Cyberattacks –– criminal activity conducted over the internet –– have become major problems for businesses and governments around the world. The bad news is that the problem is only going to get worse. Cyber insurance is one tool that businesses are using to mitigate the risk.
U.S. data breaches are at all-time highs and climbing. In June, data breaches for 2017 hit just under 800, a more than 30 percent jump from 2016. And the same report by the Identity Theft Resource Center predicts that total breaches for 2017 could reach 1,500, a nearly 40 percent increase since 2016, which was a record with almost 1,100. Additionally, attacks are almost certainly underreported.
Lloyd’s, the London-based insurance underwriter, reports that cyberattacks cost businesses worldwide an estimated $450 billion in 2016. But the Hiscox Cyber Readiness Report 2017 –– a survey of 3,000 companies in the United States, Germany, and the United Kingdom –– found that 53 percent of the companies were not prepared to deal with an attack. The report points to an epidemic of cybercrime, Steve Langan, chief executive of Hiscox Insurance, told CNBC during an interview earlier this year.
As a slice of the insurance industry, the global cybermarket is growing. Lloyd’s estimates that the global cybermarket is worth between $3 and $3.5 billion. Insurers wrote $1.3 billion in direct written premiums for cyber insurance in 2016, a 35 percent jump from 2016, according to reports by Fitch Ratings and A.M. Best.
“Cyber insurance almost advertises itself,” says Robert Hartwig, co-director of the Risk and Uncertainty Management Center in the Darla Moore School of Business at the University of South Carolina. “Barely a week goes by when we do not hear about a major corporation, a government agency, or entire industries around the globe potentially being impacted by a malicious cyber intrusion,” continues the economist and former president of the Insurance Information Institute in New York. He is also the co-author of “Cyber Risk: Threat and Opportunity,” an October 2016 white paper for the Insurance Information Institute.
Cyberattacks use malicious code, sometimes called malware, to alter computer code, logic, or data, causing disruptions that can compromise data and lead to cybercrimes such as information and identity theft. Cyberattacks are generally broken into four categories:
Data Breaches –– A Trojan horse computer program is used to gather sensitive company and customer information, such as Social Security numbers, driver’s licenses, or medical records.
Computer Fraud –– A former or current employee gains access to a computer system and steals information or inflicts damage.
Funds Transfer Fraud –– In one growing form of this type of attack known as business email compromise fraud, or CEO fraud, cybercriminals send fake emails from the CEO or other top executives asking company accountants to transfer company funds to a seemingly legitimate account, but instead the money winds up in the criminal’s account.
E-commerce Extortion –– Ransomware, a computer virus, is introduced, and data is held hostage or other demands are made until the user pays. Two recent ransomware attacks have been WannaCry and Petya, both of which were global attacks that disrupted systems.
Robert also says businesses need to consider insuring themselves against cyberattacks just like they would against fire, flood, hurricane, or any other kind of threat that might disrupt business.
FedEx did not have cyber insurance in place when it suffered the Petya cyberattack in June that wreaked havoc on operations at its Netherlands-based TNT Express unit. The unit was still experiencing delays in August, and FedEx officials have reported that its fiscal 2018 results will be hurt in part because of the attack.
“And that is something that is preventable,” Robert says. “They would have had insurance if one of their airplanes had crashed. But when their computer systems crashed, they had no coverage.”
Cyber insurance as a separate insurance product is relatively new and is still evolving; the first policy was written in 1997 by AIG. Each policy is tailored to a company’s individual needs, but coverage, as outlined by Robert, can include:
Loss/Corruption of Data –– Damage to or destruction of valuable information as a result of viruses, malicious code, and Trojan horses.
Business Interruption –– Loss of business income as a result of an attack on the company’s network.
Liability –– Defense costs, settlements, judgments, and sometimes punitive damages resulting from a breach of privacy such as theft of credit card information or transmission of a computer virus resulting from the attack, as well as other forms of damage to third parties.
Cyber Extortion –– The settlement of an extortion threat against a company’s network.
Crisis Management –– Costs to retain public relations assistance or advertising to rebuild a company’s reputation after an attack.
Criminal Rewards –– Costs of posting a reward fund for information leading to arrest and conviction of the cyber attacker.
Data Breach –– The expenses and legal liability resulting from a data breach.
Identity Theft –– Access to an identity theft call center in the event of stolen customer or employee personal information.
Physical damage that may result from a cyberattack, such as some sort of explosion, is also covered, although generally that may be covered under some other property policy, Robert says.
One new area for cyber insurance is directors and officers (D&O) and management liability coverage. Malicious cyberattacks are an issue that not only affects the company’s bottom line and top line, but also potentially affects the board of directors and certainly the senior management of the company, which can become potentially liable, asserts Robert. “You can be sued both personally and at the corporate level as a business owner as the result of a cyberattack.”
A knowledgeable agent can make sure that a company has coverage for not only the traditional risks that officers and directors of a company face, but also for this new issue of cyber risk, Robert says. “Because this is clearly a board issue nowadays.”
Insurers especially emphasize prevention. Cyber coverage typically provides a front-end assessment of a company’s cyber vulnerability. “An insurer in assessing your risk and determining how much you should be charged will also help you prevent or reduce the likelihood of a cyberattack occurring,” Robert says.
An agent will go down a checklist with a potential customer and determine if there are holes in their security. “You may feel it is a little bit of an uncomfortable exercise to go through and see how exposed you actually are, but if you work with your agent on this, you can actually make your business more resilient in the long run,” Robert says.
He compares it to the same process for an older building being converted into a restaurant. “The insurer will often want to come in and do an inspection. They’ll come in and say, ‘This is great; we’d love to insure you. But we need more sprinklers over here, or we need another drainage pipe in the bathroom in case a pipe breaks.’ That might cost something, but it makes you more resilient as a business. It’s the same in taking care of cyber vulnerabilities up front.”
Originally only for very large corporations, cyber insurance is now increasingly accessible to medium and small-sized companies as it becomes as standard for businesses as fire or theft coverage.
The Hiscox Cyber Readiness Report 2017 states, “Cyberattacks often hurt smaller firms far worse than larger firms, although the big firms incur the highest costs in nominal terms.” However, the report adds, “Smaller firms are also more reluctant to adopt key cybersecurity measures.”
Many businesses today may not know they have been breached, or, when discovered, they are more likely to conceal the breach, Robert says. “There are thousands of breaches reported every year, but they are clearly grossly underreported, mostly for small and mid-sized businesses.”
If there is not a loss of confidential consumer information, businesses may not be required to report the breach. This fact does not mean that economic repercussions are avoided. Robert urges every small and mid-sized business to conduct a risk assessment of its cyber vulnerability. “If they do that and they are honest with themselves, they will find out that they are extremely vulnerable, because they have had experience with a cyberattack or malicious cyber event, because they know competitors that have, or because they read the paper every day.”
Businesses know that, as they become increasingly dependent on their computer systems and online commerce, it is not a matter of if, but a matter of when, they will suffer a cyberattack. “There is no opportunity to unplug from the Internet,” Robert says.
One major issue for insurers is the dynamic nature of cyber risk. Unlike natural disasters, which can be better predicted and understood over time, cyberattacks are constantly evolving and changing tactics, which causes the nature of the risk to continue to change. Ultimately, Robert sees the need for cyber insurance spreading far beyond businesses and governments because of the growth of the “Internet of Things,” which is the digitally connected nature of our lives that includes our homes, automobiles, and even our bodies.
The automobile is one of the newest additions to the Internet of Things. Cars are increasingly computers on wheels, and a computer on wheels is not any more secure than a computer sitting on a desk or tucked in a pocket. “What we are likely to see is claims in the future potentially being the result of malicious attacks on the software in automobiles. Imagine a ransomware attack on your vehicle that says, ‘Pay now or I will accelerate this car, and you will have no opportunity to stop it. You have 90 seconds to do that.’” How will insurers handle such an event?
The human body also is increasingly becoming part of the Internet of Things. A Wisconsin company is already offering employees a microchip implant to allow them to make in-house purchases, open doors, and unlock office equipment.
“Within a generation, and this has already begun, we are going to be walking around with devices that connect us to the internet, and they will control everything from our pacemakers to devices, for example, that control the flow of insulin, brain-wave activity associated with mental illness, hearing implants, visual implants, artificial limbs, you name it. All of this is going to become part of the Internet of Things,” Robert says. “You can imagine the vulnerability of this. So will health insurance then cover a cyberattack on your body? This is not science fiction anymore. These are real questions that we are going to be dealing with in the next few years.”