[Figure 3: Average Cost of Data Breach, 2008–2011]
Enterprisewide Risk Management
Although this is a relatively new and emerging exposure, the
commercial market has reacted swiftly to meet the growing demand for property and liability insurance products to protect
against the spectrum of cyber risks. Because of the multitude of
issues that arise from a data breach, many commercial carriers
have developed a package policy approach to cover both first- and third-party damages and expenses. These include:
■ Cyber liability coverage for loss and expense amounts resulting from a covered data breach;
■ Privacy notification and crisis management coverage related to affected party notification requirements and loss mitigation efforts;
■ Reward expense coverage, which offers compensation to an informant who provides information relevant to an arrest and conviction of the individual responsible for the breach;
■ E-business interruption and extra expense coverage for the loss of income and to reimburse expenses to continue operations during the period of recovery;
■ E-extortion coverage for funds or property surrendered and expenses incurred as a result of a direct threat to take over an insured’s information system(s);
■ E-vandalism coverage for expenses incurred to replace or reproduce data and/or media that have been altered, damaged, or destroyed.
Although the scope and capacity of commercial cyber risk insurance are growing, ever-advancing technologies continue to spawn
new and emerging risks and accentuate the importance of internal
controls over organizational risks. The adage “an ounce of prevention is worth a pound of cure” has never been more appropriate
when it comes to preparing an organization for a cyber attack that
can cost millions of dollars in remedial expenses, lost productivity, and reputational damage. Given the frequency of data breaches
caused by internal negligence and/or persons with legitimate access,
organizations should place cyber risk high on their list of operational
risks and consider an enterprisewide strategy for the prevention and
mitigation of the inevitable occurrence of a cyberattack.
Significant data breaches that have occurred recently offer
important lessons for those organizations that are paying attention to the risk:
■ Not all data represent the same exposure to risk. Identifying, prioritizing, and segregating personal and confidential data by risk exposure can reduce both the scope of prevention-management activities and potential costs in the event of a data breach.
■ Operational risks, including cyber risks, are enterprisewide exposures. Develop, communicate, and monitor strict adherence to comprehensive data security policies and procedures among all employees.
■ Most data breach notification laws have exceptions for encrypted data. Ensure that all sensitive data are subject to state-of-the-art encryption technologies.
[Figure 3 data (share of average data breach cost): Lost Business 63.5%; Ex Post Response 23.1%; Notification 7.9%; Detection and Escalation 5.4%. Source: 2011 Annual Study: Cost of a Data Breach, Ponemon Institute, March 2012]
■ To ensure business continuity after a data breach has occurred, organizations must review commercial insurance coverage against various direct and indirect costs from the event. In addition, this analysis should include developing strategies to control the costs resulting from loss of business and damage to reputation.
Although it is virtually impossible to safeguard an organization entirely against a data breach, a proactive and systemic
approach to enterprisewide cyber risk management has been
shown to reduce both the incidence and the costs of such an
event. As is the case with homeowners who take common-sense
steps to minimize the potential for a break-in or robbery, an
organization that takes appropriate preventive measures can
cause a potential cyber criminal to move on to an easier target.
PETE S. RAUNER, a fellow of the Casualty Actuarial Society
and a member of the Academy, is senior consulting actuary with
Pinnacle Actuarial Resources Inc. in Bloomington, Ill.
This article is solely the opinion of its author. It does not express the official
policy of the American Academy of Actuaries; nor does it necessarily reflect
the opinions of the Academy’s individual officers, members, or staff.
JUL | AUG. 12 CONTINGENCIES 21