LONDON—Reputational risk experts embarked on a lively debate here, but there was some agreement about the reputational effect of a cyber breach.
While the panelists at Advisen’s Cyber Risk Insights Conference agreed incident response plans and training to handle a cyber event were generally lacking at organizations, they sparred a bit on issues related to consumer sentiment following a cyber breach—especially of payment card information.
Jennifer Coughlin, partner at law firm Lewis Brisbois, admitted she shopped at Target the day after the retailer’s payment card breach was announced.
Consumers have been “desensitized” to payment card breaches because they call banks to get the situation cleared up, she said. Theft of Social Security numbers, however, are “more concerning” to consumers, she said.
While Melanie Dougherty Thomas, CEO of public relations firm Inform, said breaches violate the trust of consumers, Matt Hogg, underwriting manager at Liberty Specialty Markets, said surveys have concluded that “isn’t always the case.” In fact, 61 percent of consumers expect to be breached, he quoted from one survey.
The experts also differed on when to issue statements, if at all. Coughlin said to be careful what goes in writing because it could come back to hurt the organization if the breach has not been understood and contained. She said sometimes it is better to “shut your mouth while you figure it out.”
But typically, something needs to be said due to notification requirements and shareholder concerns. Dougherty Thomas said many organizations have lifted the same boiler-plate messages of other hacked companies. This, she said, “is entirely inappropriate.
Studies have shown no real definite connection between a cyber breach and a long-term effect on stock prices.
READ ADVISEN’S WHITE PAPER: Reputational risk: Does it have a bad reputation?
So how then does an insurer quantify a loss from alleged reputational damage following a cyber breach?
Hogg said the claims process looks familiar to one involving traditional business interruption. There are only a few options for this risk in the market. Products have “struggled to get off the ground.” The take-up rate is low, as it’s tricky for underwriters to establish triggers for coverage based on various policyholder business models and other revenue volatility factors.
Take, for instance the Target breach during the holiday season. Some could say the retailer’s stock price dropped due to its breach but there were other things happening within the corporation. Plus, shopping habits that holiday season were off for most retailers.
Products are mostly used for in cases involved theft of personal identifiable information rather than theft of intellectual property and they have yet to be tested “to the degree to draw conclusive analysis” about the policy’s effectiveness.