Cyber insurance rises to meet increasing security challenges
Commercial risk management includes accounting for cyber risks
By Byron Acohido and Edward Iwata, ThirdCertainty
Editor’s note: Cyber attacks pose a new set of exposures all businesses must address, just like the risks associated with a fire or earthquake. In part one of a three-part series, ThirdCertainty examines how cyber insurance is taking shape to mitigate this exposure.
You can’t sue Uncle Sam. Thus the U.S. Office of Personnel Management really won’t have to worry about paying any legal settlements to the 22 million people for whom OPM lost sensitive personal data.
But what about private-sector organizations? Cyber spies, hacktivists and data thieves are assaulting both public and private networks as intensively as ever.
Cyber disruptions can play out in costly network shutdowns like the ones that temporarily derailed the global operations of United Airlines, the New York Stock Exchange and the Wall Street Journal last week. (No evidence of malicious attacks in any of those incidents has surfaced—yet.)
Meanwhile, relentless cyber assaults on corporate networks regularly culminate in the direct theft of crown-jewel data. Just ask Katherine Archuleta, the embattled head of OPM, who stepped down July 10 after admitting hackers breached her agency multiple times.
Cyber liability exposures are material and growing. Major network breaches at Target, Home Depot, Neiman Marcus, Sony Pictures, JP Morgan, Morgan Stanley, Community Health Systems, Anthem and Premera Blue Cross represent just the tip of the iceberg.
One bottom-line metric: The global cost of data breaches is rising nearly 3 percent a year, from roughly $600 billion this year to $2.5 trillion in 2020, according to Juniper Research, a consultancy based in Hampshire, England.
In most years, catastrophic weather disasters won’t cause anywhere near that much damage in the world of global commerce. Yet insuring against physical and natural disasters is a long-established, fully understood cost of doing business.
Types of risk
There is much to suggest that cyber insurance, now in its infancy, is destined to follow a similar arc and eventually become as common as business insurance coverages for fire, floods and earthquakes.
“Cyber insurance is a risk-management tool that companies can use to help manage the financial impact of a data breach, which can be significant,” says Shawn Dougherty, director of cyber commercial lines product development for ISO Insurance Programs and Analytic Services.
Available for roughly the past five years, cyber insurance typically covers the costs involved in consumer notification, credit checks, business interruption and lawsuits that could stem from a hacker attack on corporate networks.
Two main types of risk covered by cyber insurance now dominate the market, according to research from Tyler Moore, professor of computer science and engineering at Southern Methodist University.
“First-party” risks refer to damages stemming from business interruption, data destruction, identity theft and cyber extortion. “Third-party” risks refer to network security liability and software and Web content liability.
In an era of mounting cyber threats, cyber insurance for businesses seems to be a no-brainer. What company would not want to guard against potential cyber losses?
Yet many businesses still are gun-shy about buying such policies. Lloyd’s of London says only a small percentage of business losses attributable to cyber attacks are insured. Meanwhile, companies that do purchase cyber insurance policies tend to view them as a necessary evil.
That’s the upshot of a recent survey of members of The Risk and Insurance Management Society, a renowned professionals’ group with 11,000 members in 60 countries.
Underestimating the threat
A whopping 98 percent of respondents to the 2015 RIMS Cyber Survey said that their companies bought cyber insurance because it was a regulatory or business-related “contractual obligation.”
And yet some 75 percent of survey takers indicated they planned to buy cyber insurance sometime in the next two years.
The RIMS survey highlights the complex challenge companies face dealing with cyber exposures in the Information Age.
Many businesses continue to underestimate cyber threats. While organizations, in general, have made progress in limiting their exposure to cyber threats, too many senior executives still do not fully understand these emerging exposures, according to the Center for Insurance Policy and Research.
Network breaches are still widely viewed as just another technical issue to be addressed by the IT staff. Truth of the matter is that cyber threats increasingly are proving to be a material obstacle that can undermine a company’s core business model.
The obliviousness of business leaders isn’t the only obstacle. The insurance industry also has a lot of work to do. As with every young sector, cyber insurance resembles a wild, emerging market with hundreds of insurers and products, fast-changing technology, and budding industry practices.
A recent report for the Cyber Security Policy and Research Institute (CSPRI) found that the nascent market, while promising, faces a range of roadblocks that include poor standards, “uncertainty about liability,” “spotty coverage and insurance loopholes,” and other issues.
Complicating matters, little actuarial data exists for cyber insurance—unlike auto, property and natural disasters. That means that cautious underwriters must wrestle with wide-ranging risk estimates and pricing for premiums that scare away businesses.
Meanwhile, many companies already are spending small fortunes on information security technologies, including firewalls, intrusion detection systems, and encryption services. Cyber insurance represents another expenditure, and the costs are undefined.
Depending on the breadth of coverage, the size of the business, and the strength of its existing security, premiums can range from hundreds of dollars to hundreds of thousands of dollars a year.
Ola Sage, CEO of the e-Management consulting firm, said in a recent congressional hearing that the whole experience of buying and renewing cyber insurance left her “stunned, surprised, frustrated, confused, discouraged.”
Many companies are just plain unaware of the existence of cyber insurance products. Some think that their cyber losses will be covered by traditional policies, such as commercial general liability.
Yet, most insurers today offer separate “stand-alone” cyber policies that cover loss of data, business interruption, cyber extortion, breach of privacy, directors and officers’ liability, and other coverage.
When businesses take their insurance companies to court, the courts have sided with insurers. Case in point: In early 2014, the New York Supreme Court ruled that Sony’s general liability insurer Zurich American Insurance Co. did not cover “personal and advertising injury” in connection with a headline-grabbing data breach of Sony’s PlayStation system in 2011.
That ruling “has sparked a lot of conversation,” says Linda D. Kornfeld, a cyber insurance attorney with Kasowitz Benson Torres & Friedman. “Questions are being asked about whether it’s less likely that you can rely upon traditional insurance to pay when you have a (cyber) claim.”
Companies that decide to buy a separate cyber insurance policy can sometimes feel like they’ve been put through a wringer. They must endure an extensive application process that includes documenting network security policies and crisis response strategies. They typically also must demonstrate compliance with federal, state and payment card industry rules and regulations.
Often brokers who excel at selling traditional coverage don’t do such a great job at explaining complex cyber policies and showing companies, through real-world examples, the tangible benefits of such coverage, says Nate Spurrier, director of business development for IDT911, which sponsors ThirdCertainty.
Insurance brokers who do understand the potential and take the time to push sales of available policies actually could help trigger a virtuous cycle, says Moore, of SMU.
Companies seeking cyber coverage would begin to adopt better security practices. And as more policies get sold, the insurance industry should begin to make simplified policies more widely available.
Wider availability of affordable cyber insurance could “incentivize firms to implement good security practices,” Moore says, and insurance companies could “lower premiums for firms that adopt safeguards to mitigate risk.”