By Bob Parisi – Cyber Product Leader, Marsh USA
There’s not a day that goes by without a cyber-related incident in the news. Although retailers, financial institutions and health care companies have been the main targets on cybercriminals’ radar, no organisation is immune to a cyber attack or failure of technology.
The costs associated with such incidents continue to rise. According to the Ponemon Institute’s 2014 Cost of Data Breach Study, the average cost of a large data breach was $3.5 million in 2014, 15 per cent more than in 2013. And this doesn’t take into account the reputational damage or other long-term ramifications, including drops in stock prices and resulting lawsuits against directors and officers.
Given the potential for cyber events to cause serious economic harm and the related increase in regulatory scrutiny, corporate boards are now expected to extend equal oversight to cyber resilience as they do to financial resilience. Boards today need to fully understand cyber risk, its impact and its mitigation – including insurance protection – and discuss it with shareholders, regulators and others.
In fulfilling those objectives, many organisations have found that gaps exist in traditional insurance coverage and that some insurers are carving out cyber risk from general liability, property and other policies. As a result, many organisations are turning to the dedicated cyber insurance market to transfer their cyber risk.
A growing threat
High-profile cyber incidents in 2014 and early 2015 have highlighted the expanding spectrum of cyber threats organisations face today – from point-of-sale breaches exposing customer accounts to targeted denial-of-service attacks intended to disable a company’s network. The details of these attacks have left little cause for optimism. According to Verizon’s 2014 Data Breach Investigations Report, a majority of the cyber attacks in 2013 were easy for attackers to carry out and involved little to no resources or customisation of software. Although it’s nice to believe that only highly sophisticated hackers are capable of penetrating computer systems, the reality is that corporate America remains vulnerable to fairly simple attacks. The irony, of course, is that network technology is becoming more complex, with interconnectivity and mobility increasing efficiency and decreasing operating costs. It is this complexity that is leading to devastating consequences from surprisingly simple threats. While it’s difficult to pinpoint the next evolution of cyber risk, there are trends to be aware of in 2015.
■ Business interruption: Business interruption stemming from a cyber-incident, in particular, drew a lot of attention in 2014. While business interruption has historically been thought of as the after-effect of a critical system going down for an extended period of time, data breaches, hacking attacks and technology failures can create far-reaching outages affecting secondary systems, clients and even vendors
■ Cyber extortion: Historically, cyber extortionists threatened to disable critical corporate systems or to deface or incapacitate public websites. New threats that arose in 2014 include data ransom, where attackers encrypt confidential information and ransom the decryption key, and data blackmail, where attackers threaten to release sensitive or embarrassing corporate information stolen from corporate networks. In addition, the rise of anonymous payment networks has made it easier to abscond with a ransom, further emboldening criminals
■ Government-style attacks: More recently, criminals have shown a willingness and ability to use cyber-attack technology that was previously expected only from government or military resources. Recent incidents include physical damage to machinery and infrastructure and highly targeted attacks on executives, including directed social engineering and hacking hotel, conference and other public systems to target executives and their devices while in transit
■ Interconnectivity: Alternately cited as both the best and worst evolution in technology, the rise in interconnected systems continues unchecked. From the proliferation of cloud services to mobility solutions, such as bring your own device (BYOD) to the Internet of Things, organisations are increasingly reliant upon technology across their operations
To be sure, staying current with the ever-changing cyber risk landscape is a challenge for any corporate board. However, the US Securities and Exchange Commission made clear in its 2011 disclosure guidance that it considers cyber security on a par with other operational risks – they require boardroom oversight.
As part of its 2014 Director’s Handbook Series, the National Association of Corporate Directors cited five principles that directors should look to when it comes to cyber risk and their duties as trusted advisors to management.
- Directors need to understand and approach cybersecurity as an enterprise-wide risk-management issue, not just an IT issue
- Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances
- Boards should have adequate access to cybersecurity expertise and discussions about cyber risk management should be given regular and adequate time on the board meeting agenda
- Directors should set the expectation that management will establish an enterprise-wide cyber risk management framework with adequate budget and staffing
- Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each
Cyber insurance evolves
Risk transfer for cyber exposures is one of the most rapidly evolving areas of insurance coverage. The cyber insurance market continues to grow as underwriters of traditional insurance lines, such as property and general liability, move to explicitly exclude cyber risks from coverage. Companies that rely solely on traditional forms of insurance today to protect their balance sheets from a cyber incident are likely to find gaps in that protection.
Cyber insurance policies can fill many of the gaps in traditional insurance and provide direct loss and liability protection for risks created by the use of technology and data in an organisation’s day-to-day operations. For example, cyber insurance policies can, depending on policy specifics, provide reimbursement for lost revenue, including forensic costs and extra expenses, as a result of a failure of technology, a computer system outage or a cyber attack. This coverage, in many cases, can be expanded to include contingent business interruption due to the failure of a vendor, such as a cloud computing service provider. Policies can also be customised to fund public relations and crisis management services in connection with an IT failure.
Today, the dedicated cyber market consists of dozens of underwriters with up to $500 million in aggregate capacity available, depending on industry sector. Although there is not a ‘standard’ cyber policy, coverage can typically be customised to include any or all of the following coverages:
■ Privacy and computer security
■ Information asset
■ Business interruption, including extra expense
■ Cyber extortion
■ Criminal reward fund
■ Crisis management
■ Contingent business interruption
■ Cyber-induced bodily injury
■ Property damage
In addition to enhanced coverage, cyber underwriters often offer loss control services including risk assessment tools, breach counselling and event response assistance, generally at no extra charge.
Demand for cyber insurance has steadily increased over the last few years, spurred on by several high-profile cyber incidents and the move by insurers to exclude the risk from other lines of coverage. Marsh saw the number of US clients purchasing standalone cyber insurance for the first time increase 32 per cent in 2014, which followed on the heels of a 21 per cent increase in clients purchasing the coverage in 2013.
While growth was seen across all industry sectors, the hospitality and gaming industry saw the biggest jump in first-time purchasers in 2014 – a 69 per cent increase – followed by the universities and schools sector, which saw the number of first-time purchasers increase by 58 per cent. Overall, 16 per cent of Marsh’s financial and professional liability clients now purchase cyber insurance, compared with 13 per cent in 2013 (see Figure One).
As demand for cyber insurance grows, it’s important to remember that risk transfer is just one part of a well-planned and effective risk-management programme, which should also include policies and protocols to prevent and mitigate cyber risks. Simply applying for cyber insurance can aid in this effort, as it forces companies to assess the strength of their cyber defences. Before deploying capital, cyber underwriters will want to know whether the company has in place an incident response plan, disciplined procedures for patching software and robust protocols for monitoring its vendor network.
Moreover, once a cyber policy is purchased, insurers have the incentive to help policyholders avoid and mitigate cyber attacks. This is one reason why many insurers now offer monitoring and rapid response services as part of coverage.
Changing role of analytics
Simply presenting stakeholders with a quote for insurance coverage doesn’t cut it anymore. Fortunately, as the data underlying cyber events has evolved, boards have gained confidence that the understanding of cyber risk is grounded in analytics and not in the kind of ‘alchemy’ that prevailed when cyber insurance first debuted nearly two decades ago. Whether it’s reporting to boards, shareholders, regulators or others, organisations can now demonstrate that they have taken a reasoned approach to evaluating and understanding the risks.
The board wants to understand the nature and scope of the risk in addition to the financial aspects. Helping the board understand where the company is relative to a common information security standard, mapping out the key risks, modelling the financial impact of loss scenarios and finally, placing those scenarios and risks in the context of the company’s risk transfer portfolio enables the board to make an informed decision on how to move forward in addressing these risks.
But the economy is still a long way from where it should be in accurately analysing and quantifying cyber risk. While information security professionals have taken great strides in educating organisations and users on the risks, a common ‘vocabulary’ to quantify cyber risks, while desired, remains elusive. As noted in the recent World Economic Forum report, Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats (January 2015), there are numerous standards and frameworks but they lack the statistically significant data needed to effectively model and quantify the risk. This lack was further noted at the recent White House Cyber Summit at Stanford University where the idea was floated of establishing a more robust protocol for the sharing of information on cyber threats and vulnerabilities.
Despite increased outlays of time and money on technology and security, the number of cyber attacks and system outages continues to grow. And there is no apparent end in sight as attackers become more adept, organisations’ systems evolve in complexity and global interconnectivity grows.
Cyber incidents can quickly accumulate significant costs, inflict reputational damage and produce long-term ramifications for companies, including lawsuits against their directors and officers. As cyber risk evolves and permeates boards’ awareness, the issue of coverage certainty has gained urgency as more organisations come to grips with their current insurance programmes and the evolving nature of their risk.
Having an effective cyber insurance policy can provide protection not only from the high costs associated with responding to a cyber-breach, but also from the litigation and indemnity costs that often follow. It can also go a long way in giving investors and the board the knowledge and comfort they need should the firm have to disclose its cyber security risks or a specific incident.
This information is not intended to be taken as advice regarding any individual situation or as legal, tax or accounting advice and should not be relied upon as such. You should contact your legal team and other advisors regarding specific risk issues. The information contained in this publication is based on sources we believe reliable but we make no representation or warranty as to its accuracy. All insurance coverage is subject to the terms, conditions and exclusions of the applicable individual policies. Marsh cannot provide any assurance that insurance can be obtained for any particular client or for any particular risk. Marsh makes no representations or warranties, expressed or implied, concerning the application of policy wordings or of the financial condition or solvency of insurers or reinsurers.
About The Author:
Bob Parisi is a Managing Director and National Cyber Product Leader for Marsh USA Inc. based in New York. In this role he is responsible for the development of new products and markets, advising clients on issues related to intellectual property, technology, privacy, and cyber-related risks as well as negotiating with the carriers on terms and conditions. Prior to joining Marsh, Bob was the Chief Underwriting Officer of eBusiness Risk Solutions at American International Group. Bob holds a BA in Economics from Fordham College and a JD from Fordham University School of Law.