As the world has become more interconnected by the “internet of things,” businesses and households regularly rely on technology to conduct daily activities. While in recent years the reliance on technology has increased exponentially, cyber exposures are nothing new. Companies have been exposed to cyber risks for the last several decades dating back to the dotcom era of internet growth, followed by the Y2K scare, and HIPAA compliance rules.
Not just a large company problem
Recently, there have been headline-grabbing stories of data breaches at large retail companies, financial institutions, and private websites that exposed millions of personal records. Publicity of such attacks has become more and more frequent, from the 2014 Home Depot and Target data breaches, to the early 2015 attack on Sony, to the most recent attack on the Ashley Madison website. In a precedent-setting case, a July ruling by a U.S. Court of Appeals decided that retailer Neiman Marcus must now defend a class action suit claiming that it failed to protect customers, after having the case originally thrown out by a Chicago district court. Rulings like this make it even more difficult for hacked companies to avoid costly and reputation-damaging lawsuits.
In addition to the attacks on these large corporations, there are countless cyber-attacks, not covered by the media, that target less sophisticated, more vulnerable security systems. According to a report by First Data, small businesses account for 90% of data breaches. The New York Times reports that last year alone over half of American adults had their information exposed. These breaches are the work not only of faceless hackers at home and abroad, but also of thieves who steal laptops, documents, and the now-ubiquitous smartphone. The costs of these data breaches are higher than one may think. Any company that stores or uses data is exposed to risks associated with data breaches, including:
• Business Interruption,
• Network / Hardware,
• Credit Monitoring,
• Reputational Risk,
• Personal / Business Data Theft,
• Breach Response
According to the National Small Business Association, a focus group reported that 44% of respondents had been victims of at least one cyber-attack in 2013, at an average cost of nearly $8,700 per breach. In many states, private and governmental organizations are required to notify potential victims of a breach. To protect their reputations, firms need to be proactive by replacing credit/debit cards, deploying credit monitoring services, and upgrading point-of-sale systems.
In response to the increasing threat to businesses, companies are implementing cyber risk controls as part of their Enterprise Risk Management initiatives. Boards and senior leadership are placing cyber risks at the top of the list of corporate concerns, and are seeking a cyber-insurance solution. A May 2015 Lloyd’s report, Business Blackout: The insurance implications of a cyber-attack on the US power grid, stated that “Cyber risk is already an embedded feature of the global risk landscape, and insurance has the potential to greatly enhance cyber risk management and resilience for a wide range of organizations and individuals who are exposed to its impacts.” In fact, one of the largest growth areas in the insurance industry is Cyber Security Liability.
According to a new report from Allianz Global Corporate Security Specialty (AGCS), the cyber insurance market is expected to grow to more than $20B in gross written premiums over the next decade. AGCS estimates that cyber crime costs the global economy $445B annually, yet the current global cyber insurance market only stands at about $2B in premiums.
Cyber Liability: The New Frontier
Cyber exposure and insurance coverage continue to evolve as fast as technology advances, hackers innovate and adapt, and legal precedents and case law are set. Insurance coverages must adapt as well. While coverages vary by carrier, cyber-specific policies and endorsements generally cover:
• Loss of digital assets
• Non-physical business interruption and extra expense
• Cyber extortion threat
• Security event costs
• Network security and privacy liability coverage
• Employee privacy liability coverage
• Electronic media liability coverage
• Cyber terrorism coverage
Cyber exposures and the corresponding insurance coverages have grown significantly over the last several years. Despite this, many businesses and organizations remain uncertain of the value and/or protections provided by cyber coverage. Some risk managers argue that internal controls, not only technology-based but also managerial and personnel-related, obviate much of the need for an insurance solution. One senior technology consultant in the insurance industry argued, “The largest risk for a cyber-attack comes from one source, us – people.” Mishandling of e-mail, misplacing a USB drive, or the unintentional downloading of a virus can cause damage to a firm. A strong culture of safety, awareness, and protection, from all employees, can be the strongest defense against cyber loss. In addition, state-of-the-art firewall protection and consistently updated technology may be seen as an adequate measure for controlling cyber risk loss exposures. But is it enough?