It’s just about the fastest-growing new type of business insurance and the blunt question is: Do you need cyber insurance or is this coverage you can safely pass?
Are the cyber threats out there so numerous and so devastating that special insurance protections now are needed?
Understand this: although the coverage type is relatively new, already “around 20% of credit unions have it,” said Jay Isaacson, director, Credit Union Protection Product Management, at CUNA Mutual.
He estimated that the average policy cost is “around $6,500” (small credit unions will pay around $2,000 per year) and his guess is that the number of insured credit unions will probably double in the next three to five years.
What does a policy cover? Isaacson said a typical policy kicks in when the credit union “has a security breach. It will pay for forensic investigation, member notification, reputation management.”
But often those are just the first-round costs. There also is a liability component available in CUNA’s coverage that comes into play if a credit union is sued as a result of a breach.
In the three years CUNA Mutual has offered cyber insurance “we have had around 50 claims,” Isaacson said.
That doesn’t mean this is small beer, however. Michael Bruemmer, vice president of Experian Data Breach Resolution, estimated the average cost of a breach at $9.4 million.
Bruemmer noted another, important point. In a recent survey, conducted for Experian, 70% of the executives surveyed said applying for cyber insurance “helped improve their state of readiness,” said Bruemmer.
The reason is that before issuing a policy, insurers do a thorough inventory of a credit union’s defenses and the insurer will insist that weak links be strengthened before granting coverage.
CUNA’s Isaacson elaborated, “In making the underwriting decision, we analyze the application. Is there encryption in place? Do they have breach intrusion detection software?
Have they prepared for cyber attacks?”
Said Mel Gates, an attorney in the Patton Boggs Denver office who specializes in cyber issues, “Going through the underwriting process prods you to take a hard look at your risks. Thus you become much more attractive to underwriters.” She added: “There is a lot you can do to protect yourself if you focus on vulnerabilities.”
Coverage however isn’t one size fits all. Variations can be enormous, said Karen Stevenson, an attorney with Buchalter Nemer in Los Angeles. She elaborated: “Cyber insurance is as good as what you buy. A company has to understand its risks and buy appropriate insurance. Insurers are offering more-nuanced products. I have financial institution [clients] that have coverage that they specifically negotiated, to cover e-vandalism, e-theft and cyber attacks.”
Some financial institutions also have sought coverage for costs associated with Distributed Denial of Service outages, said sources.
In buying coverage, Stevenson stressed, “look at your specific risks and buy coverage accordingly.”
One worrisome reality that may underline the need for cyber insurance: “80% of breaches are rooted in employee negligence,” said Bruemmer. “People are human, they make mistakes.”
Good technology often can be undermined by bad human decision-making.
That may up the risks for credit unions, noted Gates, who earlier in her career worked as the chief information security officer at a large telecommunications company. “As technical controls and protections get better, bad guys are looking for the easiest way to compromise an organization. They look at the human factor. How do you deal with that? It is tough in a customer-focused culture; your people want to be helpful.”
Bottom line: breaches are becoming part of everyday life in financial institutions. Defending against them is of course job one. But – in the event they occur despite the best defenses – getting help cleaning up the mess just may be crucial. That’s where cyber insurance comes in.