Cyber insurance rises to meet increasing security challenges

Commercial risk management includes accounting for cyber risks

Editor’s note: Cyber attacks pose a new set of exposures all businesses must address, just like the risks associated with a fire or earthquake. In part one of a three-part series, ThirdCertainty examines how cyber insurance is taking shape to mitigate this exposure.

You can’t sue Uncle Sam. Thus the U.S. Office of Personnel Management really won’t have to worry about paying any legal settlements to the 22 million people for whom OPM lost sensitive personal data.

But what about private-sector organizations? Cyber spies, hacktivists and data thieves are assaulting both public and private networks as intensively as ever.

Cyber disruptions can play out in costly network shutdowns like the ones that temporarily derailed the global operations of United Airlines, the New York Stock Exchange and the Wall Street Journal last week. (No evidence of malicious attacks in any of those incidents has surfaced—yet.)

Meanwhile, relentless cyber assaults on corporate networks regularly culminate in the direct theft of crown-jewel data. Just ask Katherine Archuleta, the embattled head of OPM, who stepped down July 10 after admitting hackers breached her agency multiple times.

Cyber liability exposures are material and growing. Major network breaches at Target, Home Depot, Neiman Marcus, Sony Pictures, JP Morgan, Morgan Stanley, Community Health Systems, Anthem and Premera Blue Cross represent just the tip of the iceberg.

One bottom-line metric: The global cost of data breaches is rising nearly 3 percent a year, from roughly $600 billion this year to $2.5 trillion in 2020, according to Juniper Research, a consultancy based in Hampshire, England.

In most years, catastrophic weather disasters won’t cause anywhere near that much damage in the world of global commerce. Yet, insuring against physical and natural disasters is a long established, fully understood cost of doing business.

Types of risk

There is much to suggest that cyber insurance, now in its infancy, is destined to follow a similar arc and eventually become as common as business insurance coverages for fire, floods and earthquakes.

“Cyber insurance is a risk-management tool that companies can use to help manage the financial impact of a data breach, which can be significant,” says Shawn Dougherty, director of cyber commercial lines product development for ISO Insurance Programs and Analytic Services.

Available for roughly the past five years, cyber insurance typically covers the costs involved in consumer notification, credit checks, business interruption and lawsuits that could stem from a hacker attack of corporate networks.

Two main types of risks are covered by cyber insurance that now dominate the market, according to research from Tyler Moore, professor of computer science and engineering at Southern Methodist University.

“First-party” risks refer to damages stemming from business interruption, data destruction, identity theft and cyber extortion. “Third-party” risks refer to network security liability and software and Web content liability.

In an era of mounting cyber threats, cyber insurance for businesses seems to be a no-brainer. What company would not want to guard against potential cyber losses?

Yet many businesses still are gun-shy about buying such policies. Lloyd’s of London says only a small percentage of business losses attributable to cyber attacks are insured. Meanwhile, companies that do purchase cyber insurance policies tend to view them as a necessary evil.

That’s the upshot of a recent survey of members of The Risk and Insurance Management Society, a renowned professionals’ group with 11,000 members in 60 countries.

Underestimating the threat

A whopping 98 percent of respondents to the 2015 RIMS Cyber Survey said that their companies bought cyber insurance because it was a regulatory or business-related “contractual obligation.”

And yet some 75 percent of survey takers indicated they planned to buy cyber insurance sometime in the next two years.

The RIMS survey highlights the complex challenge companies face dealing with cyber exposures in the Information Age.

Many businesses continue to underestimate cyber threats. While organizations, in general, have made progress in limiting their exposure to cyber threats, too many senior executives still do not fully understand these emerging exposures, according to the Center for Insurance Policy and Research.

Network breaches are still widely viewed as just another technical issue to be addressed by the IT staff. Truth of the matter is that cyber threats increasingly are proving to be a material obstacle that can undermine a company’s core business model.

The obliviousness of business leaders isn’t the only obstacle. The insurance industry also has a lot of work to do. As with every young sector, cyber insurance resembles a wild, emerging market with hundreds of insurers and products, fast-changing technology, and budding industry practices.

A recent report for the Cyber Security Policy and Research Institute (CSPRI) found that the nascent market, while promising, faces a range of roadblocks that include poor standards, “uncertainty about liability,” “spotty coverage and insurance loopholes,” and other issues.

Complicating matters, little actuarial data exists for cyber insurance—unlike auto, property and natural disasters. That means that cautious underwriters must wrestle with wide-ranging risk estimates and pricing for premiums that scare away businesses.

Undefined costs

Meanwhile, many companies already are spending small fortunes on information security technologies, including firewalls, intrusion detection systems, and encryption services. Cyber insurance represents another expenditure, and the costs are undefined.

Depending on the breadth of coverage, the size of the business, and the strength of its existing security, premiums can range from hundreds of dollars to hundreds of thousands of dollars a year.

Ola Sage, CEO of the e-Management consulting firm, said in a recent congressional hearing that the whole experience of buying and renewing cyber insurance left her “stunned, surprised, frustrated, confused, discouraged.”

Many companies are just plain unaware of the existence of cyber insurance products. Some think that their cyber losses will be covered by traditional policies, such as commercial general liability.

Yet, most insurers today offer separate “stand-alone” cyber policies that cover loss of data, business interruption, cyber extortion, breach of privacy, directors and officers’ liability, and other coverage.

When businesses take their insurance companies to court, the courts have sided with insurers. Case in point: In early 2014, the New York Supreme Court ruled that Sony’s general liability insurer Zurich American Insurance Co. did not cover “personal and advertising injury” in connection with a headline-grabbing data breach of Sony’s PlayStation system in 2011.

That ruling “has sparked a lot of conversation,” says Linda D. Kornfeld, a cyber insurance attorney with Kasowitz Benson Torres & Friedman. “Questions are being asked about whether it’s less likely that you can rely upon traditional insurance to pay when you have a (cyber) claim.”

Virtuous cycle

Companies that decide to buy a separate cyber insurance policy can sometimes feel like they’ve been put through a wringer. They must endure an extensive application process that includes documenting network security policies and crisis response strategies. They typically also must demonstrate compliance with federal, state and payment card industry rules and regulations.

Often brokers who excel at selling traditional coverage don’t do such a great job at explaining complex cyber policies and showing companies, through real-world examples, the tangible benefits of such coverage, says Nate Spurrier, director of business development for IDT911, which sponsors ThirdCertainty.

Insurance brokers who do understand the potential and take the time to push sales of available policies actually could help trigger a virtuous cycle, says Moore, of SMU.

Companies seeking cyber coverage would begin to adopt better security practices. And as more policies get sold, the insurance industry should begin to make simplified policies more widely available.

Wider availability of affordable cyber insurance could “incentivize firms to implement good security practices,” Moore says, and insurance companies could “lower premiums for firms that adopt safeguards to mitigate risk.”

Cyber insurance series

Part 2: Despite barriers, cyber insurance is catching on in key sectors

Part 3: Not all policies are equal — tips for businesses shopping for cyber insurance

Q&A: Companies tap cyber insurance to manage risks