The NAIC’s cybersecurity task force released its third and final draft of the NAIC cybersecurity model law in August, in the hope that it would be considered for approval. However, “stakeholder feedback made it clear that additional work needed to be done to reach consensus on the draft,” according to Rhode Island Superintendent of Banking and Insurance Elizabeth Dwyer, a member of the task force.
Cyence, an economic risk modeling platform for cyber risk, debuted its product last September and has since received much attention in the insurance industry. Carrier Management Editor Mark Hollmer had the opportunity to sit down with Cyence Co-Founder and CEO Arvind Parthasarathi to discuss how the company’s cyber analytics platform will allow the insurance industry to look at cyber risk in an entirely new way – in “dollars and probabilities.”
With cybercrime only increasing and traditional network security premiums becoming obsolete, the cyber insurance market is a huge, untapped opportunity for insurers and reinsurers. Mandatory legislation on cybersecurity in several U.S. states has led to more mature and better cyber liability insurance policies. PwC forecasts that annual gross premiums will increase from $2.5 billion in 2015 to $14 billion by 2022.
For years the insurance industry has invested in incentive programs to help reduce risk and prevent claims. For example, health insurers may lower premiums to encourage good lifestyle choices, just as carriers may offer discounts when homeowners install smoke detectors and security systems. A recent Information-Management article explains that these incentives are a win-win: for policyholders, who can invest their saved money in a safer home or healthier lifestyle, and for the insurance company, which sees a reduction in claims. If discount incentives are proven to reduce risk, theoretically an organization with the latest cybersecurity technologies and proper cybersecurity policies will claim less after a cyber-attack or data breach.
Although the cyber insurance market is beginning to gain traction, the industry is still young and many organizations are not taking cyber-threats seriously, despite brokers’ encouragement to purchase cyber insurance as a stand-alone policy. While a cybersecurity incentive policy would theoretically reduce cyber-risk, there are several reasons why carriers have been slow to adopt such policies. For one, cyber insurance is not regulated the same way auto and home insurance are – policies vary drastically and prices are not standardized. Additionally, an organization with the best cybersecurity is still susceptible to a breach due to employee negligence. How can one guarantee an organization is keeping up with best cybersecurity practices? Nonetheless, as the market matures, discount incentives could serve as a motivation to purchase a cyber policy as well as improve an organization’s cybersecurity posture on the front-end.
Ransomware attacks are on the rise across the country, with hackers reportedly extracting $209 million in ransom payments in the first three months of 2016. Madison County fell victim to a ransomware attack on Saturday, shutting down nearly all county services. Following the attack, commissioners gathered in an emergency session to discuss their options. Although the full implications of the attack remain unknown, and no personal information appears to have been released, the commissioners voted unanimously to pay the ransom, but they are still hoping to find a way to fight back. “We’re following the directions of our insurance carrier,” said Madison County Commissioner John Richwine. While he did not reveal the amount paid to the cybercriminals, Richwine explained that it was not as much as one might think, and is covered by the county’s cyber insurance policy with Travelers after a deductible is paid.
According to Symantec’s 2016 Internet Security Threat Report, 43 percent of phishing attempts targeted small businesses in 2015. Despite this figure, only five percent of small and medium-sized enterprises (SMEs) are believed to have a cyber insurance policy in place. While businesses of all sizes are aware of the potential impact cyber-risk has on the organization, decision makers choose not to purchase cyber insurance for a variety of reasons. To help small businesses make the decision to purchase cyber insurance, a PropertyCasualty360 article explains there are a number of things a broker can do to help SMEs offset that risk.
IBM’s 2016 Cost of Data Breach Study puts the average cost of a data breach at about $4 million, with the average stolen record costing about $221. With the increasing number of cyber-threats in the United States, a cyber-attack falling on your organization is almost inevitable. Compared to the potential loss following a data breach, the decision to purchase cyber insurance may ultimately be the reason an organization is still functioning. Not to mention, cyber liability insurance is not nearly as expensive as many perceive – relative to other lines of insurance, basic cyber liability coverage is actually fairly inexpensive. Brokers must also explain to SMEs that data on the cloud does not guarantee safety. Cloud providers often have hold-harmless agreements, meaning the provider is exempt from any liability accusations if all or any data is lost from a data breach. Lastly, while data breaches making headlines usually involve large corporations or government entities, cyber-attacks are happening to SMEs every day, in every city. Small business owners must understand they are just as likely, if not more likely, to be the target of an attack, primarily due to inadequate cybersecurity practices. Cyber insurance can not only help mitigate the risk on the back-end, but it can also ramp up cybersecurity practices on the front-end due to employee training opportunities and mandatory cybersecurity requirements. While it is important that organizations of all sizes strive to protect their data and stop a breach before it occurs, a cyber liability policy can, at the very least, help hedge the costs of a data breach if one were to occur.
Although cyber insurance is generally written via manuscript policies, which are thus unique in nature, cyber policies are becoming more robust and encompassing. However, one particular exclusion exists in the overwhelming majority of cyber insurance policies: cyber-attacks involving nation state hackers. While government-affiliated cybercriminals have been at the crux of recent cyber-talk, cyber insurance policies often “explicitly exclude acts of war and ‘warlike operations.’” Many policies “also exclude acts of broadly defined foreign enemies, government actors and terrorism,” said Robert Morgus, a policy analyst in New America’s International Security Program. This begs the question – who, then, is responsible for attributing the cyber-attack following a cyber insurance claim?
A recent CyberScoop article suggests that carriers will likely avoid taking the insured to court over attribution regarding a cyber-attack. “Generally speaking, liability exclusion details are difficult to study because most cyber insurance contracts are confidential in nature,” Morgus explained. “Legal experts say there has yet to be a case where the insurance company or a breach victim have specifically challenged the attribution of an attack in court.” Nonetheless, exclusions regarding “acts of war,” from “nation state hackers” are common and in order to attribute the attack to the cybercriminal(s), the insurer will ultimately have to bear the costs of a digital forensic investigation. As a result, it is believed that carriers will continue to avoid such a potentially messy legal battle over attribution.
Insurance Attorney Scott Godes warns businesses to make sure they’re covered in the gray areas – referring to the rift between cyber policies and traditional crime coverage. However, some insurance companies, such as Willis Towers Watson, are looking to fill those gaps. Willis recently announced its CyFi plan – short for cyber insurance and fidelity. The new plan is intended to fill the gap and will serve as excess over the crime policy and cyber policy, and will also be available to industries outside of the financial field. Godes notes that the new CyFi plan goes further than any other to date, and makes several recommendations of things to look for when buying policies.
In order to meet the newfound corporate demand following cyber-attacks against Target, Home Depot, and Sony, Aon last month acquired Stroz Friedberg – best known for helping the likes of Sony and Yahoo mitigate damage from breaches. Although 60 vendors offer cyber insurance of some kind, none currently account for every type of contingency associated with a cyber-attack. This acquisition is intended to fill some of Aon’s own gaps. It will add incident response and other capabilities to Aon’s portfolio of cybersecurity assessment and risk transfer services. Aon’s CIO says Stroz will help clients mitigate cyber incidents more rapidly, which has a direct correlation with reducing claims. Bruno also adds that Aon may acquire more companies as it seeks to add real-time data analytics capabilities, something that will become more critical as the Internet of Things (IoT) expands to more industries.
The insurance industry has a risk-minded approach and mindset; however, according to Chief Computer Scientist of CAST Research Labs Dr. Bill Curtis, the industry is continuing to use technology systems and practices that are “disturbingly unsecure.” Dr. Curtis is one of the lead authors of CRASH Report Insurance 2016, which evaluates the structural quality of IT applications used in various software technologies across 38 different insurance companies in eight countries. He and his team also found evidence to corroborate that North American insurance firms are among the “least secure as compared to other businesses in the financial services sector.”
He says that this trend can be a cause of many companies having “the mindset that it does what it’s supposed to do and if it ain’t broke, don’t fix it.” Insurers continue to use older technology systems because they are adept at servicing older policies, and the systems’ size and complexity make them very time-consuming to replicate in an efficient manner. However, the need for insurance firms to reassess their systems’ vulnerabilities must be stressed. A thorough quality checkup of current software and implementation of a company-wide policy for identifying and addressing security problems are key.