Equifax Breach: Cyber Insurance To The Rescue?!

This is the seventh blog in the running series on the Equifax data breach.

1. Equif*@#$d: Equifax Breach Response Off To A Rough Start
2. Equifax Breach: Legal, Vulnerability Blame Game, and the Big Technical Debacle
3. Equifax Breach: EULAs, Size Doesn’t Matter, and Where’s The Data?
4. Equifax Breach: The Bigger Picture, Identity, Impact, and Advice
5. Equifax Breach: Ambulance Chasing, FireEye, and a News Roundup
6. Equifax Breach: Timeline, International, Patching, Gender, PCI, oh my!
7. Equifax Breach: Cyber Insurance To The Rescue?!

Any time there is a big data breach that impacts millions of people, you can expect the lawsuits to spin up and significant costs to follow. As we mentioned in our initial post in this blog series, the first lawsuit against Equifax was filed within hours of the breach announcement on Thursday, September 7th. By the following Monday, at least 25 federal lawsuits and 2 Canadian suits had been filed. In fact, at least 250 lawsuits have been filed against Equifax since September 7th and more are surely to come!

Undoubtedly, this is going to be an extremely costly event. So much so that Equifax has taken the step of already posting a statement to investors (PDF), advising them of the breach and its potential financial implications. From the statement:

9. Do you have an estimate of the costs you expect to incur related the cybersecurity incident, including timing? Does Equifax have cyber insurance and to what extent will it offset the financial impact of this incident?

At this time, it is too early for us to provide specific estimates of the costs we expect to incur related to the cybersecurity incident. The most significant near-term costs expected to be incurred will be delivering our TrustedID Premier identity theft protection and credit file monitoring product for a period of 12 months to consumers who enroll. In addition, Equifax will incur legal, forensic consulting and other costs related to the incident. Equifax carries cybersecurity, crime, general liability and other lines of insurance, and we have begun discussions with our carriers regarding the incident.

10. How will you disclose the costs related to the cybersecurity incident in your financial statements and public filings?

Equifax will separately disclose costs specifically related to this cybersecurity incident, as well as any insurance reimbursements that offset these costs. These costs and reimbursements will be treated as non-GAAP items in our presentation of Adjusted EPS and Adjusted EBITDA margin. The timing of the accrual for or incurrence of related costs may differ from the timing of recognizing insurance reimbursement for those costs.

11. Do you expect this cybersecurity incident to impact your long term financial model?

Equifax remains committed to delivering on the long term financial model of 7-10% revenue growth and 11%- 14% growth in Adjusted EPS on average over a business cycle. Equifax’s long term financial model reflects our continuing fundamental ability to utilize our unique and differentiated data assets and leading analytical capability to deliver high value products and services to our customers.

While the cost of a data breach has been, and is still highly debated, no one can discount that a data breach does cost money. Luckily for Equifax, they have integrated cyber insurance into their risk management plan and that should help offset some of the costs, but how exactly that coverage will apply is a very curious question.

Other than confirmation that Equifax does have Cyber Insurance, there has been no official details provided by anyone directly involved as to how much insurance Equifax actually has or how it might respond to the many different costs this breach is generating. What we have seen so far in other published articles is that Equifax has a potential “tower” (a series of insurance policies purchased from multiple carriers) between $100M and $150M. It is rumored and has been published that Beazley is the primary carrier on the tower and the first layer is $15M.  

Some anonymous sources have provided additional clarity about their insurance policy, and it appears that there is $130M of coverage in place. Based on all information available the tower has a structure expected as follows:

5M - Self Insured Retention
$15M - Beazley
$10M - ?
$10M - ?
$15M - ?
$10M - ?
$10M - ?
$10M - ?
$10M - ?
$10M - ?
$25M - ?
--------------------------
$130M Total Limits

For the most part, many will assume that the normal coverages in the Beazley’s cyber insurance policy (BBR) will apply for the Equifax tower. But what is not yet clear is how these limits will be allocated to the lawsuits and regulatory actions (a.k.a. the liability component) versus breach response costs (a.k.a. first party costs). Regardless, $130 million is likely to come up short compared to the total cost of the event when all said and done. A Bloomberg article stated as much when they reported that the cyber policy Equifax has in place was “likely inadequate to cover the credit-reporting company’s costs”. This was further justified from the Equifax statement:

“Our property and business interruption insurance may not be adequate to compensate us for all losses or failures that may occur,”

“Also, our third-party insurance coverage will vary from time to time in both type and amount depending on availability, cost and our decisions with respect to risk retention.”

So, if $130M is not adequate, then what amount should have Equifax had in place? We decided to look as some cost estimates based on studies and models that have previously provided Cost Per Record numbers.

So, while there are disputes on what the proper cost per record post-breach estimate should be, based on the table above using multiple data points from previous studies, it becomes clear quickly that $130M in coverage would not be sufficient given the amount of data compromised.

Certainly the decision to purchase $130 million or more of coverage was aided by the brokers that placed this coverage and further validated by the financial decision makers within Equifax. It’s also possible this is the most coverage Equifax was able to obtain. What is certain is that there are few companies with more first-hand knowledge than Equifax when it comes to understanding breach response costs.

In fact, Equifax has been a partner of Beazley’s – yes, the very same Beazley that is said to provide the first layer of cyber coverage to Equifax – providing breach resolution and mitigation services on behalf of policyholders since at least May of 2014. What’s more, Equifax describes themselves as data breach specialists, going so far as to say they are “ideally placed to help businesses if they experience a data breach.” With such deep roots in the cyber insurance and breach response industries, Equifax should have been well informed as to potential costs.

The mostly likely component of a cyber insurance policy to pay out after a breach is the first party, or breach response, coverage. This includes the various costs that are incurred by the impacted organization for things like the forensic investigation, credit monitoring, notification and call center support, and identity protection services – all activities currently underway at Equifax. Third-party costs have not yet been be as impactful as many lawsuits face an uphill battle in proving actual damages from the breach as is evidenced by the failed attempts against Horizon BCBS, Schuncks, and CareFirst.

Assuming Equifax’s cyber coverage includes breach response costs including credit monitoring expenses – which we expect it would assuming that Beazley is the primary carrier – there are two possible ways their carrier can handle subscription cost:

• Pay a lower cost per person and guarantee credit monitoring for all impacted persons; or
• Pay a higher cost per person, but pay only for those persons that sign up for the credit monitoring services.

Given the choice, most organizations lean toward the pay-as-you-go route based on the assumption that breach fatigue is setting in and only a small percentage of impacted persons will take up the offer of credit monitoring, ultimately costing less than the monitoring-for-all option.

What makes the Equifax situation especially curious is that they are offering their own product for identity theft protection and credit file monitoring. As we mentioned previously, Equifax has a partnership in place with Beazley, the primary carrier on the tower. The question immediately comes to mind; does this mean their insurance policy could conceivably reimburse Equifax for the cost of their very own services? What’s more, now that Equifax has decided to temporarily “waive” the cost of a credit freeze, could they go on to seek reimbursement for their “lost” freeze revenue? It’s difficult to conceive of any insurance company writing a check to their customer for the cost of providing their own service, but this may in fact be the case.

If, in fact, Beazley is the primary insurer for Equifax as we believe and more sources are validating, it may be a moot point. It is a common practice among insurers to cap or otherwise limit the amount of coverage provided under the first party cost component. So even with $130 million of limits, it’s conceivable the dollars available to pay for first-party costs is quite a bit less. The popular Beazley Breach Response (BBR) policy has wording that references they can respond to a breach of up to several million records, but it typically carries the caveat the most the company will pay during the policy period for all Privacy Breach Response Services is $10,000,000. If such a sublimit is in place for Equifax, it is possible the entire amount could be spent on other first-party elements such as the forensic investigation, the cost of notification, the call center expense, and legal fees incurred in the immediate aftermath of the breach. That could raise another conundrum for Beazley’s insurers – whether or not those carriers that are in excess of Beazley would “drop down” to pick up costs exceeding the underlying sublimit.

As has been detailed in this series and by the media at large, Equifax’s handling of the initial breach response has been less than stellar. Much has been made about the role of cyber insurers and how they can bring order to an otherwise chaotic breach situation. For most organizations, having a cyber insurance policy provides excellent response resources with the best pricing possible. Beazley states as much in their promotional materials, touting their experience and in-house abilities that helped handle over 6,000 data breaches:

Given the collective experience of both Equifax and Beazley with data breach response, again, one can’t help but wonder why is it that the response has been so poorly handled thus far and comes across as if they were unprepared for a breach. Did Equifax choose not to involve their primary carrier in the response? If they did, was Beazley’s input disregarded? Who is running point on the breach response? Another thought is once Beazley was made aware of the Equifax breach, when did they notify the other impacted carriers in the tower and how informed have they been during the process?

Either way, not reporting a breach in a timely fashion or failing to abide by the policy terms and conditions can have serious consequences for Equifax and the amount of insurance ultimately available. Most cyber policies include language requiring insureds like Equifax to report losses “as soon as practicable” after discovering the breach. We know from Cyber Risk Analytics, that Equifax became aware of the incident on July 29th, which means they should have been working with their business partner/insurer Beazley well before the breach was announced on September 7th. Likewise, most policies include clauses requiring the insured to cooperate with the carrier and generally not incur expense without the carrier’s consent. It’s not clear the extent to which such language is included in Equifax’s cyber coverage, but if they have not met their obligations it is grounds for reducing – and possibly even denying – coverage. 

What other costs should Equifax’s cyber insurance policy potentially cover?

Unlike other coverages that tend to be more standardized, cyber insurance policies are unique creations. Even the excess policies that are part of larger insurance tower can be quirky and veer away from the coverage written into the primary cyber insurance policy. That said there are core items included in the vast majority of cyber policies which should help defer breach costs. This list isn’t an attempt to be all inclusive but to provide some thoughts on a few areas.

Defense Costs

• Just because negligence or damages are hard to prove doesn’t mean lawsuits can be ignored. Suits must be defended and defense attorneys costs money. The policy should respond accordingly here.

Forensic Costs

• Complex attacks require complex investigations. Certainly the attackers here spent much time and effort probing systems and escalating their privileges. It’s been reported the attackers used as many as 30 web shells and about 35 IP addresses for accessing the network. The investigation of this size and scope is expensive. Even if Equifax has a pre-negotiated agreement with Mandiant – the same provider they turned to earlier this year for another breach investigation – this is going to end up costing a lot of money.
• This will be covered no doubt, but the extent of how much of the tab will be picked up by insurance is definitely at question. Beazley has provided some great claims data previously, and has highlighted that some of the most expensive parts of dealing with a breach are the Forensic Costs. As such, you can expect to find sub-limits on forensic costs in many policies. If there is a cap in the Beazley policy, and if that very same policy has already paid for Manidant’s investigation of the March event, there may not be much left to cover Mandiant’s fees related to this breach. This is another situation that opens to the door to the question of whether the dollars available to respond are contained in the primary layer of coverage or if the other layers above Beazley will drop down and pick up where the primary coverage ends.

Notification Costs

• Forensics isn’t the only cost driver. Significant expenses can come from notifying impacted persons that their information has been compromised. Equifax initially choose to make the breach known through media outlets rather than send snail-mail notifications. However, since the initial announcement notification letters have begun popping upon breach reporting sites. How many have actually been mailed out is another question. Under many of the data breach laws there are exceptions that can be made for alternative notifications such as when the organization lacks sufficient information to reach a customer by mail. Since addresses are a part of a person’s’ credit records, it is very hard to believe Equifax wouldn’t have the information necessary to send letters.
• Once mailings start in ernst, there will obviously be a cost for someone – most likely an attorney – to write the letter, get it printed, stuffed into envelopes, and postage paid. The less obvious cost here is time it can take for attorneys to coordinate notification across all 50 states. Much like cyber policies themselves, breach notification rules vary from state to state, with different timing requirements and differing requirements for what type of information must be included in the letter. There have been on-again off-again efforts over the years to move to a national breach notification standard but such bills have not made much headway in the past. The Equifax breach might just change that. H.R.3806 has been introduced to establish a national data breach notification standard, and other purposes were introduced on 9/18/2017 by Rep. James Langevin and co-sponsored by Rep. Ted Lieu.

Credit Monitoring & Freezes

• We have already discussed monitoring at length, and it will be interesting to see the costs and how they are handled.
• Typically credit freezes have not been covered by most carriers, so whether or not this made it into the policy is unsure but unlikely.

Call Center

• Any time you have a breach, even a small one, let alone one that impacts 143 million people, you are going to have people that are upset and want to talk to someone on the phone to get their questions answered.
• Cyber policies typically have coverage for crisis communications such as call centers, and the costs are usually based on either per phone call or the amount of staffing that is required.
• Equifax has a call center set up and it had some initial issues (much like the rest of their original breach response) but they stated that they “had tripled the size of its call center team to more than 2,000 agents, with more to be added.”
• No matter how you slice it, by call or by staff, this expense is going to add up quickly. Granted at some point it will slow as call volume decreases and less staff is required.

Regulatory Fines and Penalties

• Whenever there is a statutory obligation to protect data, you can bet there is a governmental agency tasked with enforcing that obligation. Lack of empathy for the victims, perceived lackadaisical security practices, or many millions of people impacted all act as red flags for catching regulators attention and the Equifax breach has all three in spades. So expect a spat of regulatory actions in the coming months. We have seen quite a few similar incidents on the HIPAA/Hitech side, but nothing quite yet on the breach side outside of a smattering of FTC enforcement actions. In a signal of things to come, the FTC did take the unusual step of confirming they have already started an investigation into the breach.
• This breach certainly has the potential to generate punitive fines or penalties from the authorities but it will take some time for those the develop.

PCI Fines and Assessments

• Any time there is a breach including credit cards there is potential for PCI related penalties. Upwards of 200,000 payment card details were also compromised, which should trigger some backlash as to whether Equifax was compliant with the PCI Data Security Standard at the time of the breach. It will take some time for that to be reviewed and any actions to come out of it, but it should be expected. Note that Equifax is on the PCI Security Standards Council.
• There may be costs to reissue credit and debit cards.
• There is also a potential that there will be fraudulent credit card transactions based on a smaller number of compromised credit cards. There are PCI assessments (not a risk assessment) that Equifax could be made to pay and the possibility of charge-backs to cover subsequent fraudulent charges. It should be noted that not all cyber policies in the market have this coverage, so Equifax may be on their own to pay these bills.
• It has been shared that Equifax has violated PCI, since they were historical transactions.

What costs do we not expect the policy to cover or other gotchas Equifax may face?

We have to remember that without seeing the policy wording, it is very hard to know the exact coverage for this tower. But there are some typical things that are not usually covered as well as some “gotchas” that Equifax might experience when they read the find print of their policy.

Company Reputation

• This is a typical ‘no cyber coverage’ for your tarnished reputation or diminished brand value. While there has most certainly been an impact to the Equifax brand, there is nothing they will be able to recover from their policy. There may be some crisis management coverage to assist with the costs for the firm they have retained to help them clean up there image, but they will not be able to claim a monetary amount for their bruised reputation.

Stock Fluctuations

• There is typically no cyber coverage for this type of issue.

Valuation Impact

• There is typically no cyber coverage for this type of issue either. While Equifax has lost approximately $4B in valuation since the breach, there will be nothing that the cyber policy will do to help recover this loss, not to mention that the stock may recover in the coming year.

Co-insurance Clauses

• There are situations where the policy wording will be exactly what is needed for an organization, and even on the declarations page the coverage limits are what you believe are proper as well. But buried in the policy you will find a co-insurance clause hidden. This has been something that has been notoriously overlooked and companies that believe they have a certain amount in coverage, come to the unfortunately realization that yes they do have that amount, but they are required to pay a certain percentage of the costs as well.

Exclusions

• In some cases carriers will add exclusions to their policies for coverages that they feel are high risk. Given that Equifax may have been considered a higher hazard class of business there may have been some additional coverages that were not included that would normally be covered for other classes or business.

Sublimits

• Sub-limits are commonly used to help control coverage parts that are deemed to be more risky or likely to be exhausted more quickly than others. Sub-limits will be an area to watch closely as they could dictate how much additional coverage in the tower is available after the first layer is exhausted.

What other Equifax insurance coverage in place might respond?

As we have wrote about previously, there is a big difference between a Cyber Insurance Policy and General Liability or other professional liability lines. There have been quite a few cases that made it clear there would be no cyber coverage under other types of insurance, and then of course other rulings that left the door open for potential coverage. A company the size of Equifax is sure to have other insurance policies and with the massive impact this has already incurred, they will most likely be looking at all of the coverage in place to see what other assistance outside of the dedicate cyber tower they can find – including their General Liability (GL) policy, Errors & Omissions (E&O), and Directors and Officers (D&O) policies. We wanted to take a moment to discuss the D&O potential and share some thoughts.

• D&O coverage definition from Wikipedia:Directors and officers liability Insurance (often called “D&O”) is liability insurance payable to the directors and officers of a company, or to the organization(s) itself, as indemnification (reimbursement) for losses or advancement of defense costs in the event an insured suffers such a loss as a result of a legal action brought for alleged wrongful acts in their capacity as directors and officers. Such coverage can extend to defense costs arising out of criminal and regulatory investigations/trials as well; in fact, often civil and criminal actions are brought against directors/officers simultaneously. Intentional illegal acts, however, are typically not covered under D&O policies.
• We aren’t currently aware of what D&O policy or tower may be in place. We have asked around but haven’t had any feedback yet. If you have some insight that you would like to share, send us a message!
• There is a good change that they have a D&O tower in place, as it makes sense for a publicly traded company like Equifax to carry this coverage.
• There are quite a few things that have come out about the Equifax breach that will lead to the questions regarding what the Executives have done or not done (even ignored!) as it relates to this breach.
• There have apparently been warnings to Equifax about issues for quite some time it appears with no action. One item that was publicly shown was that there were security issues with how the pins were issues using the timestamp.
• The impact to the company has been massive already, with a staggering $4B valuation drop, and the potential is larger with the forecasted losses moving forward.There may be several lawsuits related to the notion that the executives didn’t invest in security heavily enough or response to documented issues putting the company at risk.
• We have covered that the executives that sold stock right before the breach and how that was viewed as very sketchy and potentially illegal. We knew it was coming and as expected, there is now a criminal investigation being conducted by the SEC. While a D&O policy may exclude this at some point (ie: criminal activity) they for the most part with provide defense costs.

Does Equifax have any reasonable excuse or defense that this breach occurred?

If you have ever read any of our Data Breach QuickView reports, you know that data breaches continue to happen at alarming rates. There is no organization that is immune to a breach, and many companies that take security very seriously can still find themselves in an unfortunate situation. As more pressure mounts against Equifax, we wanted to provide some thoughts on how we believe things will play out as they try to defend themselves.

• If you ask consumers or any person you speak to for that matter, basically the verdict has been decided – there is no excuse from Equifax and people are genuinely angry.
• While the courts will ultimately decide the outcome, it is pretty clear that Equifax is in an uphill battle to try to justify their security posture.
• What we have seen so far, we believe makes it extremely hard for them to defend themselves and convince people that they had in fact implemented the right amount of security.
• Even points that are being heavily used against them such as the failure to patch the vulnerability that opened the door into their system, are in fact decently normal for many other companies, it’s just too hard to convince someone that it is acceptable (and lets be honest it really isn’t!)
• While they had a Chief Security Officer (CSO), which is always a good thing, there are too many signs that an information security program was not properly implemented.
• On the topic of the CSO, some are pointing out that her educational background is in music. While those of us in the security industry know that the degree you have means very little for the most part, when explaining this to other professions where a degree carries more weight can be problematic.
• When we look at Cyber Risk Analytics we see that Equifax has been no stranger to previous data breaches, they currently have 18 breaches that we have tracked.
• Patching security vulnerabilities in an environment as expansive as Equifax’s is a herculean task. But just try telling someone that isn’t in IT that a known security patch was available for 4 months and yet Equifax hadn’t gotten around to implementing it throughout their organization. When you see their reaction you know that is how the courts, a jury, and other non-IT people will react, in horror.
• In looking at the timeline of events, it took Equifax 117 Days to notify the public. If they really cared about the victims, wouldn’t they have notified them faster?
• The breach response was so horrible, it creates the appearance Equifax didn’t take it seriously enough to try to protect those affected.

Whether you believe any of these points or not, the list keeps growing and is going to put Equifax in an almost impossible situation trying to justify that they did everything possible to protect those affected by the unauthorised access.

What happens to cyber insurance now that we have had the Equifax breach?

With confirmation that Equifax had a cyber liability insurance policy in place, a breach of this magnitude has been thought to quickly exhaust the policy and will likely lead to a “hardening” of cyber insurance rates. When a breach of this size occurs, for the most part it tends to have an impact on pricing for all buyers and in some cases can lead to insurance carriers halting coverage for certain classes of business. 

Hard Cyber Market

• In the insurance world the words Hard and Soft Market get tossed around all the time. In a “soft” market, the appropriate price for coverage is difficult to get, with competition between carriers driving down prices as they fight to write the same business. Cyber insurance much like the rest of the industry for the most part has been in a “Soft Market” for a long time. When there are substantial loses, pricing “hardens” as competition wanes. In other words, it is an opportunity for carriers to increase their rates. It is unclear that this is one of those events. With so many other breaches occurring with no effect on pricing, we don’t believe that the Equifax breach will change rates nearly as much as it should.

Increased Cyber Insurance Adoption

• The current adoption of cyber insurance has been slow thus far but increasing, but when reviewing the market as a whole the numbers are still very low. There is a long way to go until cyber insurance is fully accepted and furthermore, widely purchased.
• With the rise of Ransomware we have seen a lot more questions and interest in cyber insurance this year, and specifically it has been rumored that after WannaCry the market would increase pretty dramatically.
• 2017 has had more than its share of big events. If ever there was a wakeup call for companies to integrate cyber insurance, 2017 is it. Leaders can no longer claim they didn’t hear the alarm! To be fair, we seem to say this a lot!

We at Risk Based Security have long supported cyber insurance as a valuable tool for helping to mitigate the financial fallout of a data breach and a valuable resource for companies when they have to respond to a data breach. Like most complex contracts, all insurance policies come with terms and conditions that can influence how much is paid once the dust settles. That said, it should be a key element of every risk manager’s strategy for data breach response and recovery. Only time will tell where this particular aspect of the Equifax story will lead but we expect there will be substantial costs. It will be interesting to follow further disclosures when it comes to their exact expense line items and more specific how much of those actual costs will be offset by Cyber Liability insurance.

What we can say for sure is that, at this point, there are enough questions swirling around the curious nature of Equifax’s coverage that it probably won’t make a good example for the cyber insurance coverage. Any bashing of cyber coverage based solely on the Equifax experience would be misguided.

If you have any points that we missed or would like to contribute to this analysis please contact us!