Data Breach Recovery Costs Are Climbing: Insights for Cyber Insurance Companies

Key Takeaways:

  • New cybercrime trends and inflationary pressures are increasing the cost of data breach recovery.
  • Breach notifications and forensic analysis costs influence the losses and legal exposure from cyber events.
  • Cyber insurance companies need to explain these cost considerations when recommending business interruption coverage.
  • Thoughtful incident response and data analysis can help contain legal exposure and loss following a cyber event.

Cyber threats continue to hit individuals, families and businesses, and data breaches are larger and more damaging than ever. Against that backdrop, rising policyholder interest in cyber insurance coverage is understandable. The challenge for insurers is building a cyber program that stays profitable and sustainable as claims and losses climb.

Growing data breach recovery costs have recently added new headwinds for cyber insurance companies protecting personal and commercial line policyholders. While the cyber insurance market is expected to reach $16.3 billion this year, new inflationary pressures, rising legal expenses and more business interruption claims are eroding the margins of insurers looking to make their mark.

When underwriting policies and managing claims, cyber insurance companies need to keep the following considerations top of mind.

1. Forensic analysis of exposed data

Following a cyber attack, a critical first step is digital forensics and incident response (DFIR). The process determines the scope of the breach: how the threat actor gained entry (the root cause), what data was compromised, and whose information was exposed. The forensic findings inform not only the response to the current event but also the changes needed to prevent a repeat.

Because DFIR services are highly specialized and in demand, the costs can be significant. Investigations typically involve coordinating with the organization’s information technology (IT), information security (InfoSec) and compliance teams, as well as retaining third-party consultants with DFIR expertise. A continuing shortage of cybersecurity talent keeps pushing hourly rates higher, and the licensing of the advanced tools required can also be expensive.

The sophistication of today’s attacks and the complexity of modern IT environments make investigations more time consuming, which increases billable hours. Data mining and document review expenses, combined with the fees for documenting and reporting findings to regulators and legal counsel, have become a cost multiplier.

2. Rising legal expenses and exposure

Cyber attacks and data breaches have long generated sizable attorney fees, but recent changes are escalating the potential for legal expenses and losses. In multiple states, courts have certified class action lawsuits with far fewer potential victims than was typically required. Breached organizations now face threats of suits involving as few as 200 individuals, while plaintiffs’ attorneys grow more aggressive. As a result, a company’s legal team must spend more time examining the forensic findings, documenting the company’s defenses and negotiating potential settlements.

Organizations must also be mindful of their own actions in the wake of an incident. Delays in notifying potential victims can be viewed negatively in any subsequent legal proceeding, resulting in greater damages being awarded and increased regulatory scrutiny.

Given the increased legal exposure, insurers should ensure policyholders’ cyber insurance policies carry limits that cover related legal expenses. Insurers should also provide incident response services that include access to lawyers who specialize in cyber incident cases.

3. Business interruption coverage and claims

One effect of cyber incidents, whether accidental or malicious, is the potential for significant losses from unexpected downtime. Those losses are why business interruption (BI) ranks as the second-highest risk among surveyed organizations.

BI insurance covers net income lost due to an unexpected closure. Unlike other covered events such as natural disasters, which have a more established loss history, a cyber incident may exhaust a policy’s limits more quickly. As a result, the insurer may need to reevaluate coverage levels and premiums.

Given the accelerating cyber threats to commercial policyholders, successful BI coverage requires insurers to concentrate on accurate underwriting and risk assessment.

4. Breach notification requirements and costs

One of the fastest-growing costs following a cyber incident is breach notification. Several factors drive this increase.

First, the country’s biggest postal rate increase takes effect on July 13, significantly raising the cost of mailing breach notification letters. Pitney Bowes reports that mailing service costs will rise 7.4% on average. Given the number of potential victims breached organizations must notify, the jump in postage will be felt acutely.

Compounding that price increase, some states and industry regulators have proposed expanding what data qualifies as personally identifiable information (PII). A broader definition of PII would require more individuals to be notified if their data is suspected of having been exposed.

Over the past few years, companies have adopted a broader approach to breach notification. Regulators often view this favorably because it shows concern for the largest group of potential victims.

That approach is becoming unsustainable, however. The postage increase alone strains the financial resources available for response. And when more individuals are notified, the pool of potential plaintiffs that class action attorneys can recruit grows with it.

While casting a wide net may be the most cautious action, notifying only those actually affected makes the most business sense. There are ways organizations can better identify the individuals whose data was compromised, including:

  • Detailed data mining. As part of incident response, data mining of the affected systems can establish clear parameters for the PII potentially exposed in an attack: which records, which fields and which individuals.
  • Cross-referencing internal files. The way company data is organized may suit daily operations, but it is not always clean enough for notification. Following a breach, records analysis must find and reconcile duplicate accounts, outdated addresses, name changes and so on; otherwise notification is messy, slow and costly.
  • Validation of customer records. Working with incident response specialists who can validate the mined data against current, clean and established consumer records further reduces inaccuracies and streamlines notification.

These steps come at a cost but, as the saying goes, “an ounce of prevention is worth a pound of cure.” Breached organizations should responsibly reduce the population they must notify to limit their legal exposure. A thorough data mining, cleaning and validation cycle helps ensure that the individuals at risk are notified, that those not at risk are not alarmed, and that the potential impact of legal action is reduced.
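As an added example (not code from the article or its author), the reconciliation step described above written out in Python: it collapses duplicate rows for the same person, applies a notification rule, replaces outdated names and addresses from a current customer master, and keeps anyone it cannot match for manual review rather than silently dropping them. The field names, the rule that a name paired with an SSN, date of birth or account number triggers notification, and every sample record are assumptions constructed for this example.

```python
"""Build a de-duplicated breach notification list from messy exposed records.

Assumed (not from the article): exposed rows are dicts with optional keys
customer_id, name, email, address, ssn, dob, account; the current customer
master is keyed by customer_id; notification is triggered by a name plus at
least one sensitive element. All sample data below is constructed.
"""
import re
from dataclasses import dataclass, field

SENSITIVE_FIELDS = ("ssn", "dob", "account")  # assumed notification trigger


def norm_text(s):
    """Casefold, drop punctuation (keeping @ and .) and collapse whitespace."""
    if not s:
        return ""
    s = re.sub(r"[^\w\s@.]", " ", s.casefold())
    return re.sub(r"\s+", " ", s).strip()


def norm_email(s):
    return norm_text(s).replace(" ", "")


def is_notifiable(rec):
    """A bare email with nothing else does not qualify under the assumed rule."""
    has_name = bool(norm_text(rec.get("name")))
    has_sensitive = any(rec.get(f) for f in SENSITIVE_FIELDS)
    return has_name and has_sensitive


def identity_key(rec):
    """Collapse duplicates: stable customer_id first, else normalised email,
    else normalised name plus DOB. Rows for one person that carry an id in
    some rows and only an email in others are not linked by this simple key."""
    if rec.get("customer_id"):
        return ("id", str(rec["customer_id"]).strip())
    if rec.get("email"):
        return ("email", norm_email(rec["email"]))
    return ("name_dob", norm_text(rec.get("name")), norm_text(rec.get("dob")))


@dataclass
class Individual:
    key: tuple
    name: str = ""
    address: str = ""
    sensitive: set = field(default_factory=set)
    sources: int = 0          # how many exposed rows collapsed into this person
    needs_review: bool = False


def build_notification_list(exposed, master):
    """Return (to_notify, not_notifiable, review): one Individual per distinct
    person, the count of rows holding no notifiable PII, and the people with
    no master match and no usable address (kept for manual review)."""
    by_email = {norm_email(m["email"]): m for m in master.values() if m.get("email")}
    people, not_notifiable = {}, 0
    for rec in exposed:
        if not is_notifiable(rec):
            not_notifiable += 1
            continue
        key = identity_key(rec)
        person = people.setdefault(key, Individual(key=key))
        person.sources += 1
        person.name = person.name or (rec.get("name") or "").strip()
        person.address = person.address or (rec.get("address") or "").strip()
        person.sensitive.update(f for f in SENSITIVE_FIELDS if rec.get(f))
    review = []
    for person in people.values():
        kind, value = person.key[0], person.key[1]
        cur = master.get(value) if kind == "id" else by_email.get(value) if kind == "email" else None
        if cur:                       # current master wins over the stale export
            person.name, person.address = cur["name"], cur["address"]
        elif not person.address:
            person.needs_review = True
            review.append(person)
    return sorted(people.values(), key=lambda p: p.name), not_notifiable, review


EXPOSED = [  # constructed rows from the "breached" export
    {"customer_id": "1001", "name": "Ana Ruiz", "email": "ana.ruiz@example.com",
     "address": "12 Old Rd", "ssn": "***-**-1234"},
    {"customer_id": "1001", "name": "ANA RUIZ ", "email": "Ana.Ruiz@Example.com",
     "address": "12 Old Rd", "dob": "1980-03-04"},            # duplicate account
    {"name": "Ben Okafor", "email": "ben@example.org", "dob": "1975-11-30"},
    {"name": "Ben Okafor", "email": " BEN@example.org", "account": "ACCT-77"},
    {"email": "newsletter@example.net"},                        # no notifiable PII
    {"name": "Chen Wei", "ssn": "***-**-9876"},                 # no id, email or address
]
MASTER = {  # constructed current customer master
    "1001": {"name": "Ana Ruiz-Santos", "email": "ana.ruiz@example.com", "address": "48 New Ave"},
    "2002": {"name": "Ben Okafor", "email": "ben@example.org", "address": "7 Lake St"},
}

if __name__ == "__main__":
    notify, skipped, review = build_notification_list(EXPOSED, MASTER)
    print(f"{len(EXPOSED)} exposed rows -> {len(notify)} individuals to notify, "
          f"{skipped} rows without notifiable PII, {len(review)} for review")
    for p in notify:
        print(f"  {p.name:18} {p.address or '(no address)':14} fields={sorted(p.sensitive)}"
              f" rows={p.sources}{'  REVIEW' if p.needs_review else ''}")
```

Six exposed rows collapse to three people: the two Ana rows merge and pick up her current name and address from the master, Ben's two rows merge through the normalised email, the newsletter-only row is excluded under the assumed rule, and Chen Wei stays on the list but is flagged for review because no current address could be found.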

Containing costs and reducing risks

Cyber incidents have always been costly, but inflation and recent cybercrime trends are adding to the financial burden. Insurance companies advising policyholders and evaluating coverage need to take these cost increases into account. By connecting policyholders with proactive cybersecurity solutions, threat monitoring tools and incident response services, insurers can help manage risk for clients and protect the bottom lines of their cyber insurance programs.

For more guidance on enhancing your cyber insurance program by offering incident response services, visit TruEmpower™ Incident Response Solutions.