The cyber liability insurance market is likely to morph in the near future as a result of the massive Equifax data breach, according to some industry executives.
It's too soon to tell just how many millions or even billions of dollars insurers may have to shell out as a result of this summer's Equifax breach, which the company said impacted 143 million people in the United States, Canada and the United Kingdom. But cybersecurity and insurance professionals said the impact from this event will be lasting.
Historic Cyber Attack
Equifax revealed the cybersecurity breach on Thurs., Sept. 7, 2017. The company said it discovered the attack, in which hackers compromised a website application in order to gain access to private consumer information, in July 2017.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," Equifax CEO Richard F. Smith said in a press release. "We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident."
Although Equifax carries cybersecurity, crime, general liability, property and business interruption insurance, these policies are likely insufficient to cover the company's expenses related to this breach.
Consider that Anthem agreed in June to pay $115 million to settle class-action lawsuits stemming from its 2015 cyber breach that may have affected nearly 80 million customers, and the price tag on Target's 2016 cyber breach is expected to top $450 million by year's end, according to Forbes. (Target reportedly carried $100 million in cybersecurity coverage.)
Cyber insurance industry representatives said that the Equifax cyber insurance program is carried by Marsh, with Beazley as the primary carrier. Representatives from Beazley did not reply to emails requesting comment for this story.
Cyber Liability Wake-Up Call
Michael Born is vice president and account executive of the Cyber Technology Practice at Lockton Companies, based in Kansas City, Mo. He said that many of his colleagues "have been waiting for this shoe to drop," meaning the arrival of a massive cyber breach such as this one, which is likely to further the cybersecurity and cyber insurance markets.
"Cyber insurance is a very soft market," Born said. "There are a lot of new players, coverage is broadening, pricing is going down, and underwriting is getting a little looser … But I think you may see that change."
Born said there are generally two stages in recovering from any cyber breach. The first stage is the initial impact of the breach and the subsequent identity theft monitoring. This is the process in which Equifax is currently involved. "The next part is a longer tale," Born said, "and that's the liability portion."
Growing Class Actions

There will certainly be regulatory investigations and class action lawsuits. These suits may come from consumers impacted directly as well as Equifax business clients who relied on the company to safeguard employee data.
"We could see (cyber insurance) pricing change and underwriting getting more stringent within the next couple of months," Born said.
Cybersecurity executive Sidd Gavirneni concurred.
"Other recent attacks have had an impact on pricing for sure," said Gavirneni, CEO and co-founder of Zeguro, a San Francisco-based cyber insurance MGA that provides cybersecurity services. "The scale of the Equifax breach will lead to a higher demand for cyber insurance. The users whose data has been compromised will take this fear to work and to the businesses they run. Also, underwriters now have more data to base pricing on."
The Equifax breach, he added, is a chance for agents and brokers to illustrate just how catastrophic a cyber breach can be for business. This will be a chance to "provide customers with insights into why and how the Equifax breach happened, and help them understand the cyber risks their businesses face," Gavirneni said. "Only then can they understand the real need for cyber insurance."
IT Hygiene
Dan Burke, vice president and Cyber Product Head at Hiscox USA, said any business that handles sensitive customer information on par with the type of information that hackers accessed from Equifax (names, Social Security numbers, birth dates, addresses, driver's license numbers and credit card information) must now be well aware of the importance of information security hygiene.
"Hackers are incredibly crafty at finding cybersecurity and data vulnerabilities," Burke said. "To keep hackers at bay, businesses should aim to supplement technology protections by creating a 'human firewall,' meaning all employees are trained and have an awareness of the potential warning signs of an attack. It's much easier to hack people than the technology. Have the strategy, resources and processes in place before a hack occurs, in order to identify a breach early and get back to business as quickly as possible. This is still a major concern – for more than half of U.S. business, it will take two or more days to return to business as usual after a large breach."
Three other top cyber insurance carriers contacted for this story — Zurich North America, Travelers and Chubb — declined to comment.
Human Resource Issues
Tracey Malcolm, the Global Future of Work Leader for Toronto's Willis Towers Watson, said the Equifax breach could spur organizations to build cybersecurity into employee functions at every level.
"We are seeing organizations really have to get real about what is the readiness of their cybersecurity workforce," Malcolm said. "We're seeing a shift in acquisition strategy with more corporations interested in both executives and employees who possess a hybrid of business acumen and cybersecurity training."
Willis Towers Watson's Cyber Pulse Survey, conducted earlier this year, found that while three out of four U.S. businesses believe their organizations are safeguarded against a cybersecurity breach, there remains a disparity between feelings of preparedness and the increasing number of cybersecurity incidents. To that end:
- 79% of U.S. employees believe they have an insufficient understanding of cybersecurity risks;
- 45% spent 30 minutes or less on cybersecurity training during 2016; and
- 25% of U.S. employees received no cybersecurity training whatsoever in 2016.
"As the world has seen with the proliferation of phishing scams, most recently highlighted by the global WannaCry ransomware attack, the opening of just one suspicious email containing a harmful link or attachment can lead to a companywide event," Anthony Dagostino, head of global Cyber Risk at Willis Towers Watson, said in a press release about the Cyber Pulse Survey. "However, there appears to be a disconnect between executive priorities around data protection and the need to invest in a cyber savvy workforce through training, incentives and talent management strategies."