Mitigating Cyber Security Risks with Cyber Insurance in 2012

by Vince Crisler

The sophistication and capacity of the cyber insurance market have evolved in the last five years. Cyber insurance can fill the insurance gap, but mitigating cyber security risks with cyber insurance is not a simple solution. Counsel should revisit cyber insurance with directors and senior management in 2012 so that they understand their company's exposure and can align their expectations with evolving market offerings.

Excerpt:

Companies collectively lose hundreds of millions of dollars to security breaches, and thousands of new threats are surfacing on the internet every year. Understandably, directors and senior management are concerned about their company's insurance coverage in light of the growing threat of today's cyber security environment. Their concern is justified because losses and damages from cyber incidents are generally outside the coverage of, or explicitly excluded from, traditional insurance policies. Cyber insurance can fill the insurance gap by providing coverage for data breaches, business interruption, and actions required as a result of privacy law violations. However, mitigating cyber security risks with cyber insurance is not a simple solution. While cyber insurance can serve as an effective risk management tool, there are significant limitations to the risk that can be transferred through this tool. Those limitations notwithstanding, the sophistication and capacity of the cyber insurance market have grown over the last five years. Therefore, counsel should revisit cyber insurance with directors and senior management in 2012, so that they understand their company's exposure and can align their expectations with evolving market offerings.

The cyber insurance market has evolved dramatically in the past few years. Greater numbers of companies have purchased stand-alone cyber insurance since traditional insurance policies generally exclude costs associated with security breaches. Moreover, these costs have risen sharply due to the increase in cyber-attacks and new government mandates requiring the notification of affected consumers in the event of a data breach. Today, almost every state requires companies to notify customers if a security breach exposes their confidential personal information, and some require further action to remediate the resulting damage. Furthermore, Congress is debating whether to enact national standards for data breach notification.

In addition to greater risks and increased liability driving companies towards cyber insurance, insurance underwriters are more informed than they were five years ago about the actual costs for certain cyber incidents. As a result, the availability of customized policies covering narrow areas of cyber risk has increased. Specifically, underwriters have been able to quantify the costs related to the loss, theft, or unauthorized access of confidential personal information. They've determined that the average cost to notify customers in the event of a data breach is between $75 and $100 per individual, not including other related services, such as public relations, crisis management, credit monitoring, and identity restoration. Insurance companies use this information to underwrite coverage for losses suffered from a data breach. Nonetheless, underwriters still lack the actuarial and statistical data about the frequency of security breaches to create a standard cyber insurance policy. [footnotes omitted]

Vince Crisler joined Zeichner Risk Analytics, LLC in April 2009 as the Senior Director, Cyber Initiative Programs.

Prior to accepting this position, Vince served in two different leadership roles at the Executive Office of the President (EOP). Most recently, he served as the Director of Customer Advocacy and was responsible for standing up a new customer-focused directorate in the Office of the Chief Information Officer using Customer Relationship Management principles. Additionally, he served as the Director of Information Assurance and led a significant modernization program overhauling IT Security to include the creation of the first-ever 24x7x365 Security Operations Center for the EOP. His efforts included significant work with the Department of Homeland Security, the National Security Council, the Homeland Security Council, the National Security Agency and the Defense Information Systems Agency.

Prior to joining the EOP, Vince was an Officer in the United States Air Force and served in the White House Communications Agency, the National Military Command Center in the Pentagon and Ramstein Air Base in Germany. Vince graduated from The Ohio State University with a degree in Computer and Information Science.