Tag Archives: cyber insurance

Not Getting The Right Cyber Insurance Cost PF Chang’s $2 Million

P.F. Chang’s restaurant chain suffered a cyber breach in which about 60,000 credit cards were stolen.  The breach only affected 33 of the company’s approximately 400 restaurants, so it could have been much worse, even though it lasted 8 months.

Still, the restaurant spent about $1.7 million recovering from the breach.  If the breach hit all of their locations at the same rate, that number might have been around $20 million.  This is still small compared to, say, Target.

Chang’s had purchased cyber breach insurance from the Federal Insurance unit of the insurance giant Chubb in case of exactly this kind of event.  But, as I have said in the past, cyber breach insurance is not a standard form policy, and as a result you don’t always get what you expect.  This is why we recommend conducting a cyber insurance assessment.

As the story moved forward, Bank of America, their credit card processor, fined P.F. Chang’s $1.9 million to cover the costs of reissuing cards and the resulting losses.  Notice that this number is greater than all of the other expenses that P.F. Chang’s had from the breach.

P.F. Chang’s paid B of A and then asked Federal Insurance to reimburse them.  Federal said no and ultimately, Chang’s sued Federal.

This month a verdict in that suit came in and it validates my comment that you don’t always get what you expect.

There were some interesting twists and turns in the trial.

First, Chubb said that there was no coverage because Bank of America suffered the loss, not Chang’s, even though Chang’s was contractually required to reimburse B of A.

Then Chang’s said it should be covered under the privacy notification clause.  This seems a bit strange to me and the answer from the court was no.

Next Chang’s said it should be covered under the business interruption clause. This usually covers extra expenses you have to pay as a result of a covered event.  Again, the court said no.

Ultimately, it boiled down to the fact that Chang’s did not have PCI DSS coverage in their policy.  Whether they understood that at the time the policy was written or not is unclear.  Whether their broker understood that or not is unclear.  Whether Federal Insurance understood that and figured it was a great way to limit their liability in case of a breach is unclear.

What IS clear is that P.F. Chang’s gets to cover that check out of its own pocket.

While they will not go broke over this, it is a great lesson for other companies to make sure that they understand what they are getting.  A $1.9 million bill to cover a breach of only 60,000 cards could sink a lot of companies, and 60,000 cards is not a large breach.

This is only one example of how you can go wrong when it comes to buying cyber insurance.  The first step is to understand what coverage you need to have.  The second step is to make sure that your policy provides that coverage.  Outside help may be required in both cases.



Information for this post came from National Law Review and Lockton’s Blog.

Insurance Companies Deny Cyber Insurance Claims

As I predicted (which did not require a large amount of clairvoyance) after the Cottage Health fiasco, insurance companies prefer to deposit premium checks and have begun to fight cyber insurance claims.  Since most people don’t read their insurance policies and even fewer make sure that they are in compliance with the terms of the policy, this is kind of like taking candy from a baby – an unfair fight.

In the Cottage Health case, Cottage was breached and their cyber insurance carrier, a division of CNA, paid the $4 million claim.  CNA later said that Cottage was not in compliance with the terms of their policy even though the insurance carrier initially paid the $4 million claim, and is suing to get their money, legal fees and other costs back.  That suit is currently withdrawn pending back room negotiations between the two parties.

There are now two new lawsuits.

Ameriforge Group is suing Chubb because they were suckered into a business email compromise (where a hacker convinces someone in the company to wire money to some place because of a secret deal the CEO is working on or whatever).  Chubb says that the policy covers fraud (where someone writes a bogus check or wire, for example), but in this case, an authorized employee got suckered and, sorry to be impolite, there is no sucker coverage in the policy.  In this case the loss was around $500,000.

The second case is similar.

Earlier last year, Chubb was sued by Medidata Solutions after it was suckered out of about $5,000,000 in a similar “super secret” deal.  Even though in this case, the company said there was some hacking involved, Chubb said the employee voluntarily sent the money, so no coverage.

The moral in this story is that companies need to understand what coverage they have and what coverage they do not have.  Cyber risk insurance is not a standard form of insurance, so policy coverages vary significantly.

And, as Cottage Health discovered, even if you have coverage you have to make sure that you follow the rules if you want to get paid.

Information for this post came from Krebs on Security.


Cyber Insurance Premiums Skyrocket

For those companies who ask why they should invest in reducing cyber risk when they have cyber breach insurance – here is why.

As a result of recent breaches, companies that insurers deem to be in high risk industries saw their cyber insurance premiums go up, on average, 32%.

In addition, insurers are raising deductibles and in some cases, limiting coverage.

Not surprisingly, retail and insurance have been the hardest hit, but I expect that insurance companies will realize the risk is higher than they expected in other industries as well.

Anthem said that their renewal rates, after the breach, were prohibitively expensive and difficult to get.  They did eventually get the coverage they wanted, but only after they agreed to pay the first $25 million in breach costs.

American International says they are turning clients away and I know that other carriers are doing this as well.

Berkshire Hathaway started offering cyber insurance this month but says that they are going to be very selective in writing policies.

Insurance companies are finally telling clients that they need to tokenize credit card numbers or implement end-to-end encryption if they want to get their policies renewed.

And, the brokers are saying that the restrictions that insurers are writing into policies today will be the basis for litigation two or three years from now.

Which is why cleaning up your cyber risk act may soon be a requirement for getting carriers to write a cyber risk policy at all.

Soooo, you can be proactive and do now what every carrier will be telling you that you have to do in a couple of years.  OR, you can scramble when your policy is up for renewal – if you are able to get coverage at all – because the solutions to these problems are expensive and take time to implement.



Information for this post came from Reuters.

Sony Breach May Break Even More New Ground

Everyone knows that the Sony breach was different from, say, the Target or Home Depot breach because of the damage that Sony is still, 10 weeks later, trying to recover from.

But now, the insurance experts are adding yet another wrinkle – thanks Sony.

According to the Hartford Courant, Sony may break new ground in the insurance world too.

Cyber insurance policies tend to be a bit vague on coverage in case of acts of war or terrorism.  Since the government has blamed North Korea for the attack, one might call it an act of war or terrorism.  The President was careful to call it cyber vandalism.  I suspect a number of attorneys argued about that decision, and part of it may have been an attempt to avoid trouble with Sony’s cyber insurance policy.  Of course, whether the President calls it vandalism has little impact on what the insurance company calls it, and while we have no indication yet that Sony’s insurance carrier is going to try to wiggle out of their policy, they still may.  Writing a $60 million check does cause people to pucker up.

So then, you might rightfully say, if it is terrorism, did Sony have a terrorism policy?  That issue has not come up yet, so we don’t know.

And terrorism insurance is designed to cover losses like the World Trade Center on 9-11, not a hacker erasing some computer disks and posting your new movies on an underground message board.

Suffice it to say, this is all new ground.

It certainly would be smart for companies and their insurance brokers to review their coverages and exclusions in light of this.  And, at renewal time, it behooves them to read the policy carefully.

Whether Sony’s insurer will try playing this card is unknown – I guess we will have to wait and see.  And even if they do, it will take years to sort out.

One more time Sony is breaking new ground.


Small Businesses Face Big Cyber-Risks

Is your business prepared for a cyber breach?  Besides the cost, there is the potential for damage to your reputation, loss of customers, distraction while dealing with it, and the potential for lawsuits, which can go on for years.

An article at AZCentral.com talks about the subject and the fact that hundreds of small businesses have been hacked recently.  The challenge with cyber-breaches is that the bad guy gets your data but you still have it too, so you might not even be aware that you have been attacked.

Sometimes you are never aware that you have been attacked.  Other times, the media catches it and announces it – like with Home Depot.  Still other times, law enforcement pays you a visit and lets you know.

Don’t think that because you are a small business you are immune.  In fact, hackers assume that small businesses likely have fewer defenses and are less likely to discover an attack.  Statistics indicate that about a third of all data breaches are against organizations with fewer than 100 employees.

Cyber-insurance may help with the costs and your defense in court if it goes there (there are over 50 lawsuits pending against Target right now), but that won’t help with the distraction and the damage to your reputation.

Cyber-insurance is a non-standard product meaning that the exclusions and limitations vary from policy to policy.  Assuming you don’t have cyber liability insurance, you should consider it.  If you do, you should review it to understand what is covered and what is not covered.  This is a case where surprises are not a good thing.

For many businesses, cyber risk mitigation is an area where bringing in outside expertise is a good idea.

Mitch Tanenbaum

Is cyberinsurance an effective tool to protect against the costs of a cyberattack?

An article at Investors.com made a number of good points, but I have a bone to pick about one point.

First the good points –

One of the many changes that the Internet brought about is that it is easier than ever to steal someone’s data.  You don’t have to break into someone’s house or office – you can be thousands of miles away – which means that the odds of getting caught are very low.

People are buying more and more cyberinsurance.  It seems like a good thing.  Have a risk?  Insure against it.  The attacks are endless and mind-numbing – Target, eBay, Boeing, Lockheed.  The list seems to go on forever.  Attacks are more prevalent and harder to detect.

The industry has been writing fire insurance for over a hundred years.  They have been writing cyber insurance for less than ten years.  Do you think the insurers have this figured out?  Do YOU know what is covered in your cyber liability policy and what is not covered?

The article points out that we don’t even know what percentage of companies have cyberinsurance. Three different studies reported very different results – from 52% to 33% to only 6%.  Even if you are very optimistic, it means that half of the companies don’t have cyber insurance.  That’s probably not a good plan today.

Now the bone –

The article says “Yet challenges remain to raise awareness that cyberinsurance can be an effective tool to protect against the costs of repairing and defending against cyberattacks.”

Far be it from me to suggest that people should not buy cyberinsurance.  I think most companies should have some cyberinsurance, BUT, all that will do is help defray some of the costs – after the fact.

While Target is not the typical breach, it is representative.  It has been reported that Target had $100 million in cyber insurance.  I don’t know if that is true, but that has been reported. It has also been reported that Target will likely spend more than a billion dollars mitigating the attack.  That includes everything from PR to lawsuits.  Of course it depends on the outcome of the 50 lawsuits that have been filed against Target, but the cost might be several billion dollars.

So, if you are optimistic, Target’s insurance will cover 10% of the cost of mitigation.  If you are pessimistic, it might only cover 1%.  Ignoring for the moment the purely financial impact of paying to mitigate the breach, Target has been the recipient of an awful lot of bad publicity, and their sales fell significantly after the breach as well.

What companies really need to do – besides making sure that they do have cyberinsurance – is to take some positive action to reduce their own risk of being the victim of a cyberattack.  What most companies do is install antivirus software and a firewall and call it good.  Tomorrow I will write a post on the downside of antivirus software – check that out.

What companies need to do today is way more than that.  To start with, do you have a Chief Risk Officer (not someone who does 10 things plus risk management)?  Do you have a chief data security officer?  If you are a small to medium size company, these could be part time roles or they could be filled by a contractor, but they need to be well defined jobs.  AND, they need to brief the board of directors on a regular basis.  Ultimately, this is a bet-the-company issue.  Studies report that somewhere around two thirds of companies that suffer a data breach go out of business.  Whether that number really is 66% or 40% or even 33%, the number is significant, and as a result this issue needs real, ongoing visibility at the board level.  What this likely means is spending money, changing processes, dealing with people complaining about change, and a whole lot of other things.

Alternatively, be prepared to be the next Target.  At Target, the CEO, CIO and CISO all lost their jobs.  Among other people.