The last time that Infosecurity looked at the cyber-insurance market, the hype machine was in overdrive about taking it out, what it covers and how much coverage you could get. However, the big question remains whether it is really worthwhile having insurance to protect you from an unknown threat.
After all, Target had at least $100 million of cyber-insurance to cover its 2013 breach. Typically, cyber-insurance covers first-party and third-party losses: first-party coverage handles the internal costs incurred by the company, while third-party coverage handles the fallout from cybersecurity events that affect other companies and individuals.
According to research released in June by Mimecast, firms are unsure about how their cyber-insurance policies are affected by evolving email attacks. Its survey of 436 IT experts found that 45% of firms with cyber-insurance are unsure if their policy is up-to-date for covering new social engineering attacks, and only 10% believe it is completely up-to-date. Just 43% of firms with cyber-insurance are confident that their policies would pay out for whaling financial transactions. Nearly two-thirds (64%) of firms don’t have any cyber-insurance at all.
“Cyber-insurance uptake is growing quickly, but a lack of employee training on the latest email attacks is leaving organizations at great risk of breaking policy terms,” said Steven Malone, director of security product management at Mimecast.
“While insurers often pay for clean-up fees after a breach, it is important that organizations check that their policies protect them if an employee is tricked into sending a large amount of money to a fraudulent account. Attacks where employees are tricked into sending personal data or intellectual property are even less likely to be fully covered.”
“With the cybersecurity landscape constantly evolving, cyber-insurers will have great difficulty keeping their coverage up-to-date. A comprehensive cyber resilience strategy is only effective alongside regular employee training on the latest threats combined with appropriate technology fail-safes.”
Mimecast is not alone in highlighting this issue – PwC’s Global State of Information Security Survey for 2016 found that 59% of businesses were implementing cyber-insurance to improve their posture, while a survey of attendees at the 2015 Black Hat USA conference found that 37% of respondents said it was either “highly likely” or that they “have no doubt” that they would face a major breach in the next 12 months; in 2016, that figure had risen to 40%.
One solution to the problem could be a central database of cyber-incidents, which would address the lack of data insurers need to price cyber-risk properly, helping the cyber-insurance market to grow and provide more choice for businesses.
The Association of British Insurers (ABI), which proposed the idea, said it would be a not-for-profit database containing details of incidents including business interruption losses, ransom demands, loss of confidential data, and damage to IT systems.
The anonymized data would be made accessible to insurers who could then use it to improve pricing, and potentially put the UK at the forefront of the global market. Brunella Flackett, client partner for Financial Services and Private Equity with Armstrong Craven, believes the database can be of benefit in other ways too. “We have completed an insight project for an insurance client which wanted to understand the optimal organizational structure for a number of different areas including digital; they wanted to know what best practice looked like in other sectors as well as their own and this included how others were addressing the cyber issue,” she said.
“Because cyber is a fast emerging area, the talent is scarce and therefore in high demand. Organizations are moving fast to map and pipeline the best talent in this very specialist field to ensure they have the best possible strategy in place in the event of attack.”
In this section we will look at the cyber-insurance sector, with opinions on coverage, underwriting and how information security, attacks and insurance are coming together.
Reducing the Exposure of a Breach – Dan Trueman, underwriter at Lloyd’s
Catastrophic losses from data breaches can affect any business, of any size or industry. Even for those covered by insurance policies, many will be unaware of the specifics and whether a cyber-attack is included in their cover or not (known as “silent cyber”). According to research from Mimecast, an alarming number of businesses have little or no idea whether they are covered against particular threats – a worrying prospect.
Without expert insight, it is quite challenging for many businesses to quantify their exposure to a cyber-attack. As such, it is vital for businesses to increase levels of insurance for better risk management.
Understanding Cyber-Insurance
Traditionally, cyber-insurance covered losses relating to damage to, or loss of information from, IT systems and networks, but today it does much more than that. It covers both the liability of holding large amounts of data and a business’ resilience.
In today’s threat landscape, insurers are capable of covering various types of risk, from cyber-extortion and ransomware to liability for holding payment data. Working with underwriters who understand this risk from the beginning will benefit a company’s security strategy enormously, as it allows businesses and insurers to identify their risks from the outset.
This also means better value, cheaper premiums and more accurately aligned tools in place to protect the organization – working with the C-suite, security teams can protect the business from the perils based on vulnerabilities, not just ones they think they need protection from. It’s all about building cyber-insurance in alongside tools that protect the business from the inside out from the beginning – not bolting it on when a new threat appears.
Data is the New Oil
Hand-in-hand with a good cyber-insurance policy is the implementation of security software and hardware that can help protect an organization’s most valuable commodity – data. It’s vital that this asset is kept safe and insured for extra protection. Shareholders and customers are already judging businesses by how they handle a breach.
With data now nicknamed the ‘new oil’, it is a high-risk commodity, and because of this there is a huge requirement for better expertise and a greater emphasis on consolidation and best practice.
Because the cyber-insurance industry has been dealing with notification for many years, it understands where the risks lie and also the possible exposure of a data breach. Having cyber-insurance implemented from the beginning can ensure any notification is effective, risks are reduced and any communication is accurate.
Protecting the Balance Sheet, Together
Huge hacks such as those on TalkTalk and Ashley Madison have highlighted how it’s now a matter of “when, not if” a company suffers a cyber-attack or breach, but they shouldn’t be company-ending events. This is where the expertise from the security industry and insurers can work together to combat the growing threat.
It’s no longer a case of “us vs them” when it comes to insurance and security teams. Insurers deal with thousands of organizations a year, and it’s important for these teams to work together to minimize the risks of cyber-events.
Insurers are not there to tell businesses that they are not doing enough, but instead to help them understand what effective and efficient best practice is. By doing so, businesses can protect their balance sheet, also ensuring that catastrophic loss is minimized, making sure there is value – even if the incidents are small. Cyber-insurance can also help to improve standards and give CISOs the tools or standards to get buy-in from the board for more effective security investment.
What Does the Future Hold?
Online operations are now essential to all modern business. With data the lifeblood of an organization, cyber-insurance looks increasingly likely to become the main type of insurance businesses look to take out. Other types of insurance that are currently more mainstream, such as property, will soon become a simple add-on.
In today’s digital landscape, it’s about organizations working more closely to reduce their levels of risk, and also protecting a company’s balance sheet, when the worst does happen.
Writing for the Underwriter – Matt Cullina, CEO of IDT911
Matt Cullina is CEO of IDT911, a US-based cybersecurity and identity theft protection firm with a strong foothold in the cyber-insurance space. He explained that the company’s biggest partner is the B2C insurance market: working with 17 of the top 20 underwriters, it develops a program that involves underwriting and coverage development for brokers.
He said: “To information security, at our core we manage crisis and if someone is calling fire and facing security incidents, for 90% to 95% of policies we are the first number they call. We create a coverage form and that gets into our data breach response team.”
The company builds a co-branded program and a policy, and a carrier underwrites it. With GDPR coming into force from May 2018, when the reporting of data breaches will become mandatory, Cullina said that users need to be sure the processes and capabilities are in place to handle these cases and that the correct steps are taken for the regulator.
So are cyber-insurance policies hard to write? Cullina said that normally it is an endorsement or add-on to liability insurance of £50, £100 or £200 to add the cyber element, and that this is typically the market the company has gone with.
“The risk tends to be proportionate to the number of records, so you can have a small accountancy firm with sensitive data or have a large manufacturing company with exposure due to distribution, but it is not compared to number of employees they have, so it is about looking at risks and damage coverage,” he said.
“For the average business, the best cost is not just for crisis response, it is also for coverage of downtime during ransomware, and if a small business is targeted and has its website taken down and money is lost, it is reimbursable. So it is not just for crisis cover, but if damage is done when business was down.”
Cullina said that the company’s fastest growing area is smaller retailers who deal exclusively through the Amazon Marketplace, and cyber-insurance covers them as the last thing that they want to do is blend cyber with personal risk.
So have they seen more interest and demand in the past few years? “The education issue with small businesses is that they don’t understand the value of the records that they truly hold, and their element of IT is that they don’t think they are responsible for risk, so we combat that with training sessions with the brokers.”
“A lot of small businesses don’t have budget to deal with pressures, so we went where there is high risk and no coverage. A small business with a total insurance spend of £2500 is not going to spend again on a cyber-risk that they don’t deem to be important, so bring limits and policies and improve to a point, and it becomes a much more attractive proposition for them, and those businesses have some level of protection.”
Cullina explained that in the USA, regulations are more developed and there is more of a reason to buy, since if you are breached there are steps you have to take. “As soon as the CEO thinks logically about the requirements of a data breach, it becomes more and more worth it,” he said.
“It’s not about how many records or employees you have, it’s about how you store the data and what type of business you are. In a typical claim scenario, legal is the biggest expense, but in cyber it is forensics and often it is a needle in the haystack situation.”
“Information security costs range and that can create a limit. There are certain cases where a company has lost 4000 records, and should you be informing those customers or making better use of that spend.”
Understanding What You Are Covered For – Norton Rose Fulbright partner Ffion Flockhart and associates Steve Hadwin and Rahul Mansigani
Cyber-risk is constantly evolving. As IT professionals know, the risks are many and varied; with over one million new types of malware being developed every single day, cyber-attacks can cost companies dearly in terms of business interruption and reputational damage. Additionally, with cyber-security and data protection now firmly a priority on the global regulatory agenda, businesses may also be exposed to legal liability if they do not adequately protect the personal data of their customers and employees.
Cyber-insurance offers one way for businesses to manage these risks. It can be used to “plug the gaps” in cover which traditional insurance products leave behind.
Cyber-Insurance – What is Covered?
Cyber-policies cover certain direct losses to the business and/or liabilities to third parties that arise out of unauthorized access to, or use of, an organization’s electronic information, or the destruction or loss of that information. Most cyber-policies also offer a number of valuable add-on incident response services, such as legal, forensic, PR and crisis management support. Such services can be an invaluable means of swiftly dealing with adverse incidents and mitigating their impact, including from a legal and regulatory perspective.
In terms of direct losses to the business, these may include instances where a hacking attack takes place and money is siphoned away from the company’s account or valuable data or intellectual property is lost. Cyber policies may also cover business interruption where the interruption was caused by a cyber-incident, such as a system failure (whether due to malicious hacking or not). For these types of loss, cyber-insurance affords protection in circumstances where traditional lines of insurance are unlikely to respond.
For instance, under most property damage insurance, the insured would be unlikely to get business interruption cover unless there has been some physical damage to property, which is generally less likely where a cyber-attack has occurred. Cover is also now increasingly becoming available for losses caused by cyber-terrorism (i.e. acts of terrorism committed via an organization’s electronic systems), which are usually expressly excluded from traditional terrorism cover.
Businesses are often concerned about reputational damage caused by a cyber-incident. This type of loss is, however, difficult to quantify in real terms and provides a challenge for insurers as they attempt to price the risk. At the moment, stand-alone cover for reputational damage is not generally available under cyber policies, but this is an area which the insurance industry is frequently being asked to consider.
In terms of potential liabilities to third parties, cyber-related losses are often not covered by professional indemnity insurance as they do not directly relate to the actual performance of professional services. For example, if an employee lost their laptop outside the workplace, inadvertently losing a vast amount of sensitive client data, a PI insurer might reject a claim on the grounds that it did not fall under the employee’s performance of professional services. With the majority of cyber-breaches within organizations last year being caused by employees, either deliberately or accidentally, companies may be exposed to potentially significant losses if broader cover insurance is not in place.
Changes to the Risk Landscape
The risk landscape in terms of potential liability to third parties has recently been widened by the English Court of Appeal’s landmark ruling in the case of Vidal-Hall v Google, which indicated that data subjects can sue without having suffered any financial loss. While this point is currently being appealed to the Supreme Court, the practical consequence could be that, if a business compromises an individual’s personal information, it could be subject to liability in damages for emotional distress, even if the individual hasn’t suffered any actual monetary loss.
From a regulatory perspective, undoubtedly the biggest development in terms of insurable risk is the General Data Protection Regulation (GDPR). Due to come into force in May 2018, the GDPR will place significantly enhanced data protection obligations on organizations whose goods and services are directed at EU citizens. The extra-territorial reach of the GDPR means that its provisions, including the substantial fines, will still apply to UK organizations even if Britain were no longer a member state. This will include any UK-based service providers who process personal data of EU citizens and, more widely, any UK companies that have an online sales presence in the EU, so the implications are potentially huge.
Those companies are expected to look increasingly to cyber-insurance to cover the risks that arise out of these obligations. This growth in cyber-insurance uptake reflects the position in the USA, where cyber-insurance is a considerably more mature market.
Under the GDPR, national data protection authorities will have powers to impose fines of up to £20 million, or 4% of annual global turnover, on companies who breach their data protection obligations. However, the extent to which these fines may be covered under a cyber-policy is uncertain under English law.
As a matter of public policy, there is a general reluctance to allow companies to pass on liability for unlawful acts to insurers, so the insurability of a fine will depend on the nature of the business’ conduct. English law suggests that any deliberate or reckless behavior is not insurable. The parties to a cyber-policy therefore need to be aware that the position on insurability of fines is not clear-cut, and the insured will need to carefully consider its potential exposure under the GDPR and put in place strategies to mitigate potential loss.
Cyber-insurance provides protection against a range of risks that may not be covered by traditional insurances, and is an increasingly attractive option for many businesses as they consider how to manage and mitigate the exposure they face.
As indicated above, the risk landscape faced by businesses is constantly changing as a result of ever-evolving cyber threats and a developing legal and regulatory environment. It is therefore increasingly important that businesses scope out the risks they face and consider whether to obtain cyber-insurance appropriate to their specific needs and exposure.