HBO hack, other recent breaches lay trail to cyber insurance

Attacks pique interest in data security, liability coverage; intellectual property protection unclear


Following on the heels of the two globe-spanning ransomware worms, the HBO hack—with its distinctive blackmail component—rounds out a summer of extortion-fueled hacks and destruction and theft of valuable data at an unprecedented scale.

WannaCry and Petya raced around the planet demanding ransoms after locking up servers at hundreds of organizations. The HBO hackers pilfered 1.5 terabytes of intellectual property and business documents from the television giant. Next, they heaved samples into the internet wild, and demanded $7.5 million to halt disclosures of even more highly perishable intellectual assets.


These high-profile cyber attacks have sent shockwaves through the insurance industry. Inga Goddijn, executive vice president at Risk Based Security Inc., a Richmond, Virginia-based supplier of risk management services, agreed to supply some context and discuss the implications. Here are excerpts from our conversation, edited for clarity and length.

ThirdCertainty: How common is it for big media companies to hold cyber liability policies?


Goddijn: Cyber insurance is largely accepted by large organizations as an important and necessary part of their overall coverage portfolio. That’s not limited to just the big entertainment companies, that applies across the board to most large enterprises. Where we see a drop-off in the adoption rate is with small to midsize organizations.

3C: Is it likely HBO held a cyber liability policy?

Goddijn: It is likely there is some element of cyber coverage in place for HBO. It’s important to keep in mind it was HBO’s intellectual property that was compromised, not personally identifiable information. It’s not especially common to find cyber coverages that respond to the value of the policyholder’s creative content. So even with cyber insurance in place, it may not apply to this type of data compromise event.

3C: How do you expect the HBO hack to impact the emerging cyber insurance market?

Goddijn: We have already seen an uptick of interest in cyber coverage post-WannaCry and Petya malware events. This is yet another high-profile breach that highlights the fact that data has value. Attackers will go after what has value, which in turn can have a real financial impact on the breached organization. Cyber insurance is still the best option for addressing that monetary fallout.

3C: Could this accelerate wider implementation of third-party best practices; or, perhaps, smarter and wider use of encryption?

Goddijn: It’s hard to say. We’ve seen so many high-profile breaches come and go with little visible impact on security practices. Certainly that’s not true for all—as there is an argument to be made that the Target and Home Depot breaches accelerated the adoption of chip-enabled credit cards. What we can say is that each event like this does highlight just how important data security is to practically every business.

3C: Do you anticipate that the HBO hack will help give focus to cyber insurance?

Goddijn: Each breach that makes headlines the way the HBO event has puts more focus on cyber insurance options. What will be interesting to watch unfold is how the cyber market will address the increasing number of attacks targeting intellectual property.

3C: So what is being discussed in the insurance community with respect to extending coverages to include loss of intellectual property?

Goddijn: Traditionally, the insurance market has shied away from covering events like theft of trade secrets or damage to intellectual property. Perils like trademark or copyright infringement arising out of content created by the insured is widely available, but events such as the HBO breach—and more specifically the compromise of proprietary works—is not an area most carriers are comfortable entering.

Unlike a car or a building, it’s difficult to determine the value of something like a secret formula or an unreleased episode of a popular show. The actual value of the intellectual property itself is subjective and can change over time. Anytime there is that level of uncertainty around pricing a risk, it’s sure to cause hesitation for the underwriters.

3C: How far off on the horizon is wide availability of intellectual property coverage? A year or two? Beyond that?

Goddijn: The diligent buyer that is interested in third-party coverage for a compromise of the I.P. of others can find this in today’s marketplace. It may take some looking, and specific circumstances may prevent any carrier from offering the coverage to a specific buyer, but it can be found. As for first-party coverage for intellectual property, that is a very rare product. There are only a handful of carriers willing to offer this, and it comes with its own host of coverage caveats. Given the nature of the exposure, it’s not likely we’ll see insurance carriers jumping into this area anytime soon.
