Q: What trends are you seeing related to private clubs and cyber insurance? Are businesses required to carry this type of insurance?
A: A small but growing number of private clubs have experienced a data breach. Luckily, many of these clubs had cyber insurance. A common misconception is that cyber liability coverage is for Internet-related risk only. In fact, no computer or crime is required for a loss. While hacker attacks and virus/malicious code incidents are most commonly reported in the news, in other cases privacy failures such as the accidental or unauthorized release of confidential member information, social engineering and rogue employees expose the club to security liability—as well as reputational damage.
The Ponemon Institute, a well-known research firm, publishes an annual “Cost of a Data Breach” report. The 2014 report, produced in partnership with IBM, indicated that 32 percent of the organizations in the study have a cyber insurance policy to manage the risk of attacks and threats.
An interesting finding is the important role cyber insurance can play not only in managing the risk of a data breach but in improving the security posture of the company. While it has been suggested that having insurance encourages companies to slack off on security, the Institute's research suggests the opposite: companies with good security practices are more likely to purchase insurance.
While there is presently no law that requires a business or organization to carry cyber liability coverage, there is a national trend in business contracts toward requiring proof of this coverage. In addition, the SEC is encouraging disclosure of this coverage as a way of demonstrating sound information security risk management. Laws such as HIPAA-HITECH and Gramm-Leach-Bliley, along with state-specific data breach laws, are continually driving demand as the notification requirements that follow a data breach become more expensive to meet.
The Symantec “2014 Internet Security Threat Report” indicates that small businesses like clubs accounted for 30 percent of targeted spear-phishing attacks in 2013. In 2012, Verizon reported that approximately 40 percent of all data breaches that year occurred among companies with fewer than 100 employees. Even more alarming is the fact that 60 percent of companies that have been a victim of cyber-attacks are out of business within six months. While breaches involving public corporations and government entities garner the vast majority of headlines, it is the small business that can be most at risk. With lower information security budgets, limited personnel and greater system vulnerabilities, small businesses are increasingly at risk for a data breach.
The Ponemon Institute “2014 Cost of a Data Breach” report indicated that the average cost paid for each lost or stolen record is $201. This figure reflects both the indirect expenses associated with a breach (time, effort and other organizational resources spent during the data breach resolution, customer churn, etc.) and the direct expenses (customer notification, credit monitoring, forensics, hiring a law firm, etc.).
Because every breach is different, and the per-capita cost of a breach depends largely on the number of records compromised, it is helpful for small to mid-sized organizations to start with the lower figure of $65 per record (the average direct cost associated with a breach in the Ponemon study) and multiply it by the estimated number of records containing PII, PHI or financial account information in the insured’s control. This simple exercise quickly shows a business the financial value of cyber insurance as a risk transfer vehicle. More information can be found at www.ponemon.org.
Tom Walker is area executive vice president of RPS Bollinger – Sports & Leisure. He serves as the program manager, with oversight for all operations, sales, financial performance and key broker, industry association and carrier relationships. He has served on several club boards and committees, and is a recognized authority on club insurance issues. He can be reached at 800-446-5311 (ext. 8098) or [email protected]