Subscribe to Our Blog
The recent Equifax breach of 143 million individuals’ personal data was announced September 7, 2017. The hack included social security numbers, birth dates, addresses, driver’s license numbers and might also include credit card numbers. According to Privacy Rights Clearinghouse, “The number of people impacted and the sensitivity of the breached information may make this the most significant data breach ever.”1
The Privacy Rights Clearinghouse database includes 405 data breaches made public during 2017. The number of breached records was available for 251 of the 405 incidents. As shown below, this number is generally much smaller than the Equifax data breach. Only 2 of the 251 claims (less than 1%) had 10 million or more records breached.
In June 2017, the Ponemon Institute calculated an average cost to U.S. companies of $225 per lost or stolen record. These costs include direct expenses (forensic experts, hotline support, credit monitoring subscriptions and discounts for future products and services) and indirect costs (in-house investigations and communication, customer loss resulting from turnover or diminished customer acquisition rates).2
Bloomberg reports that Equifax’s $100 million to $150 million of cyber insurance coverage is likely inadequate to cover its costs.3 Although per record costs should be lower than the Ponemon average, a look at other large breaches shows that Equifax did not have sufficient coverage for a company with exposure to such a large volume of personal information. “Anthem paid $115 million to settle a class action suit for a breach that may have affected nearly 80 million customers and Target’s 2016 breach is expected to exceed $450 million.”4
The increase in cyber attacks is inciting more companies to purchase cyber insurance. “Property/casualty insurers wrote $1.35 billion in direct written premium for cyber insurance in 2016, a 35 percent jump from 2015, according to reports by Fitch Ratings and A.M. Best.”5 Demand for this coverage will likely continue to grow following the Equifax breach. “However 27% of United States firms do not intend to purchase cyber insurance. Cost and lack of clarity about insurance pricing was identified by researchers as why companies would not purchase cyber insurance.”6
In addition to lack of coverage, companies that do not purchase cyber insurance also miss out on loss prevention advice from their insurance providers. Insurers should review their policyholders’ risk and suggest needed improvements as part of their underwriting process. Providers are also experienced in breach response. The Ponemon study noted that the longer the delay in responding to a breach, the higher the costs.
Companies can also consider establishing or joining an existing captive insurance company to address their exposure. A captive insurance company, which insures the risks of its owners, could provide coverage for cyber insurance or cyber insurance in excess of commercial insurance coverage. For more information on captive insurers, see Pinnacle’s Knowledge Center. A company enterprise risk management strategy should determine the amount of cyber insurance coverage needed, and whether commercial insurance, captive insurance or a combination of the two is the best way to manage the organization’s risk.
Laura Maxwell is a Senior Consulting Actuary with Pinnacle Actuarial Resources, Inc. in the San Francisco, California office. She has over 25 years of actuarial experience in the property/casualty insurance industry and has provided consulting services since 2003. Laura is a Fellow of the Casualty Actuarial Society and a Member of the American Academy of Actuaries. She currently serves the Casualty Actuarial Society (CAS) as a member of the Examination Committee, Chair of the Webinar Committee and Secretary/Treasurer of the Casualty Actuaries of the Bay Area.
1 Equifax Data Breach: What Should You Do Now, Privacy Rights Clearinghouse Blog dated September 12, 2017.
2 2017 Cost of Data Breach Study, Benchmark research sponsored by IBNR Security, Independently conducted by Ponemon Institute LLC, June 2017.
3 Equifax’s Insurance Is Likely Inadequate for Breach, Sonali Basak and Jennifer Surane, Bloomberg, September 9, 2017.
4 “Cybersecurity, Insurance Execs See Opportunity in Equifax Data Breach”, Elana Ashanti Jefferson, Property Casualty 360, September 13, 2017.
5 “Cyber Insurance Premium Volume Grew 35% to $1.3 Billion 2016”, Insurance Journal, June 23, 2017.
6 “Why 27% of U.S. Firms Have No Plans to Buy Cyber Insurance”, Insurance Journal, May 31, 2017.
« Back to Blog