Bloomberg recently reported that Equifax Inc.’s insurance against cyber breaches is likely insufficient to cover the credit-reporting company’s costs tied to one of the biggest hacks in history. This hack is particularly ironic as Equifax – the guardian of information used to cast financial judgment on consumers – has itself been unable to guard that information. For that reason alone, the class action suit or suits are likely to be monumental.
According to Bloomberg, Equifax holds cyber-insurance policies that will cover $100 million to $150 million. With 143 million records breached, the insurance would only cover $10 per victim… not including attorney’s fees or any other costs. The breach revealed Social Security numbers, birth dates and driver’s licenses. A multi-billion-dollar class action lawsuit has already been filed, in addition to multiple costly state and federal investigations.
The past few years have demonstrated that cyber-attack is one of the greatest threats many businesses face, and it is only going to get worse. Furthermore, most businesses are underinsured for this risk – in some cases grossly underinsured. Also, while large companies make the headlines for cyber breaches, mid-market and small businesses are not immune. In addition to implementing more robust mitigation approaches, what can mid-market and small businesses do? At a minimum, businesses can significantly bolster their cyber insurance through a captive insurance company. A captive insurance company is described as “captive” because it is typically owned by the business, its holding company or the owner(s) of the operating business(es). Captive ownership reflects a choice to “own your own insurance company.”
Owning a captive is an ideal choice for cyber insurance or excess cyber insurance because the insurance purchased is not a sunk cost, meaning that if the business does not have a claim in a given year, it keeps all the insurance premiums paid as profit in its captive. Cyber losses can be massive, as Target and Equifax have clearly shown us. When facing the prospect of potentially massive losses, most businesses are underinsured, either by choice or because commercial insurers limit their potential losses as well. Target and Equifax are two examples of large corporations with intelligent risk managers, CFOs and CEOs that were severely underinsured for cyber breach. Presumably, Target and Equifax either couldn’t purchase enough cyber coverage commercially or were unwilling to massively increase their insurance budgets (a sunk cost) to address this risk.
An ideal approach to insure against cyber risk is to blend commercial coverage with coverage from a captive. Owning a captive insurance company enables a business owner to be prepared for cyber threats while turning sunk costs into sunk profits.