Target’s Cyber Insurance: A $100 Million Policy vs. $300 Million (So Far) In Costs

Patterson Belknap Webb & Tyler LLP

When it comes to buying cyber insurance, businesses can take comfort that they have mitigated the financial risks that come with a data breach.  Just not all of them.

Target Corporation’s high-profile hack is a case in point.  In a securities filing last week, Target said costs associated with its 2013 holiday season data breach – which exposed the personal information of more than 100 million customers – are approaching $300 million.  As of January 2016, Target has incurred $291 million in breach-related costs including legal fees, crisis communications and forensics costs.  Of that amount, less than one-third or about $90 million is expected to be covered by cyber insurance.  At the time of the breach, Target had $100 million in cyber insurance coverage from multiple underwriters, on top of a $10 million deductible.

According to its public filings, Target’s cyber insurance policy contained a $50 million sublimit for settlements with payment card networks.  In 2015, Target entered into settlement agreements with all four of its major credit card providers, which are in various stages of court approval.  Visa, for example, cut a $67 million deal with Target.  MasterCard later entered into a $19 million settlement.  But Target hasn’t disclosed whether its settlements with the credit card companies will come from a portion of the cyber insurance, subject to the sublimit, or if those settlements will be funded by other sources (such as its corporate general liability policy or from its operations).

And the financial pain isn’t close to over.   Although Target has resolved many of the more than 100 lawsuits filed after the breach, it still faces several shareholder class action lawsuits, a separate lawsuit filed in Canada and ongoing investigations by State Attorneys General and the U.S. Federal Trade Commission.

Several industry analysts forecast that Target’s breach-related losses will reach $1 billion.  After disclosure of the breach in early 2014, Target’s profit was cut in half – down 46 percent over the same period the year before.

The “hard” costs covered by cyber insurance oftentimes are only the tip of the iceberg.  Cyber policies don’t usually cover intangible harm like lost sales, plummeting customer goodwill and trust or damage to the brand.  Most policies also exclude some forms of major attacks like state-sponsored espionage or ransomware – which has been on the rise especially in the healthcare industry.

Target’s experience with cyber insurance isn’t uncommon.  It’s a fast-growing and evolving market with dozens of underwriters offering coverage.  With the increase in headline-grabbing breaches and the sophistication of cybercriminals, demand for coverage is high and business brisk. Total cyber insurance premiums paid in 2014 were about $2.5 billion and the market is expected to reach $7.5 billion by 2020.  In comparison, cybercrime costs the global economy about $400 billion per year and that number isn’t expected to slow anytime soon.

One expert told me that the most cyber insurance an organization is likely to acquire is in the $300 million range – using multiple underwriters.  That’s significantly less than the billions of dollars’ worth of coverage available for other organizational risks such as property and casualty damage.

Cyber policy coverages, exclusions and premiums vary widely.  The more comprehensive policies reimburse for forensics firms, notification to customers and credit card monitoring for victimized customers.  Some policies cover legal fees.  Much is open to negotiation and some of the risks might even be covered by other policies already in place such as general corporate liability or errors and omissions coverage.

If there’s a lesson to be taken from Target’s experience, it’s that not all cyber insurance policies are created equal.  While cyber coverage can be an important risk allocation tool, it is only one piece of a much larger puzzle.  Organizations need to start with an overall cyber risk analysis – looking not only at IT risks but at exposure to governance, regulatory and legal liability – to fully assess and identify the most likely risks arising from a cyber event and consider the coverage that best fits their own risk profile.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising
