A uniform set of national cyber security standards may result if an interagency government council evolves to the point of establishing minimum guidelines. The goal would be to protect against data breaches in the nation’s network for communications and major utilities.
Insurance coverage for cybersecurity policies may benefit from national standards, the article claims, because the standards would contribute to a framework for insurance policy provisions.
Consideration of national cybersecurity policies follows closely on the SEC’s October 13, 2011 release of the “CF Disclosure Guidance: Topic No. 2” relating to cyber-security risks. “Registrants should address cybersecurity risks and cyber incidents in their MD&A if … costs … represent a material event, trend, or uncertainty …,” according to the SEC.
You can also read the White House analysis titled “Cyber-Insurance Metrics and Impact on Cyber-Security.”
Insurance Companies Continue to Launch Cybersecurity Insurance
NAS Insurance Services, Inc. (www.nasinsurance.com) recently announced the availability of BrandGuard™ insurance coverage that pays companies for lost revenue in the event of a cyber breach. The expanded cyber liability insurance is designed to provide organizations with an extra layer of financial support while they work to restore their customers’ trust following a data security breach.
NAS policies will provide protection for privacy-related data breaches and recovery efforts, including the cost of legal support, IT forensics, public relations, customer notification, credit monitoring, identity restoration, and compensation for lost income.
Chubb, Chartis, Beazley, Philadelphia Insurance Companies, and Hiscox are among leading insurance companies for cybersecurity coverage.
Many Companies Risk Self-Insurance on Cyber Threats
While data security is increasingly recognized as a major risk factor in the world of “big data,” many companies are not yet seeking insurance coverage.
According to the 2012 Risk and Finance Manager Survey conducted by Towers Watson and released in April 2012,
Nearly three in four respondents (72%) are not purchasing a network security/privacy liability policy, virtually unchanged from last year. And those that did purchase policies (28%) opted for limits that were on the low end of the spectrum. In fact, 43% said their policies had a $1 million to $5 million limit. When asked why they had not purchased a policy, 41% believe their own internal IT department and controls are adequate, while 25% indicated they do not believe they have a significant data exposure.
The Case of Heartland Payment Systems
Heartland Payment Systems, Inc., one of the nation’s largest payments processors, publicly announced the discovery of a “Processing System Intrusion” on January 20, 2009. According to the company’s 10-K for the fiscal year ended 12/31/11, the Intrusion prompted regulatory investigations by:
- Federal Financial Institutions Examination Council
- Federal Trade Commission
- Louisiana Department of Justice Office of the Attorney General
- Canadian Privacy Commission
- Other government agencies
Since its disclosure of the Intrusion on January 20, 2009 and through December 31, 2011, the company has expensed a total of $147.1 million, before reducing those charges by $31.2 million of total insurance recoveries. The majority of the total charges, or approximately $114.7 million, related to settlements of claims. Approximately $32.4 million of the total charges were for legal fees and costs incurred for investigations, defending various claims and actions, remedial actions and crisis management services.
The Wall Street Journal CIO Blog covered the topic of data security in a May 29, 2012 article titled, “As Flame Spreads, Most Companies Lack Cybersecurity Coverage.”
About the Author: Legal marketing consultant Margaret Grisdela is available to discuss insurance defense marketing campaigns. Contact her at 1-866-417-7025 or via email.