In light of very public security breaches at Epsilon and Sony last year, 2012 could be the year during which companies start to sign up for security-breach insurance. Security-breach insurance protects a company in the event that its customer database is hacked and includes protection against lawsuits that the affected customers file. (It doesn’t protect consumers’ information from a potential breach.) Two analysts tell Consumers Digest that it’s unlikely that companies will pass on the cost of added premiums to their customers.
In October 2011, the Securities and Exchange Commission created guidelines to address the way in which publicly held companies handle security-breach disclosures with their shareholders. The guidelines indicated that companies should notify shareholders when security breaches occur and disclose any measures the company has taken to safeguard against financial damages from a breach.
Rob Ayoub, who is a security-industry specialist with Frost & Sullivan, believes that companies that opt for security-breach insurance might be more apt to disclose security breaches to their customers because the insurance policy likely would cover class-action-lawsuit settlement costs.
However, he said that an insurance policy likely would cap settlement fees. This would limit the amount of money that a consumer would receive in damages.
Both Ayoub and Ben Ramirez, who also is a security analyst at Frost & Sullivan, believe that it’s highly unlikely that companies will seek ways to pass on the cost of premiums to their customers at such an early stage. “I think at this point, [companies are] just trying to get on board,” Ayoub says.
However, Ayoub believes that financial institutions will be the most likely to charge a fee in the future.
Other research firms that Consumers Digest contacted declined to comment on this matter, citing the emerging nature of security-breach insurance.