US credit-reporting firm Equifax is the latest company to claim from its insurers following a major cyber attack, but the cost of the breach looks set to far exceed any insurance recovery.
COUNTING THE COST
An unpatched vulnerability on Equifax’s website led to a breach in May last year that affected the data of around 147 million of its customers. The breach resulted in the theft of personally identifiable information of US, UK and Canadian consumers, including names, social security numbers, birth dates, driver’s license and credit card numbers.
Equifax said in April that the 2017 data breach has so far cost the company more than USD 242 million in related expenses. In the first quarter, Equifax spent USD 46 million on breach related IT and security costs, USD 29 million on legal and regulatory investigative fees and USD 4 million on product liability costs and customer support.
In a regulatory filing, Equifax recently revealed that it has some USD 125 million of cyber security insurance under which it had already received commitments to pay USD 60 million in recoveries. Equifax said that it expects to fully utilize the policy. However, Equifax’s insurance is looking inadequate compared with the expected costs associated with the data breach, one of the largest in history. The cost of the data breach could take years to crystallize but it is expected to be several multiples higher than the insurance payout.
Equifax recently disclosed that breach related costs through the end of this year are expected to reach USD 439 million, of which just USD 125 million is insured. The Ponemon Institute said that the breach could end up costing Equifax USD 600 million, making it one of the most expensive breaches of all time.
Last year it emerged that US pharmaceutical company Merck was set to claim hundreds of millions of dollars from its insurers following a ransomware attack in 2017. Merck suffered business interruption in June 2017 after it was affected by the global malware outbreak NotPetya.
Like Equifax, Merck’s insurance cyber insurance coverage is unlikely to prove adequate. Merck said the cyber attack had already cost USD 260 million in lost sales and USD 320 million in additional costs since June. It also expects the attack to cost a further USD 200 million in 2018.
So far the company has already received USD 45 million from insurers, although Property Claim Services (PCS) estimated that insurers will eventually pay at least USD 275 million.
FedEx was also hit by the NotPetya attack in 2017, costing the logistics company USD 300 million and resulting in reduced profits for 2017. However, FedEx did not have cyber insurance in place to cover the attack, but it has since engaged with the market to assess potential cyber insurance solutions.
For more information on cyber insurance, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com.