Target’s massive security breach could well be, in Malcolm Gladwell’s vernacular, a “tipping point” that dramatically changes the way companies view cyber-risk, cybersecurity and insurance.
I floated the idea by my good friend and computer security consultant Scott Aurnou. He responded that it would be the first time a serious breach triggered a needed change in the corporate viewpoint. Fair point.
Serious breaches hit the headlines every day. They are ubiquitous. So one would think that cybersecurity already would be front and center on the corporate stage. But it’s not.
Despite the pervasiveness of cybersecurity incidents, and the ever-increasing and evolving cyber-risk threat, a January 2014 Ponemon Institute study found that only 20 percent of IT professionals frequently communicate with C-Suite executives about potential cyberthreats. That is troubling.
In addition, notwithstanding SEC guidance advising that appropriate disclosures would include a description of cybersecurity insurance, the majority of companies do not purchase cybersecurity insurance.
But cybersecurity is ripe for a tipping point. Why might Target be that tipping point? Because Target is unique.
For starters, the Target breach is the largest and most prominent in recent history. Most breaches, even serious ones, are in and out of the news pretty quickly. Not Target. Having already garnered extraordinary media attention, Target remains in the daily headlines — an ever-present reminder to executives of the parade of horribles that follows in the wake of a breach.
Likewise, while most organizations suffering a data breach of any consequence inevitably will incur significant costs for forensics, breach notification, credit monitoring and other crisis management activities, the Target breach is a tale unto itself. Since the breach, more than 70 putative class actions have been filed against Target. Yes, you read that right — 70.
Target’s directors and officers face shareholder derivative litigation alleging a drop in share price of more than 10 percent. Its executives testified Feb. 4 before the Senate Judiciary Committee. Financial institutions are now pursuing Target for reimbursement of their costs for issuing replacement credit and debit cards. It goes on and on.
Can any company seriously debate the importance of heightened attention to cybersecurity at the C-Suite level?
The Target insurance tale is also unique to say the least. Insurance can be a pretty dry subject of discussion. But the Target breach insurance tale is cloaked in mystery and suspense.
It was first reported that Target did not have cybersecurity insurance. Then, Business Insurance broke the news Jan. 19 that Target has at least $100 million of cybersecurity insurance. The retailer declined to comment. As my friend Randy Maniloff remarked in his Coverage Opinions newsletter, it’s not often that insurance news stories read in such “cloak and dagger” terms.
The critical role that cybersecurity insurance can play in a company’s overall strategy to address and mitigate cyber-risk remains elusive to approximately 70 percent of companies. A recent study reported by the Wall Street Journal found that only 31 percent of companies have cybersecurity insurance.
Unlike other types of insurance, cybersecurity insurance policies commonly provide “first dollar” coverage for forensic investigation, breach notification and other “crisis management” expenses, and offer pre- and post-loss risk management services, including cybersecurity and incident response templates.
After a breach, the policies can afford access to established industry experts. All of this greatly assists in mitigating ultimate exposure. And the application process itself shines a spotlight on the company’s current cybersecurity risk management practices and is likely to reveal potential cybersecurity weaknesses that should be addressed.
Every company should appreciate that it is a vulnerable next “Target” for a serious cybersecurity incident. It is time for elevated attention to cybersecurity. In addition, because even the most robust and sophisticated network security will fail — no firewall is unbreachable, no security system impenetrable — all organizations should be considering cybersecurity insurance as part of their overall strategy to address and mitigate cyber-risk.
Roberta D. Anderson is a partner at the law firm K&L Gates LLP and a member of the firm’s global insurance coverage and cyberlaw and cybersecurity practice groups. The views expressed in this opinion are her own and do not necessarily reflect those of her firm or its clients.