A Blog on managing risk in the Technology Sector

Managing Risk in the Tech Sector

Leave a comment

Hurricane Sandy: Negotiating an insurance claim is an art not a science

According catastrophe modelling firm Eqecat, ‘Superstorm’ Sandy could result in up to $20bn in insured losses – possibly making it the third costliest storm in US history. Total economic damage will be in the range of $30-$50bn. The estimates seem to be increasing by the day as the real impact of the hurricane is realized.

As New York slowly starts to return to work, those of us in the insurance industry are expecting a potential unprecedented number of claims to be made. What is less sure, is how the insurance carriers and how the policy language will respond.

As with all insurance contracts, the devil will be in the detail. Policyholders who have suffered a loss and will be submitting a claim should review their policy wording with their broker to determine:

  • Do their policies cover business interruption losses as a result of government action e.g. evacuation by order of government or is coverage contingent upon material damage?
  • Property damage has been caused as a consequence of wind, water damage, snow, fire, inland flooding and storm surge. Determining the cause of the loss for a claimant could be vital to coverage – for example most policies that exclude storm surge flood coverage afford limited coverage for flooding caused by sewer or drain back-up.
  • Other businesses may suffer a loss due to the impact of the storm on their customers or suppliers. Some insurance policies cover these types of contingent business interruption losses others will not.
  • Sandy was downgraded to a post-tropical storm just before it made landfall in New Jersey. This fact has one important consequence to insurers and policyholders – will insurers be able to enact a hurricane deductible, typically a % of the loss, as opposed to a flat deductible. The states of New Jersey and Maryland have already issued bulletins stating hurricane deductibles should not apply.

Insurers could be exposed to different rulings on coverage as each underlying policy would be subject to its own governing law and jurisdiction from state to state.  CBS news reported that the Hurricane’s impact covered across 20 states.

The good news is, despite suffering through a soft pricing market since 2005, as a whole the industry is well capitalized to withstand this type of loss. However, one of the first things I learnt when entering the insurance industry is that a policy is only a promise to pay and not all promises are equal.

Responding to and adjusting a large property and business interruption loss is an art, not a science and this is where appropriate contingency planning and broker loss adjusting support can really matter. At Bartlett, we employ a ‘Major Loss Advisor’ to respond to these kinds of losses. This ensures that the loss adjusting process is managed with minimal hassle and maximum support and our clients insurance policies respond as they were designed to – in our clients’ best interests.

Leave a comment

The Cost of a Data Breach – $3.94 or $194 per record? Unpicking the numbers.

Data breaches and identify theft is a common news story nowadays.

Although it’s usually the more high profile cases such as Sony, Linkedin, Wyndham Hotels and Zappos that you tend to read about, smaller and medium size companies are frequently the victims  of malicious or criminal attacks leading to data theft or inadvertently breach customer or third party data through negligence of their employees or ‘glitches’ in their IT systems.

According to the Identity Theft Resource Center, 23 million confidential records were exposed in 2011. 2011 also saw the expansion of what courts consider to be personally identifiable information (PII). After breaches at marketing firms Epsilon and Silverpop, email addresses are arguably considered as PII. The broadening of this definition, places further burdens on companies to ensure they comply with the notification requirements enshrined in both state and federal law, following a breach involving personal information.

Data breaches and cyber crime can cost organizations millions in fines, legal damages, notification costs, public relations expenses and loss of profits.  In a recently released report by NetDiligence, the average cost per breach was $3.7m, with the average cost per record at $3.94 per record. This data was driven from 137 insurable events that occurred between 2009 and 2011. As the report correctly points out the sample is a small subset of total data and only focuses of those costs which the insurance carriers incurred.

Another authoritative report is the annual benchmark study carried out by the Ponemon Institute. In 2011’s study, the cost of a data breach was reported at $194 per record and $5.5m per breach.

So which number is correct?

The Ponemon report studies 49 U.S. companies in 14 different industries and examines a wider range of business costs following a data breach including expense outlays for detection, escalation, notification, impact of lost business and cost of increased customer turnover or churn. As the NetDiligence report also points out – we shouldn’t get too hung up on the cost per record. Although notification costs will correlate to the number of records, the legal and forensic costs are more likely to correlate to the complexity of the breach and the specific requirements of the industry.

As one study focuses on insurable costs and the other on total business costs, we can infer a number of conclusions from the studies:

(1) Not all your exposure is insurable – it’s important your broker or risk manager is able to clearly articulate what coverage is being offered. Cyber insurance is constantly changing and responding to emerging risks and new legislation. As there is no standardized form in the market place, as a buyer you must be fully informed of the coverage and exclusions being offered. Don’t stick your head in the sand and wait for a claim to come in!

(2) Only 10% of the NetDiligence study sample includes first party claims. That is first party expenses (excluding notification costs and other ‘crisis’ services) and loss of profits following a data breach. The variance between the two studies, would suggest that first-party losses make up the bulk of an organization’s exposure.

(3) As the Ponemon study notes, companies are becoming better at employing data loss prevention strategies and response plans. Those companies that are better prepared benefit from reduced losses when a data breach occurs. The Leading insurance carriers will offer support in implementing such strategies and plans as part of their overall service –indeed cover will often be contingent on implementing such controls. The variance in costs may also indicate that the insurance carriers are underwriting the better quality risks.

The overall variance between the two studies show that risk transfer through insurance is not a panacea but only one of several strategies companies should employ to reduce their exposure to data breaches. Those companies working in the financial services, healthcare, retail and technology sectors continue to have a significant exposure.