[BreachExchange] Cyber policies may not cover third-party risk

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 27 14:29:44 EDT 2016


http://www.ibamag.com/news/cyber/cyber-policies-may-not-cover-thirdparty-risk-32480.aspx

With cyber liability insurance, the devil is in the details.

Galen Hayes, owner of Hayes Insurance Agency, El Sobrante, CA, said he is
seeing significant third-party claim activity in his cyber practice.

He said many cyber liability policies are premises-specific and do not
cover losses suffered as a result of a third party being hacked, so
companies that store data in the cloud or with an off-site vendor may not
be covered if that data is compromised.

“When you think of cyber liability, most people think of something in their
office, a server that has information that needs to be protected in some
central location,” Hayes said. “But what happens is that companies are
storing their customer information in the cloud or somewhere else, and the
client doesn’t actually get hacked but the storage provider does. Somebody
could have a huge loss and not have it insured even though they have
insurance. I’ve seen this happen. Everybody we talk to, we talk about
this,” he said.

As a result of this trend, Hayes said all the cyber policies he writes
today include coverage for liability resulting from a third party being
hacked.

“I won’t sell cyber liability without coverage for third-party losses, or
the client will come looking for me,” he said.

Hayes said that the third-party vendor storing the data should be liable
and should have insurance to cover that liability, but that all too often
cloud storage vendors are underinsured.

Hayes said that a client with 5000 identities to protect would have a risk
of $1 million at $200 per identity, which he said is the approximate cost
to comply with regulations that require companies to notify everyone whose
identity has been accessed, and in most states to provide them with 2 years
of credit monitoring. That doesn’t include money for reputation
restoration, forensics, attorney fees, extortion payments, or to bring in
experts to stop or control the breach.

“$200 per record just covers identity theft itself. That is how we
calculate risk. How many records do you have times $200. There’s your
risk. You might get it for $140 to $160 if you are huge like Target. I
have clients for whom $200 per identity adds up to $15 million in risk,
and they listen to me, and pay for the insurance.

“What we find is the cloud provider might need $100 million of coverage
because they have 100 clients, who each have an average of $1 million in
risk. But the cloud provider might only have $10 million in coverage, so if
they have a big hack that takes out everything, and they have $100 million
in claims, they only get 10 cents on the dollar on the claims. The
remainder comes from my client who has to pay for the cloud provider’s
mistake. It usually works out, but a lot of people think ‘hey it’s on the
cloud. I don’t have anything to worry about,’ but they do. They don’t
understand the concept until you explain it to them.”

Hayes said that when a cloud provider is hacked, everyone storing data with
that vendor is probably hacked.

He said he has met with cloud providers but has been unable to sell
coverage to any of them. “We don’t cover cloud providers because they
are--what’s a polite word--too cheap?

“I’ve taken a run at a few of them, but then I do a risk management
analysis and I say ‘you have $75 million in risk. If everyone got hacked,
it would take $75 million to tell everyone and protect their identity.’ And
they say ‘how much is $75 million in coverage?’ and I tell them, and they
hit the floor and they pass out,” he said.

“But then they say ‘no, we have such good defense, if anyone hacked in,
we’d get them out before they got past 2 or 3 clients, so how much is $10
million?’ I tell them, and they say ‘no, no, give me $5 million. And I say,
‘you know, if you have a $20 million problem and have $5 million in
coverage you will probably sue me for not making you buy the right
insurance.’

“We have that discussion,” Hayes said. “They are aware of their risk,
because I educate them, or because they are smart tech guys and they
understand it, but they want to roll the dice and not pay for insurance.
With insurance, you either use it or you don’t. If you don’t, it is a waste
of money. If you use it, it is the best investment you ever made.

“So, I actually have talked to several cloud providers but none of them
want to pay the price for the proper coverage. So I always write them a CYA
letter. They don’t like that because they want me to be exposed while they
are exposed, but I am too smart for that after 32 years.”