The Ponemon 2016 Cost of Breach Study underscores the need for companies to take all necessary measures to combat the scourge of data breaches.

These include the establishment of a chief information security officer, appropriate data loss prevention controls, encryption where necessary and a robust cyber insurance program. The study found that “Incident response plans and teams in place, extensive use of encryption, employee training, Business Continuity Management involvement or extensive use of Data Loss Prevention reduced the cost of data breach.”

The study confirms the resiliency of the hacking plague, and offers no hope that it will cease, or even diminish, in the foreseeable future. In the 11 years that Ponemon has conducted its study, the cost of a data breach has not fluctuated significantly. In 2016, the overall cost of a data breach was about $7 million, and the cost of each single lost record was $221, which are both slight increases from the previous year. The Ponemon Study only included “average” breaches; breaches in excess of 100,000 records were not used in the study. (The average number of breached records in incidents used in the Ponemon Study was 29,611.)

About two-thirds of the cost of a breach represented indirect costs, such as diversion of manpower to deal with the breach and loss of customers. Health care had an average cost per compromised record of $402, while the cost in the hospitality industry was $148. Moreover, unlike in earlier years, data breaches are not limited by a company's size or industry. For example, restaurants and supermarkets have been significant victims of recent breaches.

The threat of data breach and other computer crimes is constantly evolving. “Phishing,” by which an outsider passes itself off as a customer or financial institution and causes the transfer of funds to a false account, is rife. Ransomware and cyber extortion, in which the attacker freezes a company's data until it's paid off, have become major threats. No one knows what tomorrow may bring.

Impact of the Internet of Things

This may be the year in which the Internet of Things will create major vulnerabilities in our networks. These connected devices are created to share information that's not necessarily secure, and they're not designed to protect the data they collect. Gartner Research expects there to be more than 20 billion such devices by 2020.

The conclusion of 2016 saw two developments that underscored the growing importance of the Internet of Things. One of the employees at a Vermont utility checked his Yahoo account on his work laptop, which was connected to the utility's network, raising a red flag that suggested the computer was connected to an IP address associated with the hack on the Democratic Party. The good news is thus far there's no sign that the hackers were able to access the nation's power grid. Nonetheless, top political figures as well as businesses fear in 2017 that malware will be used to affect critical infrastructure, such as the power grid, water supply, energy, nuclear reactors and the communication sector.

The U.S. Food and Drug Administration (FDA) issued a formal advisory warning that medical devices such as pacemakers, defibrillators and insulin pumps are easily hackable. Pacemakers first came under scrutiny in August 2016 when a batch ran out of battery three months earlier than they were expected to. “If exploited, the vulnerability could result in permanent impairment, a life-threatening injury, or death,” according to the FDA.

Cyber insurance marketplace: the Wild West

Many companies have turned to their insurance programs to protect themselves against cyber attacks; however, most traditional commercial general liability and property policies don't provide any relief from data breaches. From about 2012 to 2014, litigation raged over whether general liability policies covered data breaches. However, the insurance industry added a broad data breach exclusion by endorsement that eliminates coverage for data breach or network or system failures on policies that contain the exclusion.

As a result, many companies have turned to “cyber insurance.” Fitch Ratings estimates that cyber insurance premiums in 2016 totaled in excess of $3 billion and are expected to be around $20 billion in written premium by 2020. The policies are considered to be reasonably priced, and with few exceptions they haven't produced coverage litigation, at least not yet.

More than 60 insurers now offer cyber policies, but no standard policy form exists, and the marketplace is like the Wild West. The policies are highly complex and confusing, with dozens of definitions, exclusions and conditions.

A company must understand its cyber risks and its needs before it approaches the market to transfer those risks. Is it looking for first-dollar coverage or catastrophic coverage? Working with an experienced cyber insurance professional is absolutely essential, and there aren't many of them.

Cyber policies principally provide insurance coverage for data breaches, the first-party and third-party legal responsibilities a company has post-breach, and the associated risks that can include governmental investigations, notification costs, business interruption and class actions.

One feature of cyber policies that has proven to be most useful is event response coverage, which begins when the policyholder discovers the breach. The insurance company provides the policyholder with recommended attorneys — known as data breach coaches — and consultants to address the situation. It also provides coverage for those measures necessary to preserve the company's brand up to the policy limit.

Exclusions are key

With the burgeoning growth of ransomware, cyber insurance also can afford cyber extortion coverage and business interruption coverage. This becomes incredibly important when businesses are not able to operate due to their network being locked down (extorted). The business interruption coverage (which does not come standard with all cyber policies) will pay the policyholder for the lost profits that it was not able to collect because its network was compromised. This can be very meaningful for companies who rely heavily on their computer and network.

It's important to review the exclusions in a cyber policy. In view of the growing importance of the Internet of Things, companies should be aware that cyber policies typically preclude insurance coverage for property damage and bodily injury, although it may be possible to negotiate for limited coverage for such risks. However, traditional general liability policies that provide coverage for property damage and bodily injury may apply to such claims. Although general liability policies typically contain a “cyber exclusion,” such exclusions usually run to data breach, not physical or bodily injury.

The original focus of data breach was hacking, which remains a pre-eminent threat. However, in 2017, a company must also guard against phishing and cyber extortion, and be cognizant of dangers posed through the Internet of Things. Companies must employ a full panoply of resources to protect themselves, and one of these resources should be cyber insurance.

Robert D. Chesler, a shareholder in Anderson Kill's Newark office, represents policyholders in a broad variety of coverage claims against their insurers and advises companies with respect to their insurance programs. Chesler is also a member of Anderson Kill's Cyber Insurance Recovery group. He can be reached at 973-642-5864.

Marc D. Schein, CIC, CLCS, a risk management consultant for Marsh & McLennan Agency, assists clients by customizing comprehensive commercial insurance programs that minimize or eliminate the burden of financial loss through cost-effective transfer of risk. He can be reached at 516-395-8504.
