Cybersecurity itself is a relatively new field.
Even more so for cyber insurance.
And in this emerging arena, we're seeing new cases every day about the developing relationship between companies, their data breaches, and the insurance policies that cover them.
The latest example? More fallout from Target's 2013 mega breach.
Why is Target suing its insurance company?
In 2013, Target's data breach was one of the largest of its kind.
The company has since paid $138 million in damages.
Now, it claims that its insurer, ACE American Insurance Co., should reimburse the company for new payment cards it gave out in the wake of the 2013 breach.
The StarTribune covered the lawsuit:
Target argues that its general liability policy with ACE should have covered those costs because the policy defines property damage as including "loss of tangible property that is not physically injured."
"That is precisely this case," Target said in the lawsuit. "Target was held liable for the loss of use of plastic payment cards that were not physically injured."
The total cost of the cards, according to Target, is about $74 million.
The emerging world of cyber insurance
Should Target have to pay for these replacement cards? It looks like that's for a judge to decide.
But the case is an interesting example from the developing field of insurance policies that organizations obtain.
How much of a cyber incident will a general policy cover? And what about cyber-specific policies?
Ponemon Institute on cyber insurance
We asked Dr. Larry Ponemon, Chairman of the Ponemon Institute, about what organizations need to know about this developing field of cyber insurance.
"I'm sure that there are organizations that can just kind of underwrite it themselves and end up with a good outcome. But a lot of organizations could benefit pretty significantly by having a policy that provides coverage of sharing it [the expense]. Especially big issues which are low frequency, like a data breach of more than a million records, as an example," Ponemon told SecureWorld Director of Content Bruce Sussman at our Detroit conference.
Ponemon also has a warning for any organization shopping for cyber insurance: you must read your policy, or you may regret it:
"If you look at like life insurance, you know, 80% of the life insurance policy, it looks the same between policies. But if you look at a policy for cyber insurance, it may be like 20%, or even less than that, is consistent across the board. So read it.
And I think some of you [in the SecureWorld audience] have negative experiences where you do have a data breach and you try to collect and you don't get paid for it by the insurance company, or the amount of work you have to go through to prove your case is just enormous. So there are those kind of kinks.
However, I'm net favorable on cyber insurance."
What about the future of cyber insurance?
And experts in the field have some additional perspectives on Target's litigation against its insurer.
Steve Durbin, Managing Director of the Information Security Forum, knows that this field is fast-moving and constantly evolving:
"Insurance policies are traditionally written around past precedent, and in such a fast moving environment as cyber, I expect to continue to see such cases arising where courts will be asked to set precedent in the absence of historical reference points. We are all continuing to learn as we go in cyber with regard to insurance."
And Jack Kudale, Founder and CEO of Cowbell Cyber, emphasizes the need to separate cyber insurance from other insurance:
"Until cyber insurance can be provided as a standalone policy, aligned to individualized risk and covering the gaps in insurability, insurance companies will not be able to bring effectiveness in post-breach scenarios that is manageable and can provide better last mile experience.
The best underwritten cyber policy will incorporate decisions based on inside-out exposure assessment, outside view, loss cost analysis, business interruption forecast, and dark web scores."