Capital One, the U.S. and global banking and personal finance group, has disclosed a $400 million cyber insurance tower that the market is now watching closely, following a hack and the loss of data belonging to more than 100 million of its customers.
Capital One said on July 29th that an individual accessed its IT systems, in particular application data linked to its credit card systems, resulting in the loss of personal data associated with 106 million customers, 100 million in the United States and 6 million in Canada.
The Capital One hacking and data breach is among the largest ever in the banking and financial world.
Capital One explained that the majority of the data accessed by the individual or hacker was the kind of personal data collected when consumers applied for one of its credit cards.
As a result, this included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
On top of this, the hacker also accessed portions of credit card customer data, including credit scores, credit limits, balances, payment history and contact information, as well as fragments of transaction data covering 23 days during 2016, 2017 and 2018.
Around 140,000 Social Security numbers of Capital One credit card customers were also accessed, along with around 80,000 linked bank account numbers of secured credit card customers, the bank said. In Canada approximately 1 million Social Insurance Numbers were also accessed in the hack and resulting data breach.
The perpetrator of the cyber hack has been arrested by the FBI and Capital One said, “Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual.”
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” commented Richard D. Fairbank, Chairman and CEO. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
The specific vulnerability that was exploited has now been closed by Capital One and the bank is in recovery mode, with likely escalating costs related to customer communications, retention efforts and other direct contact activities with the 106 million affected people.
Capital One said that the data breach and hacking is likely to generate incremental costs for the firm of approximately $100 to $150 million in 2019, largely for customer notifications, credit monitoring, technology costs, and legal support.
Capital One explained that it has a $400 million cyber insurance tower in place to cover “certain costs associated with a cyber risk event.”
The Capital One cyber insurance is subject to a $10 million deductible and also standard market exclusions.
Typically cyber insurance covers can support customer contact, credit monitoring and some legal costs related to hack attacks or data breaches, so it does seem likely that this coverage will be triggered, given the relatively low deductible and the high number of customers impacted by the breach.
But how large the Capital One cyber insurance loss will become remains uncertain at this stage, as does the potential for it to result in any reinsurance market impacts, as it is impossible to tell how much of the estimated up to $150 million in costs incurred could be claimed back.
We discussed the Capital One cyber incident with Property Claim Services (PCS) Co-Head Tom Johansmeyer, given that his team collects and aggregates cyber insurance market loss estimates under its PCS Global Cyber product.
Johansmeyer explained that it’s important to be cautious in the early stages of a reported cyber incident: “Early reports on the event are still coming in, so now is the right time to review exposures and continue to understand the event, rather than rush to conclusions on the size of the insured loss. Capital One has confirmed publicly a $400 million tower, which puts it among the larger programs in the market. The nature of the event should drive whether it attaches and the extent to which the cover is used.
“We’re actively monitoring this event and are in communication with our market to ensure timely and accurate reporting.”
Johansmeyer further explained, “We haven’t designated this event, as it’s too early in its evolution. If we believe the insured loss is likely to exceed US$20 million, we’ll add it to PCS Global Cyber.
“However, in the cyber reinsurance market, patience really is a virtue these days. While many may rush to showcase a perspective, getting in early doesn’t mean getting it right. As the independent voice of the sector, our team is committed to the latter.”
It could be some time before the magnitude of cyber insurance or reinsurance market loss from the Capital One hack and data breach is understood.
Rating agency Standard & Poor’s said that while the breach of cyber security at Capital One Financial Corp. “increases its reputational risk,” the direct costs incurred should be manageable.