It has been said that the one constant in this world, and particularly in today's society, is change. This is certainly true for the insurance industry, especially with regard to cyber risk insurance. This evolving category of risk receives more attention each year, as incidents of varying types and degrees continue to surface. In addition to the already well-known incidents at Target and Anthem, the year 2014 alone brought two highly publicized massive data breaches, at Sony Pictures Entertainment and at JPMorgan Chase & Co.
One thing is certain: across all industry segments, the number of cyber attacks and security breaches, and the costs associated with them, are increasing. Two recent studies in particular support this viewpoint: the 2015 Verizon Data Breach Investigations Report and the 2015 Ponemon Institute Research Report.
First, the bad news
The Verizon Report identifies the top three industries affected by data breaches as Public, Information and Financial Services, while the Ponemon Report indicates that Health, Education and Pharmaceuticals are the industries with the highest per capita data breach costs. According to Christopher Liu, Head of Cyber Risk at AIG, the Healthcare and Education industries are most at risk for cyber attacks. The overriding message from both reports, however, is that no industry is immune to cyber attacks.
A broad view of the numbers tells us that there were 79,790 known security incidents globally in 2014, with 2,122 confirmed data breaches producing loss, according to the Verizon Report. Similarly, the Ponemon Report finds a 23% increase in the total cost of data breaches since 2013, as well as a 12% increase in the per capita cost. The data clearly shows that it is not only huge corporations that are susceptible to cyber attacks. In fact, a company is more likely to have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records. Additionally, recent data shows that 43% of cyber attacks are targeted at small businesses.
Reasons underlying higher costs
The Ponemon Report identifies three main reasons contributing to higher costs of data breaches in 2015. First, cyber attacks have increased in frequency with increased cost for remediation. Second, data breach costs are impacted by the consequences of lost business. And finally, costs associated with detection and escalation of data breaches are increasing.
With regard to the causes of data breaches or cyber attacks, the Verizon Report identifies the top four as miscellaneous errors, crimeware, insider misuse and physical theft. "Miscellaneous errors" appears to be a broad category, but it can be summarized as errors made by internal staff, such as opening a phishing email or failing to apply a patch or configure a firewall. Such errors can be further divided into three main categories: sensitive information reaching incorrect recipients, nonpublic data published to public web servers, and insecure disposal of personal and medical data. All of these incidents, however, can be traced to one common denominator: the user.
With risk increasing, as the data above indicates, it is reasonable to assume that it is no longer a question of whether a business will be subject to some level of cyber attack, but when and how. Knowing this, what can a business do to mitigate the risk and the damage?
Professional consultants dealing with cyber security agree that preparation is the key. Developing a compliance work plan that includes codes of conduct, training, incident response procedures and vendor contract requirements is a good first step. In addition, according to Austin Berglas of K2 Intelligence, the quickest and easiest security measure a company can take is to identify unpatched vulnerabilities in its software, followed by installation of tested patches on a regular basis.
Furthermore, certain industries are starting to mandate that specific regulatory compliance criteria be met, and the insurance industry is taking note. Sera-Brynn, a global cybersecurity audit and advisory firm headquartered in southeastern Virginia, is working with numerous government and private sector markets to help incorporate those standards into everyday business practices and audit against them.
"Within the retail industry, PCI DSS is still the standard," said Rob Hegedus, CEO of Sera-Brynn. "But we're starting to see a trend toward the cybersecurity standards outlined in NIST Special Publication 800-171 becoming the compliance baseline across numerous industries. For example, the Department of Defense has mandated it for private sector contractors and subcontractors with a 2017 compliance deadline, and an effort led by the Department of Treasury is moving the Financial Services industry to use NIST SP 800-171 as their standard."
Creating a sounder cyber risk policy
Despite the best efforts at prevention, however, the risk of cyber attacks and breaches remains great. As Berglas points out, a company can spend thousands, if not millions, of dollars on a security system and firewalls, and yet with one click by the wrong employee on a phishing email, all of those defenses are compromised and the criminals are inside the system, undetected. Unfortunately, cyber criminals are becoming more sophisticated and more effective at staying ahead of the best defenses. This is why a robust cyber insurance policy is critical to a company being properly protected.
Unlike other coverage forms, there is no established standard cyber insurance form used by carriers in the standard commercial insurance market. Although most policies provide third-party liability coverage as well as first-party coverage for loss of or damage to property, there is wide variation in the other coverages a business may need. More specifically, businesses need to know whether coverage is provided, and at what level, for:
• regulatory actions
• incident response costs
• credit and identity monitoring
• transmission of viruses
• business interruption and extra expenses
• extortion expenses
• data loss and restoration
A careful review of coverage is critical, because the particular coverage that matters most to your business could be excluded, or limited in scope or amount.
A captive is an excellent vehicle for providing coverage for cyber risks, as it has the flexibility to tailor coverage to the specific needs of your business. A captive manager experienced in cyber risks and coverage can help you identify and evaluate the risks applicable to your operations, so that appropriate policy language, terms and limits can be used to properly protect your business and its assets. Cyber risk is certainly here and rapidly increasing, but you can reduce its impact on your business with the right combination of security measures and proper insurance. And for insuring cyber risk, a captive may well be your best solution.