U.S. businesses are now spending more than $2 bn annually for cyber insurance policies as interest in this coverage has grown dramatically following numerous high profile data breaches. These breaches impacted millions of Americans, especially those who’d interacted with major retailers and health insurers.
“Technologies once seen as highly secure have subsequently been penetrated by hackers”
In 2015, 781 data breach events were publicly acknowledged, resulting in the release of more than 169.1 million records. The U.S. government has also been targeted. As many as 14 million current and former civilian government employees, for example, had their personnel records compromised in two separate hacker attacks. In 2014, the number of U.S. data breaches tracked hit a record 783, with 85.6 million records exposed.
Despite conflicting analyses, the costs associated with these losses are increasing. McAfee and the Center for Strategic and International Studies (CSIS) estimated the likely annual cost to the global economy from cybercrime at $445 bn a year, with a range of between $335 bn and $575 bn.
Cyberattacks have the potential to be massive and wide-ranging due to the interconnected nature of this risk, which can make it difficult for insurers to assess their likely severity. In fact, that is one of the reasons some observers believe that cyber exposure is greater than the insurance industry’s ability to underwrite adequately the risk.
More than 60 carriers offer stand-alone cyber insurance policies, and Marsh, a major insurance broker, estimates the U.S. cyber insurance market has the potential to triple by 2020, growing to $7.5 bn.
In Cyber Risk: Threat and Opportunity, Claire Wilkinson, who writes the Insurance Information Institute’s award-winning Terms + Conditions blog, and I examined where the cyber threats are coming from—from foreign governments and criminal enterprises to disgruntled employees—and how U.S. businesses can protect themselves from the substantial economic fallout of a data breach. Released in October 2015, the white paper also surveyed the rapidly evolving market for cyber insurance, including pricing and limits purchased.
Stand-alone cyber insurance policies typically feature the following coverages:
Liability—Covers the costs (e.g., legal fees, court judgments) incurred after a cyberattack, such as data theft, or the unintentional transmission of a computer virus to another party, causing them financial harm.
Crisis Management—Covers the cost of notifying consumers about a data breach that resulted in the release of private information, and providing them with credit monitoring services, as well as the cost of retaining a public relations firm, or launching an advertising campaign to rebuild a company’s reputation.
Directors & Officers (D&O)/Management Liability—Covers the cyber liability risks faced individually by a company’s key decision makers while acting on behalf of the company.
Business Interruption—Covers loss of income due to an attack on a company’s network that limits its ability to conduct business.
Cyber Extortion—Covers the “settlement” of an extortion threat against a company’s network, as well as the cost of hiring a security firm to track down the blackmailers.
Loss/Corruption of Data—Covers damage to, or destruction of, valuable information assets as a result of “viruses, malicious code and Trojan horses.”
Adam Hamm, North Dakota’s Insurance Commissioner and the chairman of the National Association of Insurance Commissioners’ (NAIC) Cybersecurity Task Force, has correctly noted that criminals target insurers because they keep personal, financial and health information.
Yet other industries, law enforcement, and consumers worldwide are also paying close attention to the risk of cyberspace and developing a corresponding response.
Indeed, “Cyber Crime, Information Technology (IT) failure, espionage” climbed to number five on Allianz’s Top 10 Global Business Risks for 2015. It had ranked at number eight in 2014, the same year 783 data breaches were reported by U.S. businesses, most of them medical/healthcare organizations, according to the Identity Theft Resource Center.
Because computing and data storage and retrieval technologies changes rapidly, there is no sure-fire way to protect digital data and computer systems. Technologies once seen as highly secure have subsequently been penetrated by hackers.
For instance, websites worldwide used an encryption technology called OpenSSL for many years before OpenSSL was discovered to be vulnerable to cyberattack. Nonetheless, businesses may be able to limit their cyber liability risk by:
•Installing, maintaining and updating security software and hardware.
•Contracting with an IT security services vendor.
•Using cloud computing services.
•Regularly backing up data at a secure offsite location.
At the same time, however, businesses ought to talk with their insurance professional about purchasing the right type, and amount, of cyber insurance coverage.