The lawsuits that often follow a cyberattack can be just as devastating as the attack itself. Cyberrisk insurance could help.
In December 2011, computer hackers broke into the network of Stratfor, an Austin-based company that provides global intelligence services to individuals and businesses. The damage was staggering. The hackers stole information related to 90,000 credit card accounts. Five million email messages were stolen and subsequently published by WikiLeaks. The attack also destroyed four of the company's servers.
In a surprisingly forthcoming video message to the company's customers, Stratfor founder and CEO George Friedman explained in great detail the particulars of the attack. He said, "We knew our reputation would be damaged, all the more so because we had not encrypted the credit card files. This was a failure on our part. As CEO of Stratfor, I take responsibility. This failure created hardship for our customers, and I deeply regret that it took place."
Apparently, that apology wasn't enough. Stratfor was hit with a class-action suit from its customers for more than $50 million in damages.
Stratfor's case demonstrates the unfortunate fact that if your company is hacked or fails to protect privacy data, you should not expect sympathy from your customers. In fact, you should brace for a lawsuit.
One way companies can prepare is by buying cyberrisk insurance. Though it has been around since the mid-'90s, cyberinsurance has only recently started to work its way into the mainstream and is now offered by companies such as the Hartford Financial Services Group and Travelers.
The insurance protects organizations from the fallout that often results from the inadvertent disclosure of their customers' confidential information, such as Social Security numbers or bank account information. It can cover you for damages and loss, as well as court costs, should your customers or employees decide to file suit against you in the event their information is leaked.
"We have seen more demand for [cyberinsurance] across all industries and business sizes," says Tim Francis, enterprise cyberlead for Travelers. "More and more people are aware of their exposure and have really started thinking about what is the right insurance for that."
The high costs of dealing with security breaches have helped fuel demand for cyberrisk insurance. The average cost of dealing with a single security breach was $3.7 million, according to a 2012 study performed by NetDiligence, a cyberrisk-management firm. The biggest component of that cost was legal fees, which averaged $582,000 per incident.
Cyberattacks against large corporations may get the media attention, but small businesses aren't immune from hackers. Nearly 40 percent of all targeted cyberattacks take aim at businesses with fewer than 250 employees, according to a June 2012 study conducted by cybersecurity firm Symantec. That rate has doubled from a year ago.
If your business is attacked, your customers have more recourse than they once did. Forty-six states and the District of Columbia now have breach notification laws requiring businesses that store personal customer information to notify customers when their information has been compromised. A handful of states are more stringent, requiring businesses to have a written security policy and specific kinds of security controls in place.
Generally, cyberinsurance is divided into two types of coverage--first party and third party. First-party coverage insures businesses against the costs they may face in the event they are hacked. That means it will pay the policyholder for the material costs of a break-in, some legal fees, and fees for forensic analysis, which is used to determine the nature and extent of the break-in.
Third-party coverage is for the liability related to a breach in security or privacy. This includes the lawsuits that may result if customer data is leaked via a security breach, malware, virus, or other negligence on the part of the company.
The cost of cyberinsurance varies depending on the size of your business and the industry you are in, as well as the amount and type of information your business stores. "A key metric to look at is the type of business you are in and how much personal information you have in your care, custody, and control," says David Beyer, managing member of Digital Risk Resources, a Novato, California, company that develops cyberinsurance products for insurance companies. Beyer says, "If there are lots of employees and lots of information, the greater the exposure is."
Of course, all businesses have an obligation to protect customer data, but businesses such as restaurants and retailers may require less coverage than do financial institutions and medical companies, which have reams of data about their customers and stricter privacy laws to follow.
Coverage typically comes in preset amounts determined by the insurance carrier. You should expect to pay less than $150 annually for about $25,000 worth of coverage. For multimillion-dollar coverage, the annual premium can be thousands of dollars.
By the Numbers
In 2011, there were more than 414 reported cybersecurity breaches that exposed roughly 23 million confidential records. Here's a look at some of the costs that occur when privacy is lost.
Average total cost of a security breach: $3.7 million
Average cost of a legal defense: $582,000
Average legal settlement: $2.1 million
Which industries are affected most by cybersecurity lawsuits?