[BreachExchange] Target’s Cyber Insurance: A $100 Million Policy vs. $300 Million (So Far) In Costs

Mon Apr 11 19:04:47 EDT 2016

http://www.jdsupra.com/legalnews/target-s-cyber-insurance-a-100-million-76448/

When it comes to buying cyber insurance, businesses can take comfort that
they have mitigated the financial risks that come with a data breach.  Just
not all of them.

Target Corporation’s high-profile hack is a case in point.  In a securities
filing last week, Target said costs associated with its 2013 holiday season
data breach – which exposed the personal information of more than 100
million customers – are approaching $300 million.  As of January 2016,
Target has incurred $291 million in breach-related costs including legal
fees, crisis communications and forensics costs.  Of that amount, less than
one-third or about $90 million is expected to be covered by cyber
insurance.  At the time of the breach, Target had $100 million in cyber
insurance coverage from multiple underwriters, on top of a $10 million
deductible.

According to its public filings, Target’s cyber insurance policy contained
a $50 million sublimit for settlements with payment card networks.  In
2015, Target entered into settlement agreements with all four of its major
credit card providers, which are in various stages of court approval.
Visa, for example, cut a $67 million deal with Target.  MasterCard later
entered into a $19 million settlement.  But Target hasn’t disclosed whether
its settlements with the credit card companies will come from a portion of
the cyber insurance, subject to the sublimit, or if those settlements will
be funded by other sources (such as its corporate general liability policy
or from its operations).

And the financial pain isn’t close to over.   Although Target has resolved
many of the more than 100 lawsuits filed after the breach, it still faces
several shareholder class action lawsuits, a separate lawsuit filed in
Canada and ongoing investigations by State Attorneys General and the U.S.
Federal Trade Commission.

Several industry analysts forecast that Target’s breach-related losses will
reach $1 billion.  After disclosure of the breach in early 2014, Target’s
profit was cut in half – down 46 percent over the same period the year
before.

The “hard” costs covered by cyber insurance oftentimes are only the tip of
the iceberg.  Cyber policies don’t usually cover intangible harm like lost
sales, plummeting customer goodwill and trust or damage to the brand.  Most
policies also exclude some forms of major attacks like state-sponsored
espionage or ransomware – which has been on the rise especially in the
healthcare industry.

Target’s experience with cyber insurance isn’t uncommon.  It’s a
fast-growing and evolving market with dozens of underwriters offering
coverage.  With the increase in headline-grabbing breaches and the
sophistication of cybercriminals, demand for coverage is high and business
brisk. Total cyber insurance premiums paid in 2014 were about $2.5 billion
and the market is expected to reach $7.5 billion by 2020.  In comparison,
cybercrime costs the global economy about $400 billion per year and that
number isn’t expected to slow anytime soon.

One expert told me that the most cyber insurance an organization is likely
to acquire is in the $300 million range – using multiple underwriters.
That’s significantly less than the billions of dollars’ worth of coverage
available for other organizational risks such as property and casualty
damage.

The cyber policy coverages, exclusions and premiums vary widely.  The more
comprehensive policies reimburse for forensics firms, notification to
customers and credit card monitoring for victimized customers.  Some
policies coverage legal fees.  Much is open to negotiation and some of the
risks might even be covered by other policies already in place such as
general corporate liability or error and omissions coverage.

If there’s a lesson to be taken from Target’s experience, it’s that not all
cyber insurance policies are created equal.  While cyber coverage can be an
important risk allocation tool, it is only one piece of a much larger
puzzle.  Organizations need to start with an overall cyber risk analysis –
looking not only at IT risks but at exposure to governance, regulatory and
legal liability – to fully assess and identify the most likely risks in the
event of a cyber event and consider the coverage that best fits their own
risk profile.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160411/10417d99/attachment-0001.html>