This is the third blog in a series in which I have discussed the overarching categories of cyber incidents, and then the event vectors that can lead to data compromise loss. In this post I will outline one of the most useful new modeling features in this summer’s release of ARC (Analytics of Risk from Cyber), which is the ability to break out the losses by insurance coverage.
Insurance Cover Buckets
After a thorough review of the cyber insurance landscape, we have chosen to split the losses into 14 different categories. This allows our users to enter policy terms specific to each type—for example, if a policy doesn’t cover one of these or if one of them is sublimited—to ensure that the gross losses calculated by the model most accurately represent the intended financial terms of the insurance contract. Because dealing with the legalese concerning 14 coverages can be overwhelming, this blog will give a layperson’s definition of each. (As a disclaimer, I am a modeler and not a lawyer, so please always work with your legal team to ensure that the contract wording meets your company’s needs.)
Call center costs: When a major breach happens, lots of unhappy customers will need information on how to repair their credit, get credit monitoring, learn if they were part of the breach, etc. Call center costs cover the fees associated with setting up a hotline for potentially impacted customers to call to get information about the incident.
Communication costs to regulators: If there is a breach of certain types of records (medical, credit card, and others), this must be communicated to regulators in a specific time period. This coverage helps with those associated costs.
Credit/identity monitoring: When credit card, medical data, or other protected personal information is breached, companies offer a year or two of credit and identity monitoring services. These services can be quite expensive, hence the need for this coverage.
Crisis management: These are costs associated with managing the overall company posture when it suffers a breach. In some cases, an external breach coordinator or coach is brought in to oversee all the aspects of recovering from a cyber incident.
Extortion: While this coverage includes ransom payments made in response to ransomware demands, it also can cover more traditional cyber extortion losses. For example, it could cover the payment if a bad actor breaches data and says they will release it unless a payment is made.
Cyber forensics/incident remediation: When an incident happens, it’s critical for a company to understand what happened, and try to prevent it from happening again in the future. This coverage allows the company to pay for a forensics team to conduct an investigation.
Funds transfer fraud: This category covers bad actors hacking banking information to maliciously transfer money. We have kept these costs as a separate coverage, as some traditional cyber policies do not cover these losses.
Legal defense costs: When an incident happens, customers and clients will in many cases threaten legal proceedings or actually initiate them. This coverage is for the costs associated with bringing in a legal team to help respond to potential litigation.
Notification costs to data breach victims: When data is breached, many companies have an obligation to let their customers know. This involves mailing information out to each impacted individual, which has costs for postage and preparing and printing the information.
PCI & regulatory penalties and fines: When companies face regulatory fines (such as PCI fines, GDPR fines, or similar), some insurance products will cover those costs. Note that in ARC, if you choose to model potential GDPR fines, those are added into this coverage.
Public relations: When a company suffers a cyber incident, their reputation may suffer. This coverage allows a company to bring in a public relations company to put together an action plan to repair their reputation.
Data/asset recovery and reconstruction: In some cyber incidents, it is possible to get data back—potentially from an offsite backup or by removing malware or ransomware from a system. There are steep costs associated with recovering data, and this coverage can help cover those costs.
Third-party liability: In some cases, a lawsuit against a company after a cyber incident will be successful or will be settled out of court. In fact, the vast majority of third-party liability to date has been settled out of court. This coverage can pay those settlements or judgments.
(Contingent) business interruption: Many cyber incidents, especially service provider downtimes and ransomware attacks, will lead to a business interruption cost that can be covered by cyber insurance.
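As an added illustration (this is my own example, not ARC's code or output), here is how per-coverage exclusions and sublimits turn a modeled loss breakdown across the 14 buckets into the gross loss a policy would actually pay; the snake_case bucket identifiers and the sample ransomware scenario are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The 14 coverage buckets from the post (snake_case identifiers are my own shorthand).
COVERAGES = (
    "call_center", "regulator_communication", "credit_identity_monitoring",
    "crisis_management", "extortion", "forensics_remediation",
    "funds_transfer_fraud", "legal_defense", "victim_notification",
    "pci_regulatory_fines", "public_relations", "data_recovery",
    "third_party_liability", "business_interruption",
)

@dataclass
class CoverageTerm:
    """Policy wording for one bucket: excluded outright, or capped by a sublimit."""
    covered: bool = True
    sublimit: Optional[float] = None  # None means no bucket-specific cap

def apply_policy_terms(modeled_loss: Dict[str, float], terms: Dict[str, CoverageTerm],
                       gdpr_fine: float = 0.0) -> Tuple[Dict[str, float], float]:
    """Turn ground-up modeled losses per bucket into the gross loss the policy pays.
    Buckets absent from `terms` are fully covered with no sublimit; a modeled GDPR
    fine is folded into the PCI & regulatory fines bucket, as the post says ARC does."""
    unknown = set(modeled_loss) - set(COVERAGES)
    if unknown:
        raise ValueError(f"unrecognised coverage bucket(s): {sorted(unknown)}")
    ground_up = dict(modeled_loss)
    ground_up["pci_regulatory_fines"] = ground_up.get("pci_regulatory_fines", 0.0) + gdpr_fine
    gross: Dict[str, float] = {}
    for bucket in COVERAGES:
        loss = ground_up.get(bucket, 0.0)
        term = terms.get(bucket, CoverageTerm())
        if not term.covered:
            gross[bucket] = 0.0                        # exclusion: bucket pays nothing
        elif term.sublimit is not None:
            gross[bucket] = min(loss, term.sublimit)   # sublimit caps the bucket
        else:
            gross[bucket] = loss
    return gross, sum(gross.values())

# Constructed scenario: one ransomware event that hits several buckets at once.
SAMPLE_LOSS = {
    "extortion": 750_000.0, "forensics_remediation": 400_000.0, "data_recovery": 300_000.0,
    "business_interruption": 2_000_000.0, "pci_regulatory_fines": 100_000.0,
    "victim_notification": 50_000.0, "funds_transfer_fraud": 80_000.0,
}
SAMPLE_TERMS = {
    "extortion": CoverageTerm(sublimit=500_000.0),       # ransom payments sublimited
    "funds_transfer_fraud": CoverageTerm(covered=False),  # excluded from this policy
    "pci_regulatory_fines": CoverageTerm(sublimit=250_000.0),
}
```

With a modeled GDPR fine of 200,000 added, the fines bucket rises to 300,000 ground-up but is capped at its 250,000 sublimit, the excluded funds transfer fraud pays nothing, and the ransom is held to 500,000, giving a gross loss of 3,500,000 against 3,680,000 ground-up.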
ARC provides the ability to split losses into these various coverages to allow you to better understand the risk in your cyber insurance portfolio. Further granularity in the results can also help drive expansion of coverage in the insurance market. We are very excited for the release of the new version of ARC, and look forward to your feedback on all its new features and models.