‘It will never happen to us’ is a common statement from technology managers when data breach insurance is raised, according to Shaun Cooper MBCS. This is despite the fact that breaches can tarnish reputations and hit corporate balance sheets.

When high profile system breaches or system failures occur, it is not just the organisation’s reputation that is in question. For IT departments, which often walk a tightrope between managing business expectations and supporting day-to-day operations within budget, a system failure or breach can cost dearly.

The costs of incidents

According to the latest Ponemon Institute’s annual study the costs of UK data breaches continue to rise. The average organisational cost of a data breach in 2010 increased to £1.9 million, up 13 per cent from 2009 and a further 10 per cent from 2008. Data breaches in 2010 cost an average of £71 per compromised record, up £6 from 2009 and up £11 from 2008.

Lost business and ex-post response are becoming the main components of data breach costs. Recovering customers, profits and business opportunities after data breaches posed the greatest cost hurdles for companies in 2010, even more than the data breach response itself.

Customer turnover in direct response to breaches remains the main driver of data breach costs. Sectors with the highest 2010 average per-record costs were communications (£102), financial (£94) and pharmaceutical (£90). Data breach size ranged from 6,900 to 72,000 lost or stolen records.

Multiply the per-record cost by the number of records exposed in a typical incident and the scale of the exposure is clear: at £71 per record, even the smallest breach size in the study (6,900 records) represents roughly half a million pounds, and this falls on businesses processing cardholder and personal data.

In April 2010, the Ministry of Justice (MOJ) authorised the Information Commissioner’s Office (ICO) to impose monetary penalties of up to £500,000 on data controllers (the organisations, not just the individuals, responsible) for serious breaches of the Data Protection Act. The ICO levied its first two breach-related penalties in November 2010.

Scope and benefits of data breach insurance

Even the most robust information security and disaster recovery programme is never failsafe. That is why many security vendors have gone on record stating that companies should not rely on technology products alone.

Once the further threats of operational error, supply failure and administrative mistakes are taken into account, data breach insurance can be the ideal vehicle for transferring the residual risk that controls cannot eliminate. Data breach insurance generally covers costs including, but not limited to:

  • forensic investigations;
  • legal advice / assistance;
  • notification (drafting / printing / call centre / advertising);
  • card replacement;
  • monitoring services (credit and intrusion);
  • public relations;
  • response to a data breach caused by the actions of an employee, contractor or external party such as a hacker, including physical theft of data on paper or digital media;
  • time used in remedial actions directly related to the breach;
  • costs incurred in dealing with third parties, e.g. hosting companies;
  • assessments and fines levied by card brands and through acquiring banks and/or payment processors.

Subsequent fraud resolution costs, including:

  • credit rating analysis / resolution;
  • close monitoring of fraud trends;
  • identity theft insurance for breach victims.

Where a data breach affects a card-accepting merchant, the cost of the forensic investigation and report by a Payment Card Industry approved forensic investigator (these investigations are mandatory under PCI rules for a compromised merchant and must be carried out by an investigator the card brands recognise) is covered under the insurance policy.

The key benefits of data breach insurance include coverage for costs ranging from the IT department’s internal investigation of an incident and the steps taken to rectify it, through to lost income and payroll.

Data breach policies also typically include coverage for reputation rehabilitation expenses, such as compensation to customers affected by the incident as well as payment for specialist crisis management consultants to assist in re-establishing the company’s brand.

Customer notification and credit monitoring costs may also be included, whereby credit monitoring agencies are engaged to write to affected customers and provide them with 12 months of credit monitoring.

Seeking professional advice

To discuss coverage options, speak with a specialist data breach / cyber risk insurance broker. Ask the broker to carry out a ‘gap analysis’ of your current insurance programme and to ‘map out’ your intangible information technology assets. You should then be in an ideal position to identify, with the broker, the types of policy cover available and to design bespoke coverage that meets your specific needs and risk appetite.

The data breach insurance market has opened up over the past few years due to increased competition; premiums have become more competitive as more insurers have built up a loss history. The broader cyber / non-damage insurance products tend to be offered by Lloyd’s of London insurers and cover data loss from human error and software failures as well as from attack.

The world’s economy relies heavily on networked computer systems for commerce, communications, energy and transport, and a host of other critical activities. System failures or breaches, whatever the cause, are part and parcel of business life. IT / security managers should seek out advice on data breach insurance not only to help protect against reputational risk, but also to protect the IT budget from these unforeseen incidents.

Managers should not regard buying data breach insurance as an admission that they cannot defend their network. Companies take similar precautions in other areas, such as installing smoke detectors and sprinklers in their buildings while still buying property cover every year.

Cyber-attacks will continue, but with proven risk management and risk transfer mechanisms, there is less and less reason why these incidents should jeopardise corporate IT management and the bottom line.