The age-old line states that “Beauty is in the eye of the beholder.” For example: Businesses see cyber attacks and data breaches as crises that result in significant losses (including consumer trust). Consumers see the constant possibility of their identity being stolen. And the insurance industry is seeing a vast, untapped market.
Each week seems to bring news of a data breach at a major corporation. Widely publicized hacks at Sony, Anthem, Home Depot, eBay, Target, T.J. Maxx, Adobe and Living Social – to name a few – compromised private data. Then there are the multiple revelations that our personal devices are not as secure as we might have hoped.
To date, the majority of breaches have targeted businesses and medical/healthcare organizations, according to the Identity Theft Resource Center. The number of data breaches has grown almost every year since 2005, with steep jumps over the past couple of years.
These attacks involved data from hundreds of millions of people, and led to the humiliating distribution of internal company documents and emails. And yet, only about 6 percent of companies said they purchased insurance to cover cyber risks, according to the Insurance Information Institute (III). Industry experts don’t think that number has wavered substantially over the past several years.
But that is about to change.
The National Association of Insurance Commissioners (NAIC) – an industry group and a FleishmanHillard client – expects the cyber-liability market “to grow dramatically.” The key factor? Fear. A fear of lawsuits. Of lost reputation. Of government regulations. The SEC in 2011 started asking companies to voluntarily disclose data breaches, including their insurance coverage for such events. As the attacks continue, government intervention in the form of “substantive cybersecurity measures” looks inevitable, said Robert Hartwig, president of the III.
Currently, most standard commercial policies don’t cover cyber risks such as:
- hacked or accidentally disclosed personal data
- losses due to hackers shutting down a network
- theft of digital assets such as customer lists or trade secrets
- the more nebulous, “damage to your business reputation”
- or the lawsuits related to any of the above
Insurance protection against cyber risks is highly customized, hard to quantify and very expensive. The NAIC established a task force this year “to monitor emerging cyber risks, their impact on the industry and whether regulatory action will be required.” The NAIC also is crafting risk management standards for the cyber-liability industry.
Despite the seeming lack of clarity, most retailers who accept credit cards – from online outlets to anyone selling veggies at the farmers market – already have accepted liability for data breaches, many times unwittingly. “It’s pretty standard that the contracts retailers sign with merchant banks for processing (payments) make them directly liable,” says Carrie Cope, head of regulatory and management liability insurance at Schuyler, Roche & Crisham in Chicago. “Most companies don’t even realize it’s in there.”
Assessing cyber threats is more than just a job for underwriters, though, as companies should complement any insurance coverage with their own efforts. Peter Bennett, director of business development at Alchemy Communications, which provides Type 2 Internet data centers, suggests organizations should pay more attention to what their employees can see. “Many firms don’t limit unauthorized access to their data,” he said. “Most companies have sensitive data, like employee records, or financials, but there’s a lack of human intervention to control who can see that data.” Bennett recommended compartmentalized access to data, which can be implemented with firewalls, password requirements and basic encryption, to protect a company’s private information.
Of course, all computers connected to the Web are vulnerable. “If anyone tells you that they are totally secure, they are deluded,” said Tim Plona, an information security, IT governance, risk and compliance expert. “Systems and processes have vulnerabilities and threats – thus have risks.”
Bennett said one of the most common threats is a DDoS – a distributed denial-of-service attack – in which a company’s servers or other IT infrastructure is rendered unusable for some undefined amount of time. In fact, Alchemy tracks in real time the DDoS attacks coming in to its servers from around the world.
Third-party IT firms may help mitigate risk, or at least shield a company from some liability. But it’s important “to dig down beneath the sales pitch to see what steps they are taking to protect your data,” Bennett said. “If a company is not backed by an audit, their security doesn’t mean anything.” Since 2011, standard financial audits have included “determinations on whether companies have the proper controls in place to provide an appropriate level of security, processing integrity, confidentiality and privacy to their digital information.”
Despite best efforts – and insurance coverage – no company is immune from an attack and its effects. In fact, admitting its own vulnerability, NAIC’s 2015 cyber task force also has been instructed to gather intel on how to protect consumer information collected – and stored – by insurers.
Photo credit: Norse Corp Live Attack Map (norse-corp.com)