The credit report agency’s latest cyber security infiltration underscores the need for risk protection.
A data security infiltration last July could end up costing Equifax more than its insurance currently covers. Although Bloomberg reported that, while the Atlanta-based credit recording agency’s current coverage offers between $100 million and $150 million in payouts, it might be liable for a greater amount if it’s hit with a multibillion-dollar class action lawsuit in addition to fines imposed by the federal government.
An Equifax spokesperson told Bloomberg the agency currently carries cybersecurity, crime, general-liability, as well as other insurance policies. The spokesperson added that the company has initiated discussions with its insurers. Cyber risk specialist Beazley Plc is reportedly the lead insurer; the London-based firm declined to comment to Bloomberg.
Even before news of the massive data breach broke, Equifax executives expressed concerns regarding the extent of its cyber risk insurance protection. “Our property and business interruption insurance may not be adequate to compensate us for all losses or failures that may occur,” Equifax said in its annual filing.
If hackers expose sensitive consumer information, the company could also be subject to “litigation, regulatory fines, penalties or reputational damage, any of which could have a material effect on our cash flows, competitive position, financial condition or results of operations.” The firm further noted that “our third-party insurance coverage will vary from time to time in both type and amount depending on availability, cost and our decisions with respect to risk retention.”
How It Happened
A report in Yahoo detailed how hackers may have taken advantage of a security flaw in Cisco Systems Inc.’s Apache Struts software, a program often used to build interactive websites where customers fill out online forms. Equifax incorporated Apache Struts into a website on which consumers dispute credit report errors.
Cisco first detected the malfunction in March, and informed users — including Equifax — of the potential problem. At that time, Equifax said its IT personnel were working to identify and correct the defect.
In late July, however, Equifax noticed a spike in callers requesting that their bank deposit numbers be changed. When it investigated further, Equifax determined that the calls were fraudulent and subsequently disclosed the breach. After the disclosure, those calls declined to what the firm termed normal levels.
Nevertheless, between mid-May and late July, hackers gained access to the personal information of 143 million U.S. citizens, including names, addresses, dates of birth, and Social Security numbers. In the hands of hackers, such information can be used to impersonate Equifax customers and steal their identities.
A New York Times report added that hackers stole the credit card numbers of 209,000 consumers in addition to documents containing personal information input during disputes of 182,000 people. The same article noted that Equifax believes the intrusion was limited to the website software and that no unauthorized activity was discovered on its main consumer or commercial credit reporting databases.
What Agents Can Do
Such high-profile data breaches prompt questions from your clients if they are an Equifax customer. On their behalf, you can contact Equifax to determine if their data was breached. Discuss options such as a credit freeze, which restricts access to your credit report, or free credit monitoring and identify theft protection from Equifax.
For your business clients, this is an opportunity to emphasize the importance of cyber risk and business interruption insurance. And as an insurance agent, you, too, must protect much of your clients’ sensitive information. So if you haven’t explored cyber security insurance, you should now.