On Tuesday, January 14, BusinessInsurance.com reported that,
Target Corp., which last month had a massive data breach that exposed the credit and debit card information of some 70 million customers, has at least $100 million of cyber insurance, including self-insured retentions, and $65 million of directors and officers liability coverage, according to insurance industry sources.
Target’s $100 million policy is likely to be worthless if it is determined (and it will be) that they were not compliant. However, let’s assume for a minute that Target’s policy is actually deemed valid, and not determined to be voided by misrepresentation. For example, if Target is able to demonstrate that there were no gaps in their security controls, and that every precaution was taken to prevent this type of breach, they would still be covered by the multiple policies they have and would potentially be subject to less severe regulatory fines.
Even IF the policy pays out, 100 Million is just a drop in the bucket compared to the cost of the damage.
Based on Ponemon Institute Direct Cost Estimates and information from DATALOSSdb.org we know the below information about other retailers who experienced a breach:
Based on the type, and amount, of information stolen in the Target breach (110 million) records including credit/debit card information, email addresses, home addresses and other Personally Identifiable Information) we can loosely expect that they are looking at over 2 billion in expounded costs based on Ponemon estimates. That’s a lot more than the 100 million dollar policy would cover.
So, should they have bought a larger policy? Is it even worth it? We answer those questions, and explain how to use insurance as part of an overall risk strategy in our latest webinar:
Cyber Liability Insurance & Security:
A discussion of CFOs’ concerns surrounding gaps, risk, and voided policies in light of the Target & Neiman Marcus breaches.