Some security pros would argue that it’s less a question of whether your company’s confidential files will get hacked than it is a matter of when.
If it seems as though no one is safe, 4.2 million active and former federal workers would agree with you. The theft of their personal information was revealed this month. That was the same week when local medical software company Medical Informatics Engineering acknowledged its own breach of private patient information.
Other high-profile hacking victims have included Chase, Home Depot, Target, Anthem, Staples, Kmart, Dairy Queen and SuperValu. The number of individual victims of identity fraud was a staggering 12.7 million last year, according to Javelin Strategy & Research.
The insurance industry has responded with policies that cover data breaches. Some local companies have embraced the protection, and others say they are too busy taking care of business to investigate the option.
Jeff Donnell, Medical Informatics Engineering’s vice president of marketing, last week said his firm is covered. The biggest advantage, he said, is that it offers policyholders access to experienced, independent legal and forensics consultants after a hacking incident. The experts are still trying to determine how many individuals’ information might have been compromised in the attack, which was detected May 26.
"Without question, having that insurance in place has been a tremendous asset as we work on recovery," Donnell said.
Cyber insurance has exploded into a $2 billion industry, with demand doubling or tripling in some areas in each of the past two years, according to Financial Services Roundtable, a Washington, D.C., banking advocacy group. Annual sales of the policies totaled less than one-tenth of that amount just 12 years ago.
PricewaterhouseCoopers, one of the public accounting firms that recommend cyber insurance to clients, advised in a paper published last year that corporate executives must step up and understand the risks – and stop labeling data security as a problem best delegated to information technology staff.
Rae Pearson, founder and president of Alpha Rae Personnel Inc., said her Fort Wayne staffing firm has had coverage for some time.
"It’s important, particularly if you do things online, to protect the customer," she said.
Her policy protects the company if an employee breaches confidentiality or commits fraud. Pearson considers it a cost of doing business.
Karen Cameron, executive vice president of Fort Wayne-based iAB Bank, said the business has cyber insurance. It made sense to secure coverage, she said, because of the prevalence of hacking attacks and stringent regulations imposed by the banking industry.
But iAB doesn’t rely exclusively on that policy’s protection, she said.
Bank officials focus on policies and procedures designed to lessen their risk of identify theft. They also try to educate customers about ways to protect themselves, she said.
The company’s policy pays for breach-related expenses, including business interruption, crisis management and the costs of creating and mailing new account cards to customers.
More than 50 companies issue policies, including AIG, Travelers and Lloyds.
Cyber Data Risk Managers is a broker specializing in cyber insurance in the U.S. and Australia. The firm gives prospective clients a taste of how much they can expect to spend.
A fiber optics communications provider with $35 million in revenue would pay about $47,000 in annual premiums for $10 million in cyber coverage. A financial services provider with $100 million in revenue would pay about $37,000 in premiums for $1 million in coverage.
Meanwhile, a social worker with a $120,000 salary would pay $859 a year for coverage of claims up to $1 million.
The brokerage offers more than two dozen examples of premiums based on policies with payout potential of $1 million or more because getting hacked can get expensive – fast.
Victims often lose customers and jobs after an event, Financial Services Roundtable said. After being hacked, companies typically have to bring in experts in data security, invest in upgraded systems, conduct investigations, notify affected customers, pay for identify theft protection and repair their reputations.