
Should Retailers Invest in Cyber Liability Insurance?

June 4, 2024 By: Jane Genova

Should retailers, ranging from the Fortune 100 to the mom-and-pop boutique, purchase cyber liability insurance?

Since the Target credit card breaches, the availability of that category of insurance has gone down and the price has gone up for retailers. Unlike other industries, retailers are not benefiting from the increased competition among insurers that offer this special kind of coverage.

Ten years ago, cybersecurity protection was just being introduced as a new kind of product by insurance companies. Today it has gone mainstream.

In 2013, according to insurance brokerage firm Marsh LLC, sales were up 20 percent. During that time, the Ponemon Institute estimates that each data breach cost affected organizations, both private sector and nonprofit, $5.4 million on average. That represented an increase in cost of 26 percent from 2012.

The cost of the protection depends on what kind of policy is selected. For a large non-retail organization, the cost per $1 million in liability coverage limits could range between $17,500 and $50,000.

Just as applying for a mortgage involves a FICO score, in cybersecurity, coverage eligibility and cost are increasingly determined by a “security risk score.” One company that calculates such a score, based on big data analytics, is BitSight.

There is a broad range in what’s covered.

The options include costs for the actual data loss, forensic analysis, monitoring of affected customers’ credit accounts, public relations services for reputation management, paying off hackers to cease the attack, lawsuits, and augmenting bandwidth to assist with ending an attack.

It is rare that any policy will cover all the risk. What is not covered in any policy is the intellectual property itself.

On the one hand, all retailers that are public companies have an incentive to buy this insurance as a way of reassuring investors. Shareholders need to know whether the risk is covered and how much of it.

As of October 2011, the Securities and Exchange Commission (SEC) requires the reporting of cyber risk in all financial documents. A 2014 study of those filings by risk advisor and insurance broker Willis Group Holdings found that nine percent of retailers did not note any cyber risk.

Since that statistic has been heavily covered in the media, those nine percent of retailers will likely come under SEC scrutiny. Why didn’t they make note of risk in their financial documents?

They could be in denial. They could be concealing vulnerabilities. In addition, they might not have made public any attacks which had occurred.

Or, and this would argue against purchasing cyber insurance, they could have determined that they already have adequate technical preventive measures in their infrastructure.

Also, they might have already adopted encryption for credit card processing.

Since the change-over from credit cards with magnetic stripes to EMV is expensive and could drive away customers, they might not want to take on the added cost of cyber insurance. They may also be aware that such an “investment” would drive up their cost of doing business, which is not easily passed on to the customer in such a competitive retail environment.

For the non-public retailer, perhaps a mom-and-pop boutique, the risk may seem too abstract.

This group likewise might not see cyber insurance as necessary. Denial tends to be epidemic in the retail industry. Because of that, the small player would tend to rule itself out as a likely target. Why pay for cyber insurance when they are already burdened with paying for the risk of theft, fire, and slip-and-fall claims?

On the pro side for purchasing cyber insurance, more insurers are excluding any coverage of liability for events associated with electronic data from traditional policies. That leaves retailers completely exposed to the risks involved.

Also, as Target and other retailers abruptly learned, the bad guys tend to be one or more steps ahead of them. In its 2014 annual survey of cybercrime in the US, PwC was pessimistic about whether organizations were well positioned to prevent, never mind effectively respond to, future forms of hacking.

It is possible that large or technologically ahead-of-the-curve retailers already have in place what they need to protect themselves.

The small ones might view it as more financially prudent not to spend on cyber insurance. However, given the track record of hackers surprising with their choice of targets and methods, it seems that, if retailers are eligible to buy cyber insurance, they should.