lost business and customer distrust. First-Party Insurance is more prevalent in the United States, due to mandatory reporting laws. HIPAA has no tolerance for lack of reporting.
  • Third-party insurance covers liability and the costs of forensic investigations, customer notification, credit monitoring, public relations, legal defense, compensation and regulatory fines.
  • Cyber-Insurance doesn't do a good job of covering intellectual property theft or the reputational damage and business downturn that can be caused by a security breach.

Find the Best Insurance Policy for Your Company

The best approach is to identify and secure the company's digital crown jewels, then quantify and insure the remaining risk, says Daljitt Barn, director of cybersecurity at PricewaterhouseCoopers. "Make sure the cyber policy wording covers your true cyber exposure," Barn says. "Challenge your corporate insurance broker to find a policy that provides a multifaceted response, including legal, PR, notification, forensics and cyber incident response." Different industries {Retail, Financial, Healthcare, Not-for-Profit, Education} have different types of coverage, so it is important to tailor your policy accordingly.

At the Risk and Insurance Management Society conference in Denver this April, about 100 risk managers were surveyed by the German company Munich Re. Seventy-seven percent said their companies planned to buy some level of cyber-insurance coverage in the next year. A survey of cyber security insurers, compiled by NetDiligence last year, showed the average data breach claim to be around $954,000 per incident.

The Policy Costs of a Data Breach

NetDiligence, in its 2013 Cyber Liability & Data Breach Insurance Claims study, further broke down the average costs of data breach insurance claims. It is important to note that the costs were much higher for larger companies. Target has spent $143 million thus far, and recognizing an insurance policy receivable offset those expenses by $38 million.

  • Average claim: $954,000 (down from $3.7 million in 2012). Average for larger companies is still $3 million.
  • Claim range: $2,500 to $20 million.
  • Median claim: $242,500.
  • Typical claim: $25,000 to $400,000.
  • Crisis services costs (forensics, legal counsel, notification and credit monitoring):
      • Average cost of crisis services: $737,000.
      • Median cost of crisis services: $210,000.
  • Legal costs (defense & settlement):
      • Average cost of defense: $575,000.
      • Average cost of settlement: $258,000.

The obvious category left out is damage to reputation. There are policies that will attempt to cover damaged reputation, but how can you predict lost future sales and lost confidence in your company's ability to secure its data environment? Customers demand safety in their transactions. Insurance companies demand due diligence from their clients in securing their data environment. What if there was a foolproof way to protect your environment, without the worry of all of these costs?

Insurance companies, it is time to demand security solutions that work. It is time to require your customers to have a security solution that actually holds up against a breach. Tokenization is that solution. Tokenization of your environment allows you to remove toxic data from your environment, while allowing unlimited flexibility in how you access, store, and secure your data. TokenEx can tokenize any data format {PCI, PII, PHI, etc.} without charging an arm and a leg. The beauty of flat rate pricing is that the majority of our customers pay for our data security platform with the reduced costs of compliance and other associated fees. Do you want to continue gambling with piecemeal security solutions that store your toxic data on-site, while not lowering your compliance obligations and scope? Visit to learn more.
