The Cost of Security Breaches

Security breaches are expensive to the company,
insurance company and the customer


Because we live in an insurance-minded world, you might think a company doesn't have to pay out all that much in the aftermath of a security breach. The typical offer to affected customers/clients is a year of identity-monitoring services with the three major credit bureaus, and a lot of people assume insurance covers that.

Surprise! Not all insurers do.

Cyber insurance is pick-and-choose coverage: what a company buys depends on what it is willing to pay for and what it thinks it needs. You would expect the bigger company to carry the better coverage and the smaller company to have little, if any, at all. With each new breach we learn more about what the insurance actually covers and whether the company was adequately covered.

WHAT THE INSURANCE PAYS FOR

The majority of cyber insurance policies will pay for investigating the breach, repairing networks damaged by malware or viruses, covering the fraudulent charges on each affected cardholder's account, helping defend the subsequent lawsuits and retraining employees (in-service sessions) on security practices.

WHAT THE BREACHED COMPANY PAYS FOR

For each person who contacts the company claiming to have been affected by the breach, the company must first pay for an investigation to make sure the claim is not fraudulent, and only then pony up the funds for that person's year of monitoring services.

The company also covers the cost to each card issuer/bank of reissuing cards to everyone affected by the breach, as well as the brunt of the lawsuits and all of the settlements. It pays its legal consultants and cyber-security consultants to come in, repair the damage, evaluate how to "fix" the underlying weakness and help make sure it doesn't happen again.

But most of all, companies have to deal with the fallout of declining sales and lost customer faith and patronage. A company with public shareholders will likely also face a falling stock price and investors who want to bail out and sell. If it is fortunate, its Board of Directors may authorize a buyback of the stock to shore up the share price.

Security breaches are not cheap, and the bigger the breach, the more it costs the company.

According to insurancejournal.com:



 "Target said of the $61 million in expenses related to the breach during the quarter, $44 million were offset by an insurance payment, bringing the impact to $17 million. Mark Rasch, a former cyber crimes prosecutor who worked on some of the biggest U.S. payment card breach cases, said that it was too early to estimate how big the bill would be, but it would certainly be in the hundreds of millions of dollars and could top $1 billion. “We know it is going to be big. We just don’t know how big,” he said. Target has declined to discuss exactly what sorts of costs its cyber insurance will cover or identify its insurers."

According to krebsonsecurity.com:



$53.7 million is Krebs' estimate of the "income that hackers likely generated from the sale of 2 million cards stolen from Target and sold at the mid-range price of $26.85 (the median price between $18.00 and $35.70)."

According to Brian Krebs' column on theguardian.com:


"Target is updating its cash registers to use so-called "chip-and-pin" technology, which makes it far more difficult and costly for crooks to create counterfeit credit cards ... while doing absolutely nothing to prevent the theft of the card data itself. The US is already embarrassingly far behind the rest of the world in its adoption. And as every other country that long ago moved to chip-and-pin can attest, this approach alone shifts more of the fraud to e-commerce transactions, where merely knowing a card number and expiration date is enough to push through gobs of fraudulent shoe purchases.



"There is an easy fix: if Target or Wal-mart adopted end-to-end encryption, the incentive for fraudsters to target payment terminals at all would be effectively removed, instantly. The data gets encrypted, and hackers have to go somewhere else – the bank or a processor – for a shot at your information. But there has been far too little discussion in the retail industry about adopting this additional security protection – mostly because it's much more costly to justify the expense in the short run."
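As an added illustration of the end-to-end encryption Krebs describes above (example code written for this page, not Target's, Wal-mart's or any payment vendor's implementation), here is the difference between a register that receives card data in the clear and one whose PIN pad encrypts it before it ever reaches the register. The example assumes the attacker harvests track data by scanning the register's memory for card-number patterns (the page does not say how the Target data was taken); it uses X25519 plus AES-256-GCM with a hashed shared secret in place of the DUKPT per-transaction key scheme real terminals use; and the track-2 sample is constructed from a test card number, not a real card.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"regexp"
)

// Constructed sample in track-2 layout: ;PAN=YYMM service-code discretionary?
// The PAN is a well-known test number, not a real card.
const sampleTrack2 = ";4111111111111111=25121010000012345678?"

// track2Pattern is a toy stand-in for the signatures a memory scraper hunts for:
// start sentinel, 13-19 digit PAN, field separator, YYMM expiry.
var track2Pattern = regexp.MustCompile(`;[0-9]{13,19}=[0-9]{4}`)

// Envelope is what an encrypting PIN pad hands to the register: an ephemeral
// X25519 public key and an AES-256-GCM ciphertext only the processor can open.
type Envelope struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// newProcessorKey generates the processor's long-term key pair; the public
// half is what would be provisioned into every PIN pad.
func newProcessorKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// aeadFor derives an AES-256 key from the ECDH shared secret. Hashing the raw
// secret is a simplification of the per-transaction key derivation real
// P2PE deployments use (DUKPT).
func aeadFor(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// pinPadEncrypt runs inside the tamper-resistant PIN pad: the track data is
// encrypted before it crosses the cable to the register software.
func pinPadEncrypt(processorPub *ecdh.PublicKey, track []byte) (Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	shared, err := eph.ECDH(processorPub)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := aeadFor(shared)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{eph.PublicKey().Bytes(), nonce, gcm.Seal(nil, nonce, track, nil)}, nil
}

// processorDecrypt runs at the payment processor, the only party holding the
// private key. A modified envelope fails the GCM tag check and returns an error.
func processorDecrypt(priv *ecdh.PrivateKey, env Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// legacyRegisterMemory models a register fed cleartext track data by a plain
// card reader and buffering it until authorization.
func legacyRegisterMemory(track []byte) []byte {
	return append([]byte("AUTH-BUFFER:"), track...)
}

// p2peRegisterMemory models the same register when the PIN pad encrypts: the
// register only ever buffers the opaque envelope.
func p2peRegisterMemory(env Envelope) []byte {
	mem := append([]byte("AUTH-BUFFER:"), env.EphemeralPub...)
	mem = append(mem, env.Nonce...)
	return append(mem, env.Ciphertext...)
}

// scrapeRegisterMemory is the attacker's view: the register's memory searched
// for track-2 signatures, exactly what a RAM scraper does.
func scrapeRegisterMemory(mem []byte) []string {
	return track2Pattern.FindAllString(string(mem), -1)
}

func main() {
	priv, err := newProcessorKey()
	if err != nil {
		panic(err)
	}
	fmt.Println("legacy register, scraper finds:", scrapeRegisterMemory(legacyRegisterMemory([]byte(sampleTrack2))))
	env, err := pinPadEncrypt(priv.PublicKey(), []byte(sampleTrack2))
	if err != nil {
		panic(err)
	}
	fmt.Println("P2PE register, scraper finds:", scrapeRegisterMemory(p2peRegisterMemory(env)))
	plain, err := processorDecrypt(priv, env)
	fmt.Printf("processor recovers: %s (err=%v)\n", plain, err)
	env.Ciphertext[0] ^= 1
	_, err = processorDecrypt(priv, env)
	fmt.Println("tampered envelope at processor, err:", err)
}
```

The point the code makes is the one in the quote: once the PIN pad encrypts, the register and everything that can read its memory only ever hold ciphertext, so the attacker's next useful target is the processor that holds the private key. The GCM tag also means anyone who tampers with the envelope in transit gets a decryption failure rather than a silently altered transaction.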



Sources: insurancejournal.com, krebsonsecurity.com, theguardian.com
