Last week, Christmas shoppers got one more glimpse of the changing landscape of crime. Target (TGT) announced that a cyber breach had occurred over a period of three weeks, and that payment information for more than 40 million customers was exposed. Just two days before Target's announcement, American International Group's (AIG) CEO of property-casualty insurance, Peter Hancock, gave a prophetic warning to businesses: You're not prepared.

CYA -- Cover your assets
Hancock was speaking at an industry conference last Tuesday when he noted the lack of preparedness on the part of most major businesses with big online presences. Cyber attacks and breaches are an ever-increasing risk for businesses, said Hancock. "It's a very real risk, and one that's massively under-insured."

Breaches such as the one Target is facing can cost a lot in fines, lawsuits, and other clean-up activities. And with requirements that differ across state and federal laws, companies are often not even aware of the steps they need to take when a cyber breach occurs.

Drumming up awareness
AIG is one of the nation's leading providers of cyber-threat insurance, but as Hancock mentioned in his talk, few companies purchase the coverage. According to Hancock, a lack of awareness has led to customer passivity in terms of cyber insurance:

Without greater awareness, there's not much customer demand. Without much customer demand, the industry's capacity is rather small. And without the large capacity, the customers say, "Why buy it?"

Of course, there's a certain amount of self-serving intention in Hancock's statement -- he is responsible for the success of AIG's P&C division, which provides the policies in question.

Adding it up
But according to a Ponemon Institute study that reviewed security breaches from 2009 through 2013, the average cost of a cyber breach in the U.S. was $5.4 million. The study looked at cases in which fewer than 100,000 records were accessed -- so the Target breach of 40 million customers' credit and debit cards is far more substantial. At $188 per record -- the average U.S. cost from the Ponemon study -- Target could be looking at more than $7 billion in costs, though that wouldn't take repeat customers into account.

Though there's no telling just how big the costs could be for Target, the lawsuits are already starting. At least 11 customers have already filed suit, and there are sure to be more in the works. With very little guidance on how much responsibility a company has for the protection of customer information, there's no big precedent for how a court ruling would fall.

Insuring against risk
Companies are collecting more and more data as customers find convenience in online transactions. With highly motivated cyber criminals gaining access to companies' databases and websites, there is little chance that breaches will decrease in either frequency or severity. Though the market is small today according to Hancock, cyber insurance could be one of the insurance industry's biggest products in the coming years.