Insurance News

Data Explosion Expands Breach Exposure, But Insurers More Open To Handling Risk

Posted on: July 24, 2009

The problem with securing data and insuring its safety is that there is simply so much more stored electronically these days that opportunities for outside hackers or insiders to steal valuable, confidential information off a company's computer systems are growing exponentially, according to those in the insurance industry who make it their business to cover this expanding exposure.

Indeed, "you can take out more data in a thumb drive now than people could take out in a super-computer 10 years ago," according to Kevin Kalinich, co-national managing director for Professional Risk Solutions at Aon.

The risk of a data breach is very real for companies large and small across almost any industry, noted Mr. Kalinich. He cited a report from the University of California, Berkeley, that more data has been aggregated and stored in the last three years than in the entire history of mankind.

He also noted that between 75 and 85 percent of Fortune 2000 companies have suffered a "material data breach," meaning there is a growing market for those selling insurance coverage for liability and repair costs, as well as loss control services.

Companies that take an "it won't happen to me" approach to securing data need only look at news headlines to see that organizations are often hit by breaches, and as more data is being stored electronically, the potential for, and impact of, possible breaches increase.

Princeton, N.J.-based credit and debit processing company Heartland Payment Systems reported that it had been compromised in 2008 in a breach that involved up to 100 million records, which would be tops for number of records accessed in a breach.

The Heartland incident would displace the 2007 breach of TJX, in which over 45.6 million credit and debit card numbers were stolen. The TJX breach, in turn, took the record set by a breach of CardSystems Solutions in 2005.

Breaches can occur at companies outside the sectors typically considered risky.

Indeed, while companies such as retailers and banks are typically thought of as holding personal information susceptible to theft, something as simple as applying for college involves the university obtaining sensitive financial and health information, noted Kim Quarles, senior vice president of the E&O and eRisk product team at Willis Executive Risks Practice.

Law firms, accounting firms, real estate companies and, of course, insurance companies hold data that could be valuable to thieves, warned Ms. Quarles, speaking at an April meeting of the Association of Professional Insurance Women.

For the insurance industry, the risk of a data breach has gone from an intentional exclusion on general liability policies to an exposure that is better understood and for which broad coverage can be acquired at reasonable prices, market sources say.

Originally, the industry was taken off guard when data breach losses were filed with general liability carriers, which led to the denial and exclusion of claims, according to Jim Whetstone, senior vice president at specialty insurer Hiscox.

"But as typical," he added, insurers "developed new products to fill gaps."

Meanwhile, insurer understanding of the risk has increased considerably over time, said Mr. Whetstone, explaining that underwriters have learned how claims are brought, the importance of taking action in the first 48 hours after a breach, how hackers get into systems, as well as who gets involved from a claims-filing and legal standpoint.

Mr. Kalinich noted that an issue for insurers was to understand how to underwrite the risk. With a standard property insurance exposure, such as fire, an insurer will have decades of data and will realize that damages can be reduced by a certain percentage through certain loss measures, such as having a sprinkler system.

But underwriting factors used for other lines of insurance are not as useful with a risk like data breach, he explained.

Insurers have learned instead to differentiate between companies that use best practices and encrypt and back-up data, from clients that do not, Mr. Kalinich said. He added that insurers also have tested procedures to see how a company measures up to industry standards and also account for how much and what type of data is stored.

For example, if a company does not have prime security measures in place, but holds a minimal amount of data, insurers may not treat that account as a catastrophic risk, Mr. Kalinich noted.

With respect to understanding claims better, Mr. Kalinich used the Heartland breach as an example. He said three different types of claims were filed due to the breach.

• The first set of claims involved consumer class-action lawsuits resulting from invasion of privacy and the potential for identity theft. Mr. Kalinich said about 20 such class actions were filed.

• Financial institutions, such as banks and credit card companies, comprised the second set of claims. These companies, Mr. Kalinich said, had to cancel and re-issue around 100 million cards, with costs ranging from $35-to-$50 per card. He said 11 class actions resulted from these financial institutions.

• Four securities class-action suits were also filed, Mr. Kalinich noted, involving charges that directors and officers did not have adequate oversight measures in place.

Before these types of losses revealed what claims activity would be like, Mr. Kalinich said it was difficult for insurers to know how to price the risks. But over the last 18 months, he said insurers have been reviewing files, determining the causes of breaches and finding ways to differentiate good risks from bad.

Additionally, Mr. Kalinich said new policies are coming to market with regularity, noting that Lloyd's had announced a new product on the day he spoke with National Underwriter.

As far as understanding the risk of data breaches, the insurance industry has taken big steps, but work remains to be done.

Jim Epting, vice president and branch manager of Burns & Wilcox's Atlanta office, said he is still educating himself and is getting up to speed on the exposure through seminars on targeting products for small and midsize companies, rather than Fortune 500 companies.

Small and midsize companies are targeted more often, according to Mr. Epting, because they may not have the same security measures in place.

The industry is also working with insureds to better protect its data. Mr. Epting said his market has a Web site that provides information on data risk management.

Panelists at the APIW meeting said companies should have a recovery plan in the event of a breach and should strive to collect the minimum amount of personal data needed. Beth Diamond, claims manager for Beazley, noted that a Social Security number, for example, is not essential information for job applicants.

She also said companies should be aware where sensitive information is stored and should minimize access to that data. Employees should not be allowed to download personal information to laptops, and companies should consider loaner laptops for traveling employees, Ms. Diamond said.

Looking forward, Mr. Whetstone said new technology is always being developed, and "unfortunately, security is an afterthought." But he noted software companies are doing a better job of building security into their products.

For the insurance industry, the learning process continues. Mr. Whetstone noted that the TJX breach, for instance, showed insurers how heavily credit card companies will be involved in the claims process.

Success for insurers will depend on how proactive they can be in anticipating risks, and also how well they react and respond to issues that emerge, according to Mr. Whetstone.

© Copyright 2009 National Underwriter Property & Casualty. A Summit Business Media publication. All Rights Reserved.
