On Wednesday Reuters published an article on the Target Data Breach that included a look at how cyber liability insurance may help defray some of the breach expenses. From the article:
Target said of the $61 million in expenses related to the breach during the quarter, $44 million were offset by an insurance payment, bringing the impact to $17 million.
Mark Rasch, a former cyber crimes prosecutor who worked on some of the biggest U.S. payment card breach cases, said that it was too early to estimate how big the bill would be, but it would certainly be in the hundreds of millions of dollars and could top $1 billion. “We know it is going to be big. We just don’t know how big,” he said.
Target has declined to discuss exactly what sorts of costs its cyber insurance will cover or identify its insurers.
Insurers offer cyber policies that cover costs for items such as investigating breaches and repairing networks, compensating credit card issuers for fraudulent activity, fighting lawsuits and responding to regulatory probes.
Target said breach-related expenses may include costs for reissuing cards, lawsuits, government probes and enforcement proceedings, legal expenses, investigative and consulting fees, and capital investments.
Where do you see the “final” cost to Target being once all expenses related to this breach are calculated? What impact will this breach have on the overall cyber liability insurance market going forward? Share your thoughts in the comments below, and make sure to attend the 2014 PLUS Cyber Liability Symposium for more discussion and networking with the key players in this growing industry segment.
I think that insurance should play a bigger role in this scenario. The insurance premium level should be related to the types of security controls that the merchant implements.
We know that many PCI auditors are not really skilled to perform a quality PCI audit. The auditors are also selected by each merchant. The insurance premium could reflect the quality level of the compliance and security auditing performed at the merchant.
Some of the auditors are also selling their own security solutions and may not be totally unbiased in the audit they perform.
High quality audits could have helped Target and many other breached retailers to use adequate protection and at minimum follow basic best practices in the IT security area.
I read about retailers that are using best practices in an interesting report from the Aberdeen Group. The report revealed that “Over the last 12 months, data tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users”.
I think that the Aberdeen approach can quickly address some of the urgent issues, while we start working to fix the other problems. The name of the study, released a few months ago, is “Tokenization Gets Traction”.
Ulf Mattsson, CTO Protegrity