Cyber Insurance: What Is It and Who Needs It?

August 15, 2014

Breaking news earlier this month reported one of the biggest cyber attacks ever. A cybercrime gang of fewer than a dozen people from south central Russia had amassed a staggering 1.2 billion user name and password combinations and 500 million email addresses from poorly protected sites. The level of complexity involved in their work seems worryingly basic—checking company websites for vulnerabilities and, once a vulnerability was found, stealing user credentials. An attack of this magnitude should cause all business owners and managers to reconsider the security of their systems and question whether their risk protection is adequate. As headline stories of cyber attacks and data breaches have increased, so has demand for cyber insurance among companies expanding their risk mitigation strategies.

What Is Cyber Insurance?
The cyber insurance market is still in its infancy and as such cyber insurance is not a standard product. Policies are tailored to the unique needs of the insured but protect against first party and third party risks.

Third Party Coverage—Insures for the liability of the policyholder to third parties, including clients, business associates and governmental entities. This type of insurance is more readily available than first party insurance, described below.

• Litigation and regulatory costs of lawsuits, judgments, settlements and penalties
• Legal and other professional expenses in responding to inquiries from governmental entities and the related expenses of fines, penalties or other sanctions
• Costs to notify clients, employees or victims of a cyber event
• Crisis management and public relations costs of a cyber event
• Media liability for copyright, trademark or service mark infringement for online publication by the insured
• Liability to clients or employees for a privacy breach

First Party Coverage—Insures for losses to the policyholder’s data, lost income or other harm to the business. This type of insurance is less prevalent because of the limited amount and nature of coverage it offers.

• Destruction or loss of data due to a cyber event
• Theft and transfer of funds
• Legal and other professional services to assess, mitigate or stop a cyber attack
• Business interruption and lost income related to a cyber event
• Extortion payments for threats to disclose sensitive information and related investigations
• Loss of computer-related assets and data restoration

The Department of Homeland Security Cybersecurity Insurance Workshop Report states that one of the obstacles to developing a robust cyber insurance market, especially for first party coverage, is the widespread, mistaken belief that standard corporate insurance policies and/or general liability policies already cover most cyber risks. Some elements of cyber insurance coverage may be interconnected or overlap with existing coverage, but be aware of the battle raging between companies and insurers over the definition of property damage. A standard definition of property damage includes “physical injury” to “tangible property”, including all resulting loss of use of that property. Insurers typically argue that data is not “tangible property” that can suffer “physical injury” and, therefore, is not “property damage”. However, a number of courts have disagreed, holding that damaged or corrupted software or data is “tangible property” that can suffer “physical injury.” Companies that lack explicit cyber coverage often try to bring cyber incident claims under other policies, which is leading insurers to add exclusions for cyber incidents to general liability policies. Which losses are covered under general liability policies and which will be segregated out for separate coverage is an evolving area.

Premiums for cyber insurance vary widely. Although cyber insurance has been around for more than ten years, there still is little empirical data on incidents. Companies don’t want the public to know about security breaches and other vulnerabilities in their systems, so many incidents go unreported. Therefore, standardized insurance prices and policies are hard to come by. The nature of the risk for any given business is often unique so policies are built and priced around the needs of the business, but even the same set of circumstances can result in divergent premium amounts because insurers and buyers don’t always understand the risks that are being transferred. In order to purchase cyber insurance, a company will have to demonstrate that its first line of defense against a cyber incident is self-protection through a comprehensive risk management program.

Who Needs Cyber Insurance?
In general, small and midsize businesses are ideal candidates for cyber insurance, because they may be less prepared for a cyber incident and less able to absorb the associated costs. They often rely on someone else to host their Web sites, track inventory or authorize credit card purchases and generally have no control over those systems’ reliability and maintenance. Larger companies, with more substantial risk management and legal departments, are better equipped technically and financially for a cyber incident, which could make insurance a less effective risk management tool. Larger corporations usually do things in-house and can keep an eye on processes better.

Third-party risks exist for just about any business, though. Any business that collects protected health information or personally identifiable, non-public information such as bank account numbers, credit card numbers, or Social Security numbers has an insurable risk. One of the biggest risks for a company is unauthorized access from a virus, allowing a third party to breach the system. Data breach notification laws require a business to address the breach and notify potential victims in compliance with those laws. The aftermath of an incident is far reaching; it can drag on for months and result in devastating losses.

The Computer Security Institute Computer Crime and Security Survey report offered a sobering insight which makes a case for including cyber insurance in the risk management strategy of any business. Respondents did not seem to feel that their challenges were attributable to a lack of investment in their security programs or dissatisfaction with security tools, but rather that, despite all their efforts, they still could not be certain about what was really going on in their environments, nor whether all their efforts were truly effective. This lack of visibility into the severity of threats and the degree to which threats are effectively mitigated is a perennial problem in security and it presents problems for anyone trying to make sense of the state of information security.

What Is Government’s Role?
In recent years, the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) has brought together a diverse group of private and public sector stakeholders – including insurance carriers, risk managers, IT/cyber experts, critical infrastructure owners, and social scientists – to examine the current state of the cybersecurity insurance market and how best to advance its capacity to incentivize better cyber risk management. Its efforts are fueled by the belief that a robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection. Between November 2012 and July 2014, DHS convened the stakeholders for four workshops on the topic of cyber insurance. Read the workshop reports at http://www.dhs.gov/publication/cybersecurity-insurance.

C3 Advisors, LLC
August 15, 2014

C3 Advisors converges the three essential business elements—Process, People and Technology—to help businesses thrive, not just survive, by improving profitability and reducing risk. Our services help our clients improve process optimization, people integration and technology maximization.

We have specific expertise in post-acute healthcare, technology and service companies. Please visit our website at http://www.c3advisors.com and for direct information about how C3 Advisors, LLC can assist your business, please call us at (630) 510-3181 or e-mail us at debd@c3advisors.com.
Find us on Facebook and LinkedIn. Subscribe to our newsletter by emailing debd@c3advisors.com.