De-risking Cyber Threats with Insurance
Management of risks is an integral part of the insurance industry. Companies have succeeded in identifying and managing risks; however, the nature of risks has changed. Today, cyber risks can destroy the business and its reputation because of rapid growth in the number of cyber attacks. Organizations need ways to manage cyber risks outside of their risk appetite. Beyond providing insurance, insurance companies are using best practices and following regulations to strengthen insurer defenses against cyber attacks.
Cyber Crime Rears its Head
Along with development comes attached threats and while cyber risks have been around since the early 1990s, the solutions to deal with them have also seen steady growth. During the early days, cyber insurance coverage primarily addressed defacement and liability arising from domain name infringement. However, there has been a rapid growth in the number of cyber attacks especially in the recent years. The number of zero-day vulnerabilities discovered has doubled since 2015. Industry reports suggest that cybercrime is expected to cost the world more than $6 trillion by 2021, up from $3 trillion in 2015.
As the cyber threat landscape continues to evolve, certain types of attacks are becoming increasingly common. Digital data breach, loss, and theft continue to be the leading types of cyber events; phishing attacks, too, have gained momentum, especially between 2013 and 2015.
Network-disruption events (such as denial of service attacks) have also seen an increase in recent years. The more the people are inclined to electronic communication, the more the opportunity for bad actors to cause diiculties for business and public. According to the Herjavec Group, cybercriminals pocketed over $1billion from ransomware attacks, during 2016 alone, with the total number of ransomware incidents increasing by a whopping 748%.
Based on the comprehensive analysis, researchers concluded that cyber security majorly hit these three industries:
- Finance and Insurance
- Healthcare and Social Assistance
- Public Administration
Cyber criminals targeted these industries because of easy availability of sensitive financial and personal identifiable information. Now, with the digitalization wave, the risks are continuously expanding.
Save for LaterDownload White Paper
Need for Cyber Insurance
In today’s world, no one is safe from cyber attack—whether it is an individual, small business, or large companies. The existing business and standard insurance policies are not enough to cope with the impact caused by the cybercrimes. In most cases, a regular business interruption policy is not enough to compensate the insured if the systems fail because of a malicious employee, computer virus, or a hack attack. Identity theft, telephone hacking, and phishing frauds are real possibilities that are not covered by traditional business interruption policies. When it comes to loss of customer data due to a cyber attack, the penalties might be rigorous. For instance, there are severe penalties for losing credit card data. Merchant service agreements mean that you will be responsible for the expense of forensic investigations, credit card reissuance costs, and the fraud conducted on the stolen cards.
Social media sites too are exposed to cyber risk due to their interactive nature. All this leads to defamatory statements, leaked information, and copyright infringement, which can lead to huge impact running into hundreds of thousands of dollars, if not covered.
Managing Cyber Risk
All new technologies come with a certain risk. Once these risks are identified, understood, and quantified, they can be avoided, controlled, combined, retained, or transferred using insurance or other risk-management techniques.
For example, if you own a computer, you are at risk. If you have a computer connected to the Internet, you are at greater risk. If you use a computer to send and receive email, you are at risk. If you store anything on the computer, you are at risk. If you let employees place sensitive information on a laptop, your risk increases. If you allow employees to use memory sticks or thumb drives, you are at risk. Nearly, anything you do with a computer creates risk for you. The cyber risks for a business are almost endless. As data breaches occur more frequently, there are additional pressures for businesses to step up efforts to protect the personal information in their possession. In fact, there is legislation requiring the protection of personal financial information and personal health information. Some of the key risks associated with the use of computers are:
- Identity theft involving security breaches, where a hacker steals sensitive information
- Business interruption from a hacker shutting down a network
- Damage to a firm's reputation
- Theft of valuable digital assets, including customer lists, business trade secrets, and other similar electronic business assets
- Introduction of malware and other malicious computer code
- Human error leading to inadvertent disclosure of sensitive information, such as an email from an employee to unintended recipients containing sensitive business information or personal identifying information
- Cost of credit monitoring services for people impacted by a security breach
- Lawsuits alleging trademark or copyright infringement
Applying avoidance by selling all of your computers is probably tempting on some days, but is not generally the risk management technique of choice. Hence, the best way to manage these risks is by seeking insurance for cyber risks
Has Insurance Penetrated the World of Cyber Risk?
The answer is yes! Cyber liability insurance has been around in the market for several years, but is rarely purchased. With an increase in the kind of exposure and impact of cybercrimes, its importance is being felt more. Having cyber insurance mitigates the risk exposure of individuals and businesses by offsetting costs involved with recovery after a cyber-related security breach or similar event. Cyber insurance protects networks, computers, programs, and data from attack, damage, or unauthorized access. This also includes coverage from loss of profits because of a system outage caused by a non-physical peril such as a virus attack. Additionally, it also provides coverage to the public relations firm to repair any damage done to the insured’s brand.
Risks Covered by Insurance Carriers
Cyber Insurance Demand by Industries
There has been an increase in such demand from the healthcare industry. Retail and financial services follow closely behind healthcare but score high in cyber insurance demand. However, Information Technology features somewhere in the middle of things.
Cyber Insurance Demand by Coverage
Coverage for business interruption is the first choice along with increase in demand for expense to Regulatory Defence. Although ‘Internet Media Liability’ is the least in demand, it has good percentage.
Top Risks for which Insurer Carriers are Least Prepared
Key Cyber Risks Causing Economic Loss
Strengthening the Role of Insurers via Regulation
The recent growth in the number of data breach related cases have alarmed the regulators to work toward strengthening insurer defences against attacks. NAIC (National Association of Insurance Commissioners) and State insurance regulator are working collaboratively with other Financial Regulators, Congress, and the President's Administration to identify specific threats and develop strategies to protect the financial infrastructure of the US insurance commissioners. The NAIC and State Insurance regulators are tackling cybersecurity issues through the following means to protect the customers:
- Insurance data model law to establish standards for data security
- Roadmap for cybersecurity consumer protections
- Principles for effective cybersecurity; Insurance regulation guidance
- Reporting requirements for insurers to track cyber insurance policies issued in the market place
Trends in Cyber Insurance
All new technologies come with a certain risk. Once these risks are identified, understood, and quantified, they can be avoided, controlled, combined, retained, or transferred using insurance or other risk-management techniques
Cyber risk is complex and forever changing. Attacks and incidents are increasing with costs climbing into multi-million dollars. There are certain risks around data breaches with potential for significant business interruption that have caused much concern. The top five trends in cyber risk domain are listed below:
- Increasing interconnectivity and “commercializa- tion” of cyber-crime driving greater frequency and severity of incidents, including data breaches
- With the possibility of data protection legislation toughening globally, more notifications and significant fines for data breaches in future can be expected
- Growing risk potential of business interruption, intellectual property theft, and cyber-extortion
- Significant threat from vulnerability of industrial control systems
- Absence of a sure-shot solution for cyber security
The NIIT Technologies Thought Board:
De-risking Cyber Threats with Insurance
Cyber Insurance: Next 10 Years
Globally, the cyber insurance market is estimated to be worth around $2 billion in premiums, with the US accounting for approximately 90%. The cyber market is growing by double-digit figures year-on-year, and could reach $20 billion or more in the next 10 years.
Growth in the US is already underway as data protection regulations help focus minds, while legislative developments and increasing levels of liability will see growth accelerate in the rest of the world. Growth in the cyber insurance market will also be driven by increasing demand for business interruption (BI) coverage. Awareness of BI risks and insurance related to cyber and technology is growing. Within the next five to 10 years, BI will be seen as a key risk and a major part of the cyber insurance landscape.
- Cyber Security, Risk Barometer surveys, Allianz.
- 2015 Cost of Data Breach Study: Global Analysis, Ponemon Institute
- The Global State of Information Security Survey, PricewaterhouseCoopers
- Novarica Report, Sites like Forbes, Reuters, Guardian, Money.cnn, Telegraph for information on cyber security
About the Author
Vikram Singh works as Practice Lead for insurance. He is a Business SME, bringing over 20 years of rich exposure in success- fully executing and designing insurance solutions for various clients across the globe. His vast insurance domain expertise along with in-depth experience of variety of insurance products has been instrumental in bringing quality, innovation, and earning client confidence in the project deliveries. Vikram has done Masters in Commerce and is a Fellow from III (Ailiated to CII UK) and a Certificate in General Insurance from Insurance Institute of America