<div dir="ltr"><a href="https://www.riskbasedsecurity.com/2017/09/equifax-breach-cyber-insurance-to-the-rescue/">https://www.riskbasedsecurity.com/2017/09/equifax-breach-cyber-insurance-to-the-rescue/</a><br><br>Any time there is a big data breach that impacts millions of people, you can expect the lawsuits to spin up and significant costs to follow. As we mentioned in our initial post in this blog series, the first lawsuit against Equifax was filed within hours of the breach announcement on Thursday, September 7th. By the following Monday, at least 25 federal lawsuits and 2 Canadian suits had been filed. In fact, at least 250 lawsuits have been filed against Equifax since September 7th and more are sure to come!<br><br>Undoubtedly, this is going to be an extremely costly event. So much so that Equifax has already taken the step of posting a statement to investors (PDF), advising them of the breach and its potential financial implications. From the statement:<br><br>9. Do you have an estimate of the costs you expect to incur related to the cybersecurity incident, including timing? Does Equifax have cyber insurance and to what extent will it offset the financial impact of this incident?<br><br>At this time, it is too early for us to provide specific estimates of the costs we expect to incur related to the cybersecurity incident. The most significant near-term costs expected to be incurred will be delivering our TrustedID Premier identity theft protection and credit file monitoring product for a period of 12 months to consumers who enroll. In addition, Equifax will incur legal, forensic consulting and other costs related to the incident. Equifax carries cybersecurity, crime, general liability and other lines of insurance, and we have begun discussions with our carriers regarding the incident.<br><br>10. 
How will you disclose the costs related to the cybersecurity incident in your financial statements and public filings?<br><br>Equifax will separately disclose costs specifically related to this cybersecurity incident, as well as any insurance reimbursements that offset these costs. These costs and reimbursements will be treated as non-GAAP items in our presentation of Adjusted EPS and Adjusted EBITDA margin. The timing of the accrual for or incurrence of related costs may differ from the timing of recognizing insurance reimbursement for those costs.<br><br>11. Do you expect this cybersecurity incident to impact your long term financial model?<br><br>Equifax remains committed to delivering on the long term financial model of 7-10% revenue growth and 11%-14% growth in Adjusted EPS on average over a business cycle. Equifax’s long term financial model reflects our continuing fundamental ability to utilize our unique and differentiated data assets and leading analytical capability to deliver high value products and services to our customers.<br><br>While the cost of a data breach has been, and still is, highly debated, no one can discount that a data breach does cost money. Luckily for Equifax, they have integrated cyber insurance into their risk management plan and that should help offset some of the costs, but how exactly that coverage will apply is a very curious question.<br><br>Other than confirmation that Equifax does have cyber insurance, there have been no official details provided by anyone directly involved as to how much insurance Equifax actually has or how it might respond to the many different costs this breach is generating. What we have seen so far in other published articles is that Equifax has a potential “tower” (a series of insurance policies purchased from multiple carriers) between $100M and $150M. It is rumored that Beazley is the primary carrier on the tower and the first layer is $15M. 
<br><br>Some anonymous sources have provided additional clarity about their insurance policy, and it appears that there is $130M of coverage in place. Based on all available information, the tower is expected to be structured as follows:<br><br>$5M – Self Insured Retention<br>$15M – Beazley<br>$10M – ?<br>$10M – ?<br>$15M – ?<br>$10M – ?<br>$10M – ?<br>$10M – ?<br>$10M – ?<br>$10M – ?<br>$25M – ?<br>————————–<br>$130M Total Limits
<div><br></div><div><p>For the most part, many will assume
that the normal coverages in Beazley’s cyber insurance policy (BBR)
will apply for the Equifax tower. But what is not yet clear is how these
limits will be allocated to the lawsuits and regulatory actions (a.k.a.
the liability component) versus breach response costs (a.k.a. first
party costs). Regardless, $130 million is likely to come up short
compared to the total cost of the event when all is said and done. <a href="https://www.bloomberg.com/news/articles/2017-09-09/equifax-s-insurance-said-likely-to-be-inadequate-against-breach" target="_blank" rel="noopener">A Bloomberg article</a> stated as much when it reported that the cyber policy Equifax has in place was “<i>likely inadequate to cover the credit-reporting company’s costs</i>”. This was further supported by the Equifax statement:</p><blockquote><p>“Our property and
business interruption insurance may not be adequate to compensate us for
all losses or failures that may occur,”</p>
<p>“Also, our third-party insurance
coverage will vary from time to time in both type and amount depending
on availability, cost and our decisions with respect to risk retention.”</p></blockquote><p>So, if $130M is not adequate, then what
amount should Equifax have had in place? We decided to look at some cost
estimates based on studies and models that have previously provided
Cost Per Record numbers.<br></p><table border="1"><tbody><tr><td><b># of Records</b></td>
<td><b>Cost Per Record</b></td>
<td><b>Estimated Cost</b></td>
<td><b>Reference</b></td>
</tr>
<tr>
<td>143,000,000</td>
<td>$0.09</td>
<td>$12,870,000</td>
<td><a href="http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=http%3A%2F%2Fwww.verizonenterprise.com%2Fresources%2Freports%2Frp_data-breach-investigation-report_2015_en_xg.pdf&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c" target="_blank" rel="noopener">Verizon DBIR 2015</a></td>
</tr>
<tr>
<td>143,000,000</td>
<td>$0.58</td>
<td>$82,940,000</td>
<td><a href="http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fwww.csoonline.com%2Farticle%2F2909613%2Fcyber-attacks-espionage%2Freport-average-cost-per-record-breached-is-58-cents-discovery-times-are-down.html&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c" target="_blank" rel="noopener">Verizon 2015</a></td>
</tr>
<tr>
<td>143,000,000</td>
<td>$5</td>
<td>$715,000,000</td>
<td><a href="http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fnetdiligence.com%2Fwp-content%2Fuploads%2F2017%2F03%2FCyberLiability-0711sh.pdf&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c" target="_blank" rel="noopener">NetDiligence 2011</a></td>
</tr>
<tr>
<td>143,000,000</td>
<td>$60</td>
<td>$8,580,000,000</td>
<td><a href="http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fwww.ponemon.org%2Flocal%2Fupload%2Ffile%2F2011_US_CODB_FINAL_5.pdf&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c" target="_blank" rel="noopener">Ponemon Direct Cost 2009</a></td>
</tr>
<tr>
<td>143,000,000</td>
<td>$141</td>
<td>$20,163,000,000</td>
<td><a href="http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fwww.ibm.com%2Fsecurity%2Fdata-breach%2F&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c" target="_blank" rel="noopener">Ponemon 2017</a></td>
</tr>
<tr>
<td>143,000,000</td>
<td>$158</td>
<td>$22,594,000,000</td>
<td><a href="http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=http%3A%2F%2Fwww.csoonline.com%2Farticle%2F2926727%2Fdata-protection%2Fponemon-data-breach-costs-now-average-154-per-record.html&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c" target="_blank" rel="noopener">Ponemon 2015</a></td>
</tr>
<tr>
<td>143,000,000</td>
<td>$200</td>
<td>$28,600,000,000</td>
<td><a href="http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fwww.cnet.com%2Fnews%2Fdata-breaches-cost-6-6-million-on-average-survey-finds%2F&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c" target="_blank" rel="noopener">Ponemon 2009</a></td>
</tr>
<tr>
<td>143,000,000</td>
<td>$964.31</td>
<td>$137,896,330,000</td>
<td><a href="http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fnetdiligence.com%2Fwp-content%2Fuploads%2F2016%2F05%2FNetDiligence_2015_Cyber_Claims_Study_093015.pdf&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c" target="_blank" rel="noopener">NetDiligence 2015</a></td>
</tr>
<tr>
<td>143,000,000</td>
<td>$17,000</td>
<td>$2,431,000,000,000</td>
<td><a href="http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fnetdiligence.com%2Fwp-content%2Fuploads%2F2016%2F10%2FP02_NetDiligence-2016-Cyber-Claims-Study-ONLINE.pdf&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c" target="_blank" rel="noopener">NetDiligence 2016</a></td></tr></tbody></table><p>While <a href="http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=http%3A%2F%2Ffortune.com%2F2015%2F04%2F24%2Fdata-breach-cost-estimate-dispute%2F&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c" target="_blank" rel="noopener">there are disputes</a>
on what the proper cost per record post-breach estimate should be,
based on the table above using multiple data points from previous
studies, it becomes clear quickly that $130M in coverage would not be
sufficient given the amount of data compromised. </p><p>Certainly the decision to purchase
$130 million or more of coverage was aided by the brokers that placed
this coverage and further validated by the financial decision makers
within Equifax. It’s also possible this is the most coverage Equifax was
able to obtain. What is certain is that there are few companies with
more first-hand knowledge than Equifax when it comes to understanding
breach response costs.</p><p>In fact, <a href="http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fwww.beazley.com%2Fdocuments%2F2014%2F019_Beazley_BBRenhancementsCanada.pdf&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c" target="_blank" rel="noopener">Equifax has been a partner of Beazley’s</a>
– yes, the very same Beazley that is said to provide the first layer of
cyber coverage to Equifax – providing breach resolution and mitigation
services on behalf of policyholders since at least May of 2014. What’s
more, Equifax describes themselves as data breach specialists, going so
far as to say they are <a href="https://www.equifax.co.uk/data-breach/react.html" target="_blank" rel="noopener"><i>“ideally placed to help businesses if they experience a data breach.”</i></a> With
such deep roots in the cyber insurance and breach response industries,
Equifax should have been well informed as to potential costs.</p><p>The most likely component of a
cyber insurance policy to pay out after a breach is the first party, or
breach response, coverage. This includes the various costs that are
incurred by the impacted organization for things like the forensic
investigation, credit monitoring, notification and call center support,
and identity protection services – all activities currently underway at
Equifax. Third-party costs have not yet been as impactful, as many
lawsuits face an uphill battle in proving actual damages from the breach
as is evidenced by the failed attempts against <a href="http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fwww.databreachtoday.com%2Fhorizon-bcbs-breach-suit-dismissed-a-8083&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c" target="_blank" rel="noopener">Horizon BCBS</a>, <a href="http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=http%3A%2F%2Fwww.businessinsurance.com%2Farticle%2F20170503%2FNEWS06%2F912313250%2FSchnuck-Markets-data-breach-lawsuit&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c" target="_blank" rel="noopener">Schnucks</a>, and <a href="http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fwww.hipaajournal.com%2Fcarefirst-inc-data-breach-lawsuit-dismissed-lack-standing-3508%2F&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c" target="_blank" rel="noopener">CareFirst</a>.</p></div></div>