The cyber attacks carried out against Sony, Target, Home Depot, and J.P. Morgan Chase garnered a great deal of press coverage in 2014, but data breaches, denial-of-service attacks, and other acts of electronic malfeasance are hardly limited to large, multinational corporations. However, it is the high-profile nature of these breaches, as well as the staggering monetary costs associated with several of the attacks, that are driving businesses of all types and sizes to seriously look at purchasing cybersecurity insurance.
Currently, the global market for cybersecurity insurance policies is estimated at around $1.5 billion in gross written premiums, according to reinsurance giant Aon Benfield. Approximately 50 carriers worldwide write specific cyber insurance policies, and many other carriers write endorsements to existing liability policies. The U.S. accounts for the lion's share of the market, about $1 billion in premiums spread out across about 35 carriers, according to broker Marsh & McLennan, with Europe accounting for just $150 million or so in premiums, and the rest of the world accounting for the balance of the policy value.
Due to strong privacy laws that have been enacted over the past decade, it is no surprise the U.S. is the leading market for cyber policies.
"The United States is many years ahead, due to 47 state privacy laws that require companies to disclose data breach incidents," says Christine Marciano, president of Cyber Data-Risk Managers LLC, a Princeton, NJ-based cyber-insurance broker. While notification may only cost a few cents per customer, large companies with millions of customers likely will be looking at outlays of millions of dollars each time a breach occurs, a cost that could be covered by a cyber insurance policy.
The market for cyber insurance is projected to grow strongly, largely due to regulatory changes being enacted in jurisdictions around the globe. The Data Protection Directive (Directive 95/46/EC), which is being debated by the European Union and is expected to be ratified by 2017, spells out customer privacy and data-breach notification requirements. This type of regulation likely will bolster the cyber insurance market in Europe, which currently accounts for less than 10% of the global cyber insurance premiums written, according to Nigel Pearson, global head of Fidelity at Allianz Global Corporate & Specialty (AGCS), one of the world's largest insurance firms.
Pearson notes that in the U.K., the Information Commissioner (a government-level post established to uphold information rights in the public interest) can fine companies up to about 500,000 pounds (about $750,000) for failure to prevent a data breach, but with the EU reforms currently being discussed, the potential fines for data breaches are likely to be significantly higher, portending a greater need for insurance coverage. "Where those fines and penalties are insurable, we'll pay them," Pearson notes.
Marciano agrees, noting that "once the EU Data Protection reform reaches an agreement and is passed, the European cyber insurance market will see many new insurers offering cyber insurance policies, and many companies seeking coverage."
Pearson says the market continues to evolve in Asia as well, as jurisdictions such as Hong Kong and Australia introduce tougher privacy laws. The market for cyber insurance is "certainly evolving in Asia," Pearson says, noting that "last year Hong Kong, Singapore, [and] Australia all had new data protection legislation. The big question is whether there is a requirement for mandatory notification."
General Policies Fall Short
One of the key reasons businesses need to consider a cyber insurance policy or endorsement is that general liability coverage only covers losses related to a physical act, such as a person breaking into an office and stealing files or computers. Cyber policies focus on so-called "intangible losses," which are often not covered under general business liability policies, Marciano says.
"Many business liability policies that are coming up for renewal now contain clearly defined data breach exclusions, whilst most of the older policies did not clearly define such losses, and in some instances in which a claim arose, such policies were challenged," Marciano says. "For those companies wanting to ensure they're covered for cyber and data risk, a standalone cyber insurance policy should be explored and purchased."
Damage caused by intrusions, attacks, or other losses must be covered by a specific cyber policy, which generally covers three main activities or issues related to a cyber attack: liability, business interruption, and the cost of IT notification and forensics, according to Pearson. Furthermore, cyber policies typically offer both first-party coverage (covering the policyholder's losses) and third-party coverage (covering defense costs and damages and liabilities to customers, partners, and regulatory agencies).
First-party coverage includes the cost of forensic investigations, which include determining whether a data breach has occurred, containing the breach, and then investigating the cause and scope of the breach. Other coverage elements include the cost of replacing or restoring computers and lost data, and the costs associated with interruption to the business (such as paying for alternative network services, employee overtime, and covering profits lost due to the data breach).
Other first-party costs often covered include the cost of public relations efforts to communicate appropriately to customers, business partners, and the press and general public, to try to prevent and limit lost business. Notification costs, call center costs, and credit monitoring services for victims of the breach are also items that can be covered by cyber policies, and often represent a major portion of the overall cost of the breach, given that many companies have hundreds of thousands, if not millions, of individual customers to contact.
Finally, the cost of financial losses caused directly by electronic theft and fraud can be covered, as can the cost of cyber-extortion, in which criminals take control of a company's Website or network, and refuse to relinquish control until a ransom is paid.
Third-party coverage will generally cover the cost to hire attorneys, consultants, and expert witnesses to defend a company from civil lawsuits by customers, business partners, and vendors harmed as a result of malware delivered via a compromised network, and shareholders (who may claim the value of their investment has been damaged as a result of the company's failure to protect itself). Insurance may also be purchased to cover any settlements or judgments entered against the company. Additional third-party coverage can be purchased to cover the costs of regulatory or administrative agency investigations, prosecutions, and fines or penalties, though certain state or country laws may prohibit the coverage of such fines by insurance.
However, identifying the proper coverage levels, as well as securing a fair quote, can be extremely challenging: a relatively small pool of actuarial data, the evolving nature of cyber attacks and breaches, and the unwillingness of many carriers to share claims data collectively make it difficult to craft standard cyber policies.
"Within cyber, it's not unusual to have quotes that vary by multiples, sometimes 100%, 200%, 300% different," Pearson says. "Companies are seeing the risks in very different ways, and are assessing the risk in very different ways."
Nevertheless, according to January 2015 testimony before the U.S. Senate Committee on Homeland Security & Government Affairs by Peter J. Beshar, executive vice president and general counsel for the Marsh & McLennan Companies, the average cost for $1 million of coverage is between $12,500 and $15,000 across industry sectors including healthcare; transportation; retail/wholesale; financial institutions; communications, media, and technology; education; and power and utilities.
According to news reports, the attack on Target cost that company $148 million, along with an investment of $61 million to implement anti-breach technology in the months after the attack. Meanwhile, Home Depot was expected to pay $62 million to cover the cost of its attack, including legal fees and overtime for staff.
Before the breach occurred, Target carried at least $100 million in cyber insurance. Home Depot had $105 million in cyber insurance at the time of the attack, and Sony, hacked in December, carried a $60-million policy. These policies helped offset some of the costs of the breaches, but not all, underscoring the need to ensure cyber policies' coverage levels match the potential losses.
Limitations and Exclusions
However, there are limits to coverage. Cyber insurance does not cover losses due to terrorist acts or acts of war, and according to Marciano, few cyber policies cover physical injuries or damage caused by an attack that started online but then caused actual physical damage in the real world. These are important issues businesses must consider when deciding on coverage levels.
"New threats and vulnerabilities are discovered daily, and it is hard to cover every cyber incident, especially evolving risks we don't yet understand," Marciano says. "Insurers tend to be conservative on evolving risks until they have a better understanding of how to quantify and cover them." As such, individual company limits are determined based on factors such as company size, industry, revenues, services offered, types of data (such as whether personal identifiable information or personal health information is stored by the company), and, ultimately, how much the company can afford to purchase.
Still, understanding how much insurance to carry has been a struggle for many companies, says John Farley, Cyber-Risk Practice Leader for North American insurance brokerage HUB International. "You want to understand what type of data you hold, and what could cause you heartache if it's compromised," he says, noting that certain types of businesses are likely to be deemed to be a higher risk for insurers, and therefore likely will require higher coverage limits. Unsurprisingly, the companies and industries that likely face the largest cyber security threats are those that hold and use sensitive consumer information, including IT companies, financial services companies, retailers, higher education organizations, and healthcare firms, according to Farley.
"Healthcare and retail would be considered higher risk than manufacturing," Farley says, noting that companies that hold personal information, financial data, or health information are more likely to be targets for attackers than those companies that do not have data that can easily be re-sold or used by cyber criminals.
However, carriers and brokers note that practicing good "cyber hygiene" can help lower the cost of purchasing insurance, particularly if a company and its policies, systems, and practices can demonstrate a reduction in cyber risk.
Marciano defines cyber hygiene as "implementing and enforcing data security and privacy policies, procedures, and controls to help minimize potential damages and reduce the chances of a data security breach."
Marciano says processes should be put in place to protect against, monitor, and detect both internal and external threats, as well as to respond and recover from incidents. "Establishing and enforcing policies and procedures, encrypting sensitive data at rest and in transit, being PCI compliant, adopting a security framework such as the NIST Cybersecurity Framework, and practicing good cyber hygiene can help companies obtain the most favorable cyber insurance premium."
Undergoing a network vulnerability assessment to determine the strengths and weaknesses of a firm's IT infrastructure can help companies spot weaknesses before they can be exploited, allowing them to be corrected; the firms can then obtain coverage priced on the basis of their tightened defenses.
The most important step a company can take is to ensure specific cyber coverage is already in place, and if not, to speak with a broker or carrier to obtain coverage, even if they believe their industry or business probably is not a target for hackers.
"The response we often get [from clients] is that 'I'm not Home Depot, I'm not Target, I'm not Chase, so the hackers aren't going to be after me,'" says Shawn Bernabeu, a business development manager with HUB International. "The hackers are continually going after smaller, not-so-well-known clients, and the fact of the matter is those smaller clients may not have the financial wherewithal to withstand and emerge from that hack and actually function."
Further Reading
"Code Spaces forced to close its doors after security incident," CSO, June 18, 2014, http://bit.ly/1KdGMg3
"Cyber Claims Examples," London Australia Underwriting, http://bit.ly/1HxObZv
"Cybersecurity Framework," National Institute of Standards and Technology, http://www.nist.gov/cyberframework/
"Cybersecurity In Demand," Nightly Business Report, March 17, 2015, https://www.youtube.com/watch?v=GS_HPiwhJWQ
Testimony of Peter J. Beshar, executive vice president and general counsel, Marsh & McLennan Companies, before the United States Senate Committee on Homeland Security & Governmental Affairs, Jan. 28, 2015, http://1.usa.gov/1HcQSKX
©2015 ACM 0001-0782/15/10