De-risking Cyber Threats with Insurance

Abstract

Management of risks is an integral part of the insurance industry. Though companies have succeeded in identifying and managing risks, the nature of risks has changed and they can destroy businesses and damage reputation. Organizations need ways to manage cyber-risks outside of their risk appetite. Beyond providing insurance, companies are using best practices and following regulations to strengthen insurer defenses against cyber-attacks.

Cyber Crime Raises its Head

Growth in technology has been accompanied by growth in threats. Cyber-risks have been around since the early 1990s, and the solutions to deal with them have grown steadily over the same period. In the early days, cyber insurance coverage primarily addressed defacement and liability arising from domain name infringement. However, the number of cyber-attacks has grown rapidly, especially in recent years. The number of zero-day vulnerabilities discovered has doubled since 2015. Industry reports suggest that cybercrime is expected to cost the world more than $6 trillion by 2021, up from $3 trillion in 2015.

As the cyber threat landscape continues to evolve, certain types of attacks are becoming increasingly common. Digital data breach, loss, and theft continue to be the leading types of cyber events; phishing attacks, too, have gained momentum, especially between 2013 and 2015.

Network-disruption events (such as denial of service attacks) have also increased in recent years. As more and more people move towards electronic communication, the opportunity for bad actors to cause difficulties for businesses and the public has also grown. According to the Herjavec Group, cybercriminals pocketed over $1 billion from ransomware attacks during 2016 alone, with the total number of ransomware incidents increasing by a whopping 748%.

Based on a comprehensive analysis, researchers have concluded that CyberSecurity issues have hit the following three industries hard:

  • Finance and Insurance
  • Healthcare and Social Assistance
  • Public Administration

Cybercriminals have been targeting these industries because of the easy availability of sensitive financial and personally identifiable information. With the current digitalization wave, the risks are continuously mounting.


Need for Cyber Insurance

In today’s world, no one is safe from cyber-attacks, whether individuals, small businesses, or large companies. Existing business and standard insurance policies are not enough to cope with the impact of cybercrime. In most cases, a regular business interruption policy is not enough to compensate the insured if systems fail because of a malicious employee, computer virus, or a hack attack. Identity theft, telephone hacking, and phishing frauds are real possibilities that are not covered by traditional business interruption policies. When customer data is lost due to cyber-attacks, the penalties might be severe. For instance, there are heavy penalties for companies that lose credit card data. Merchant service agreements mean that you will be responsible for the expense of forensic investigation, credit card reissuance costs, and the fraud conducted through stolen cards.

Due to its interactive nature, social media is also exposed to cyber-risks. This exposure can result in defamatory statements, leaked information, and copyright infringement, with an impact that can run into hundreds of thousands of dollars if not covered.

Managing Cyber-Risk

All new technologies come with a certain amount of risk. Once these risks are identified, understood, and quantified, they can be avoided, controlled, combined, retained, or transferred using insurance or other risk-management techniques.

For example, if you own a computer, you are at risk. If you have a computer connected to the Internet, you are at a greater risk. If you use a computer to send and receive e-mails, you are at risk. If you store anything on the computer, you are at risk. If you let employees place sensitive information on a laptop, your risk increases. If you allow employees to use memory sticks or thumb drives, you are at risk. Nearly anything you do with a computer creates risk for you. The cyber-risks for a business are almost endless. As data breaches occur more frequently, there are additional pressures for businesses to step up efforts to protect the personal information in their possession. In fact, there is legislation requiring the protection of personal financial information and personal health information. Some of the key risks associated with the use of computers are:

  • Identity theft involving security breaches, where a hacker steals sensitive information
  • Business interruption from a hacker shutting down a network
  • Damage to a firm's reputation
  • Theft of valuable digital assets, including customer lists, business trade secrets, and other similar electronic business assets
  • Introduction of malware and other malicious computer code
  • Human error leading to inadvertent disclosure of sensitive information, such as an e-mail from an employee to unintended recipients containing sensitive business information or personally identifiable information
  • Cost of credit monitoring services for people impacted by a security breach
  • Lawsuits alleging trademark or copyright infringement

Selling all computers might be tempting for some, but it is not exactly a risk management technique. Therefore, the best way is to seek proper insurance against cyber-risks.

Has Insurance Penetrated the World of Cyber-Risks?

The answer is yes! Cyber liability insurance has been on the market for several years, but is rarely purchased. With an increase in the exposure and impact of cybercrime, the importance of cyber liability insurance is also increasing. Having cyber insurance mitigates the risk exposure of individuals and businesses by offsetting costs involved with recovery after a cyber-related security breach or similar event. Cyber insurance protects networks, computers, programs, and data from attack, damage, or unauthorized access. This also includes coverage for loss of profits because of a system outage caused by a non-physical peril, such as a virus attack. Additionally, it provides coverage for a public relations firm to repair any damage done to the insured’s brand.

Risks Covered by Insurance Carriers


Cyber Insurance Demand by Industries

There has been a surge in such demand from the healthcare industry. Retail and financial services follow closely behind healthcare and also score high in cyber insurance demand. Information Technology, however, falls somewhere in the middle.


Cyber Insurance Demand by Coverage

Coverage for business interruption is the first choice, along with increasing demand for coverage of regulatory defense expenses. Although ‘Internet Media Liability’ is the least in demand, it still has a good percentage.


Top Risks for which Insurance Carriers are Least Prepared


Key Cyber-Risks Causing Economic Loss


Strengthening the Role of Insurers via Regulation

Recent growth in the number of data-breach-related cases has prompted regulators to work towards strengthening insurer defenses against attacks. The National Association of Insurance Commissioners (NAIC) and state insurance regulators are working collaboratively with other financial regulators, Congress, and the President's Administration to identify specific threats and develop strategies to protect the financial infrastructure of the US insurance commissioners. The NAIC and state insurance regulators are tackling CyberSecurity issues through the following means to protect customers:

  • Insurance data model law to establish standards for data security
  • Roadmap for CyberSecurity consumer protection
  • Principles for effective CyberSecurity; insurance regulation guidance
  • Reporting requirements for insurers to track cyber-insurance policies issued in the market place

Trends in Cyber Insurance

Cyber-risks are complex and they keep evolving. Attacks and incidents are increasing, with costs climbing into the millions of dollars. Certain risks around data breaches, with a potential for significant business interruption, have caused much concern. The top five trends in the cyber-risk domain are listed below:

  1. Increasing interconnectivity and “commercialization” of cyber-crime driving greater frequency and severity of incidents, including data breaches
  2. With the possibility of data protection legislation firming up globally, more notifications and significant fines for data breaches can be expected in future
  3. Growing risk potential of business interruption, intellectual property theft, and cyber-extortion
  4. Significant threat from vulnerability of industrial control systems
  5. Absence of a sure-shot solution for CyberSecurity
     

Cyber Insurance: Next 10 Years

The global cyber-insurance market is estimated to be worth around $2 billion in premiums, with the US alone accounting for approximately 90% of it. The cyber market is growing by double-digit figures year-on-year and could reach $20 billion or more in the next 10 years.

Growth in cyber insurance in the US is already underway as data protection regulations help focus minds, while legislative developments and increasing levels of liability will see growth accelerate in the rest of the world. Growth in the cyber insurance market will also be driven by increasing demand for business interruption (BI) coverage. Awareness of BI risks and insurance related to CyberSecurity and technology is growing. Within the next 5 to 10 years, BI will be seen as a key risk and a major part of the cyber-insurance landscape.


About the Author

Vikram Singh is an AVP, P&C Business Advisory Specialist, in our Insurance vertical. He is a Business SME, bringing over 20 years of rich exposure in successfully executing and designing insurance solutions for various clients across the globe. His vast insurance domain expertise, along with in-depth experience of a variety of insurance products, has been instrumental in bringing quality and innovation and in earning client confidence in project deliveries. Vikram holds a Master's in Commerce and is a Fellow from III (Affiliated to CII UK). He has a Certificate in General Insurance from the Insurance Institute of America.