Nowadays, you can get insurance coverage for just about anything. Health insurance. Life insurance. Renter’s insurance. Pet insurance. Home and auto. Specialized coverage for disabilities, disasters, fires and floods. According to a humorous ad campaign by Farmers Insurance, you can even get coverage against Vengeful Vermin or an unexpected Cactus Calamity. Apparently, there are even policies covering alien abduction. But what about cyberspace? Now that we’re deep into the digital age, the insurance industry has mobilized to embrace the challenge of providing cyber security insurance to safeguard against the ever-increasing threat of online crime. Part of the challenge is that the economic impact of cyber crime is both astronomical and extremely difficult to quantify. A study by Cybersecurity Ventures estimates that cyber crime will cost the world $6 trillion a year by 2021.
Also complicating the cyber security insurance landscape, the nature of risk faced by companies is ever-changing as hacking strategies continue to evolve. As illustrated by countless high-profile examples of cyber attacks (Target, Uber, Anthem, Equifax, the FBI and NSA), the threat is urgent and the stakes are incredibly high. For example, Wired.com reports that the so-called NotPetya attack (The Most Devastating Cyberattack in History) cost an estimated $10 billion in damages, including $800 million in losses endured by the three companies hardest hit in the devastating 2017 incident, which is believed to have been perpetrated by Russian hackers. Though it is unclear how much coverage these companies had against this cyber nightmare, the crippling attack illustrates the phenomenally high stakes involved, especially when the targets are organizations whose operations are interconnected with our financial, energy, transportation and communications infrastructure. In this environment, fraught with previously unimaginable risk, cyber security insurance is fast becoming a necessary safeguard against the dark world of online evildoers.
What is Cyber Security Insurance?
There is something of a “Wild West” aspect to cyber crime. Virtual outlaws are constantly developing new methods to infiltrate their targets, as corporate security teams and law enforcement agencies struggle to keep up. This new reality has also placed pressure on the insurance industry to figure out how to handle this massive, relatively new category of risk and how best to protect businesses and organizations from potentially catastrophic breaches.
The fact that most general liability policies do not cover cyber-related risks has led to the emergence of standalone lines of coverage. However, the market for cyber security insurance is still in its relative infancy as entities like the Department of Homeland Security work to engage key stakeholders (academia, infrastructure owners and operators, insurers, chief information security officers, risk managers) and others to “expand the cybersecurity insurance market’s ability to address this emerging cyber risk area.” Most major carriers now offer a range of options for cyber security insurance, policies that are usually customized to the unique needs and risks of the insured.
At Travelers, visitors to the Cyber Liability Insurance page are informed that:”It’s not a question of if your organization will suffer a breach, but when.” Travelers, which offers distinct coverage for small businesses, bigger businesses across all industries, tech companies and public entities, says, “The right coverage your business or organization needs depends on your level of risk.”
According to CSOonline.com (“Insurers Working to Fill Cyberinsurance Data Gaps”), Travelers has hired technical experts, former FBI forensic investigators and former cyber crime prosecutors to better understand their customers’ security infrastructure and risks.
At Nationwide, “Cyber insurance generally covers your business’ liability for a data breach involving sensitive customer information, such as Social Security numbers, credit card numbers, account numbers, driver’s license numbers and health records.” The firm’s cyber insurance page also specifies coverage of the costs associated with:
- Legal fees and expenses
- Notifying customers about a data breach
- Restoring personal identities of affected customers
- Recovering compromised data
- Repairing damaged computer systems
According to Homeland Security, “Specialized cyber security insurance can provide protection against a wide range of cyber incident losses that businesses may suffer directly or cause to others, including costs arising from:
- Data destruction and/or theft
- Extortion demands
- Denial of service attacks
- Crisis management activity related to data breaches
- Legal claims for defamation, fraud and privacy violations”
The agency also suggests that a robust cyber security insurance market could help reduce the number of successful cyber attacks by:
- Promoting the adoption of preventative measures in return for greater coverage, and
- Encouraging implementation of best practices by basing premiums on an insured’s level of self-protection
Cyber Security Insurance Landscape Evolving to Meet Threats, Challenges
Responding to the types of risk now in play in cyberspace, many insurers now offer distinct options for first-party coverage and third-party coverage. According to DataJournalCenter.com (“Ten Things You Need to Know About Cybersecurity Insurance”), most businesses will need first-party coverage to protect against losses suffered by the insured, including reparations for:
- Damaged or lost digital assets, such as data and software
- Lost business opportunities or increased operational costs due to an interruption of the insured’s computer systems
- Cyber extortion if the hacker holds the insured’s data for ransom
- Money stolen through an electronic crime
Third-party cyber insurance coverage is typically geared toward third-party companies that manage the software, network or system that holds the compromised data; and may cover claims against the insured from outside parties, such as clients affected by the breach. Third-party plans typically cover costs associated with such issues as:
- Security breaches of employee confidentiality
- Lost customer data and information
- Customer notification after a security breach
- Public-relations efforts as well as combating defamation and intellectual-property violations
The DataJournalCenter.com report also warns that many cyber security insurance policies “do not cover theft of intellectual property and have a difficult time protecting against damaged reputations and lower sales.” The pricing of cyber security insurance remains an inexact science. The ability of underwriters to accurately assess and quantify risk continues to be a major challenge for the industry, and the cost of coverage can vary significantly. In fact, general questions around cost are often reframed to encourage company executives to consider the cost of NOT purchasing cyber security insurance. (According to Kaspersky Lab, in 2017 the average cost of a data breach for enterprises in North America was $1.3 million.)
With Billions at Stake, Cyber Security Skills Are at a Premium
The need to guard against this uniquely 21st century threat has itself become a trillion-dollar industry, as corporations and organizations around the globe ramp up their defenses by adding high-tech systems and hiring skilled cyber security professionals. In fact, the field of cyber security is expanding so quickly that there are an estimated 1 million unfilled positions worldwide (rising to 3.5 million by 2021). As academia and industry groom the next generation of cyber security professionals, one key area of need will be for cyber security experts who specialize in the complex and fast-evolving cyber insurance component. Overall, it is a time of opportunity for both:
- Cyber security professionals with expertise in insurance, and
- Insurance professionals with deep knowledge of cyber security