HBO hack, other recent breaches lay trail to cyber insurance
Attacks pique interest in data security, liability coverage; intellectual property protection unclear
By Byron Acohido, ThirdCertainty
Following on the heels of the two globe-spanning ransomware worms, the HBO hack—with its distinctive blackmail component—rounds out a summer of extortion-fueled hacks and destruction and theft of valuable data at an unprecedented scale.
WannaCry and Petya raced around the planet demanding ransoms after locking up servers at hundreds of organizations. The HBO hackers pilfered 1.5 terabytes of intellectual property and business documents from the television giant. Next, they heaved samples into the internet wild, and demanded $7.5 million to halt disclosures of even more highly perishable intellectual assets.
Related article: How WannaCry used NSA cyber weapons to spread ransomware
These high-profile cyber attacks have sent shockwaves through the insurance industry. Inga Goddijn, executive vice president at Risk Based Security Inc., a Richmond, Virginia-based supplier of risk management services, agreed to supply some context and discuss the implications. Here are excerpts from our conversation, edited for clarity and length.
ThirdCertainty: How common is it for big media companies to hold cyber liability policies?
Goddijn: Cyber insurance is largely accepted by large organizations as an important and necessary part of their overall coverage portfolio. That’s not limited to just the big entertainment companies, that applies across the board to most large enterprises. Where we see a drop-off in the adoption rate is with small to midsize organizations.
3C: Is it likely HBO held a cyber liability policy?
Goddijn: It is likely there is some element of cyber coverage in place for HBO. It’s important to keep in mind it was HBO’s intellectual property that was compromised, not personally identifiable information. It’s not especially common to find cyber coverages that respond to the value of the policyholder’s creative content. So even with cyber insurance in place, it may not apply to this type of data compromise event.
3C: How do you expect the HBO hack to impact the emerging cyber insurance market?
Goddijn: We have already seen an uptick of interest in cyber coverage post-WannaCry and Petya malware events. This is yet another high-profile breach that highlights the fact that data has value. Attackers will go after what has value, which in turn can have a real financial impact on the breached organization. Cyber insurance is still the best option for addressing that monetary fallout.
3C: Could this accelerate wider implementation of third-party best practices; or, perhaps, smarter and wider use of encryption?
Goddijn: It’s hard to say. We’ve seen so many high-profile breaches come and go with little visible impact on security practices. Certainly that’s not true for all—as there is an argument to be made that the Target and Home Depot breaches accelerated the adoption of chip-enabled credit cards. What we can say is that each event like this does highlight just how important data security is to practically every business.
3C: Do you anticipate that the HBO hack will help give focus to cyber insurance?
Goddijn: Each breach that makes headlines the way the HBO event has puts more focus on cyber insurance options. What will be interesting to watch unfold is how the cyber market will address the increasing number of attacks targeting intellectual property.
3C: So what is being discussed in the insurance community with respect to extending coverages to include loss of intellectual property?
Goddijn: Traditionally, the insurance market has shied away from covering events like theft of trade secrets or damage to intellectual property. Perils like trademark or copyright infringement arising out of content created by the insured is widely available, but events such as the HBO breach—and more specifically the compromise of proprietary works—is not an area most carriers are comfortable entering.
Unlike a car or a building, it’s difficult to determine the value of something like a secret formula or an unreleased episode of a popular show. The actual value of the intellectual property itself is subjective and can change over time. Anytime there is that level of uncertainty around pricing a risk, it’s sure to cause hesitation for the underwriters.
3C: How far off on the horizon is wide availability of intellectual property coverage? A year or two? Beyond that?
Goddijn: The diligent buyer that is interested in third-party coverage for a compromise of the I.P. of others can find this in today’s marketplace. It may take some looking, and specific circumstances may prevent any carrier from offering the coverage to a specific buyer, but it can be found. As for first-party coverage for intellectual property, that is a very rare product. There are only a handful of carriers willing to offer this, and it comes with its own host of coverage caveats. Given the nature of the exposure, it’s not likely we’ll see insurance carriers jumping into this area anytime soon.
More about the changing cyber insurance landscape:
Now’s the time for insurers to develop meaningful cyber liability policies
Challenges and opportunities ahead for cyber insurance industry
Underwriters, InfoSec officers must close gap on risk management
Cyber insurance is a great investment, but can’t solve all security needs