[BreachExchange] Equifax Breach: Cyber Insurance To The Rescue?!

[Inga Goddijn]

https://www.riskbasedsecurity.com/2017/09/equifax-breach-cyber-insurance-to-the-rescue/

Any time there is a big data breach that impacts millions of people, you
can expect the lawsuits to spin up and significant costs to follow. As we
mentioned in our initial post in this blog series, the first lawsuit
against Equifax was filed within hours of the breach announcement on
Thursday, September 7th. By the following Monday, at least 25 federal
lawsuits and 2 Canadian suits had been filed. In fact, at least 250
lawsuits have been filed against Equifax since September 7th and more are
surely to come!

Undoubtedly, this is going to be an extremely costly event. So much so that
Equifax has taken the step of already posting a statement to investors
(PDF), advising them of the breach and its potential financial
implications. From the statement:

9. Do you have an estimate of the costs you expect to incur related the
cybersecurity incident, including timing? Does Equifax have cyber insurance
and to what extent will it offset the financial impact of this incident?

At this time, it is too early for us to provide specific estimates of the
costs we expect to incur related to the cybersecurity incident. The most
significant near-term costs expected to be incurred will be delivering our
TrustedID Premier identity theft protection and credit file monitoring
product for a period of 12 months to consumers who enroll. In addition,
Equifax will incur legal, forensic consulting and other costs related to
the incident. Equifax carries cybersecurity, crime, general liability and
other lines of insurance, and we have begun discussions with our carriers
regarding the incident.

10. How will you disclose the costs related to the cybersecurity incident
in your financial statements and public filings?

Equifax will separately disclose costs specifically related to this
cybersecurity incident, as well as any insurance reimbursements that offset
these costs. These costs and reimbursements will be treated as non-GAAP
items in our presentation of Adjusted EPS and Adjusted EBITDA margin. The
timing of the accrual for or incurrence of related costs may differ from
the timing of recognizing insurance reimbursement for those costs.

11. Do you expect this cybersecurity incident to impact your long term
financial model?

Equifax remains committed to delivering on the long term financial model of
7-10% revenue growth and 11%- 14% growth in Adjusted EPS on average over a
business cycle. Equifax’s long term financial model reflects our continuing
fundamental ability to utilize our unique and differentiated data assets
and leading analytical capability to deliver high value products and
services to our customers.

While the cost of a data breach has been, and is still highly debated, no
one can discount that a data breach does cost money. Luckily for Equifax,
they have integrated cyber insurance into their risk management plan and
that should help offset some of the costs, but how exactly that coverage
will apply is a very curious question.

Other than confirmation that Equifax does have Cyber Insurance, there has
been no official details provided by anyone directly involved as to how
much insurance Equifax actually has or how it might respond to the many
different costs this breach is generating. What we have seen so far in
other published articles is that Equifax has a potential “tower” (a series
of insurance policies purchased from multiple carriers) between $100M and
$150M. It is rumored that Beazley is the primary carrier on the tower and
the first layer is $15M.

Some anonymous sources have provided additional clarity about their
insurance policy, and it appears that there is $130M of coverage in place.
Based on all information available the tower has a structure expected as
follows:

$5M – Self Insured Retention
$15M – Beazley
$10M – ?
$10M – ?
$15M – ?
$10M – ?
$10M – ?
$10M – ?
$10M – ?
$10M – ?
$25M – ?
————————–
$130M Total Limits

For the most part, many will assume that the normal coverages in the
Beazley’s cyber insurance policy (BBR) will apply for the Equifax tower.
But what is not yet clear is how these limits will be allocated to the
lawsuits and regulatory actions (a.k.a. the liability component) versus
breach response costs (a.k.a. first party costs). Regardless, $130 million
is likely to come up short compared to the total cost of the event when all
said and done. A Bloomberg
<https://www.bloomberg.com/news/articles/2017-09-09/equifax-s-insurance-said-likely-to-be-inadequate-against-breach>
a
<https://www.bloomberg.com/news/articles/2017-09-09/equifax-s-insurance-said-likely-to-be-inadequate-against-breach>
rt
<https://www.bloomberg.com/news/articles/2017-09-09/equifax-s-insurance-said-likely-to-be-inadequate-against-breach>
ic
<https://www.bloomberg.com/news/articles/2017-09-09/equifax-s-insurance-said-likely-to-be-inadequate-against-breach>
le
<https://www.bloomberg.com/news/articles/2017-09-09/equifax-s-insurance-said-likely-to-be-inadequate-against-breach>
stated as much when they reported that the cyber policy Equifax has in
place was “*likely inadequate to cover the credit-reporting company’s costs*”.
This was further justified from the Equifax statement:

“Our property and business interruption insurance may not be adequate to
compensate us for all losses or failures that may occur,”

“Also, our third-party insurance coverage will vary from time to time in
both type and amount depending on availability, cost and our decisions with
respect to risk retention.”

So, if $130M is not adequate, then what amount should have Equifax had in
place? We decided to look as some cost estimates based on studies and
models that have previously provided Cost Per Record numbers.
*# of Records* *Cost Per Record* *Estimated Cost* *Reference*
143,000,000 $0.09 $12,870,000 Verizon DBIR 2015
<http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=http%3A%2F%2Fwww.verizonenterprise.com%2Fresources%2Freports%2Frp_data-breach-investigation-report_2015_en_xg.pdf&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c>
143,000,000 $0.58 $82,940,000 Verizon 2015
<http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fwww.csoonline.com%2Farticle%2F2909613%2Fcyber-attacks-espionage%2Freport-average-cost-per-record-breached-is-58-cents-discovery-times-are-down.html&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c>
143,000,000 $5 $715,000,000 NetDiligence 2011
<http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fnetdiligence.com%2Fwp-content%2Fuploads%2F2017%2F03%2FCyberLiability-0711sh.pdf&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c>
143,000,000 $60 $8,580,000,000 Ponemon Direct Cost 2009
<http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fwww.ponemon.org%2Flocal%2Fupload%2Ffile%2F2011_US_CODB_FINAL_5.pdf&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c>
143,000,000 $141 $20,163,000,000 Ponemon 2017
<http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fwww.ibm.com%2Fsecurity%2Fdata-breach%2F&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c>
143,000,000 $158 $22,594,000,000 Ponemon 2015
<http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=http%3A%2F%2Fwww.csoonline.com%2Farticle%2F2926727%2Fdata-protection%2Fponemon-data-breach-costs-now-average-154-per-record.html&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c>
143,000,000 $200 $28,600,000,000 Ponemon 2009
<http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fwww.cnet.com%2Fnews%2Fdata-breaches-cost-6-6-million-on-average-survey-finds%2F&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c>
143,000,000 $964.31 $137,896,330,000 NetDiligence 2015
<http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fnetdiligence.com%2Fwp-content%2Fuploads%2F2016%2F05%2FNetDiligence_2015_Cyber_Claims_Study_093015.pdf&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c>
143,000,000 $17,000 $2,431,000,000,000 NetDiligence 2016
<http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fnetdiligence.com%2Fwp-content%2Fuploads%2F2016%2F10%2FP02_NetDiligence-2016-Cyber-Claims-Study-ONLINE.pdf&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c>

While there are disputes
<http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=http%3A%2F%2Ffortune.com%2F2015%2F04%2F24%2Fdata-breach-cost-estimate-dispute%2F&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c>
on what the proper cost per record post-breach estimate should be, based on
the table above using multiple data points from previous studies, it
becomes clear quickly that $130M in coverage would not be sufficient given
the amount of data compromised.

Certainly the decision to purchase $130 million or more of coverage was
aided by the brokers that placed this coverage and further validated by the
financial decision makers within Equifax. It’s also possible this is the
most coverage Equifax was able to obtain. What is certain is that there are
few companies with more first-hand knowledge than Equifax when it comes to
understanding breach response costs.

In fact, Equifax has been a partner of Beazley’s
<http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fwww.beazley.com%2Fdocuments%2F2014%2F019_Beazley_BBRenhancementsCanada.pdf&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c>
– yes, the very same Beazley that is said to provide the first layer of
cyber coverage to Equifax – providing breach resolution and mitigation
services on behalf of policyholders since at least May of 2014. What’s
more, Equifax describes themselves as data breach specialists, going so far
as to say they are *“ideally placed to help businesses if they experience a
data breach.”* <https://www.equifax.co.uk/data-breach/react.html> With such
deep roots in the cyber insurance and breach response industries, Equifax
should have been well informed as to potential costs.

The mostly likely component of a cyber insurance policy to pay out after a
breach is the first party, or breach response, coverage. This includes the
various costs that are incurred by the impacted organization for things
like the forensic investigation, credit monitoring, notification and call
center support, and identity protection services – all activities currently
underway at Equifax.  Third-party costs have not yet been be as impactful
as many lawsuits face an uphill battle in proving actual damages from the
breach as is evidenced by the failed attempts against Horizon BCBS
<http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fwww.databreachtoday.com%2Fhorizon-bcbs-breach-suit-dismissed-a-8083&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c>,
Schuncks
<http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=http%3A%2F%2Fwww.businessinsurance.com%2Farticle%2F20170503%2FNEWS06%2F912313250%2FSchnuck-Markets-data-breach-lawsuit&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c>,
and CareFirst
<http://t.sidekickopen05.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XZs4X9NxjW41Q3dC3SZ8B0F42Qjy24ldHf8s2mrb03?t=https%3A%2F%2Fwww.hipaajournal.com%2Fcarefirst-inc-data-breach-lawsuit-dismissed-lack-standing-3508%2F&si=5165167453929472&pi=4a210bde-e415-441f-8aee-2c67e40a546c>
.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170921/d642b0bb/attachment.html>