Publication Date: July 8, 2016
In this second in a series of articles, cybersecurity expert John Reed Stark explains the necessity for stand-alone cyber policies.
The time is now for stand-alone cyber insurance. The tensions between traditional insurance policies and data breach coverage have prompted the dawning of a new era of stand-alone “cyber insurance.” And this new era has only just begun. Global insurance broker Marsh LLC recently reported a 27% increase in stand-alone cyber insurance purchases by its U.S.-based clients in 2015, continuing a pattern of strong growth, while PricewaterhouseCoopers estimates that annual gross written premiums for cyber insurance will increase from about $2.5 billion in 2015 to about $7.5 billion by the end of the decade.
Clearly, stand-alone cyber insurance will become yet another basic element of a company’s insurance coverage, just as property insurance and health insurance are. Many companies might even find their customers demanding that they carry cyber insurance as a matter of good business practice. Here are three important reasons why:
- Professional liability insurance, business interruption insurance, general liability insurance and property insurance might not cover many of the costs associated with cyber-attacks. Unfortunately, companies are finding this out only after an incident. Despite at least one recent victory for the insured, the embryonic case law (with very little appellate-level authority) concerning insurance and data security incidents remains all over the map and evidences the uncertainty as to exactly which cyber-related incidents are covered by traditional insurance policies. Coverage depends on the nature of the breach, the relationship of the parties, the type of information at issue (such as personal information, intellectual property, trade secrets and emails), the precise form of the operative policy and, for third-party liability claims, the allegations asserted and the type of damages sought.
- Companies that maintain cyber insurance may have the best cybersecurity policies and practices. Before obtaining cyber insurance coverage, a company typically undergoes a fairly rigorous underwriting process. Just as the physical exam typically required by insurance companies before issuing life insurance can prompt better personal wellness practices, a cyber insurance exam can prompt better company cybersecurity wellness. Relatedly, while it has been suggested that having insurance encourages companies to slack off on security, some research suggests the opposite, i.e., that companies with good cybersecurity practices are more likely to purchase insurance.
- Companies falling victim to a cyber-attack should not expect any assistance or even compassion from the government. In fact, companies should expect quite the opposite for several reasons:
- First, the U.S. government is overwhelmed with protecting the nation’s own infrastructure and does not have a SWAT or other rescue team standing by to assist U.S. companies after a cyber-attack;
- Second, while it may seem counterintuitive, state and federal agencies often pursue cyber-attack victims not with a helping hand, but instead with subpoenas, enforcement actions and an onslaught of lawsuits. Furthermore, state privacy statutory regimes and a growing range of federal agencies each wield their own unique set of rules, regulations, statutes and enforcement tools; and
- Third, the public’s (and Congress’) perception of cyber-attack victims has sadly become not one of understanding or empathy, but rather one of suspicion, skepticism and even vilification.
The Increasing Cost of Data Breaches. Given the rising costs of data breaches, the growth of the cyber insurance market is not surprising. Two separate recent studies by the Ponemon Institute and Deloitte Advisory found traditional data breach costs are on the rise; at the same time the hidden costs of data breaches also are proving to be far more expensive than anyone has predicted.
The annual Ponemon Cost of Data Breach 2016 report, whose early benchmark statistics show significant cost increases, found that the average cost of a breach has jumped past $4 million per incident, a 29% increase since 2013 and a 5% increase since 2015.
Meanwhile, Deloitte Advisory services recently found that damages sustained from a cyber-attack could be much higher than those outlined by Ponemon and present themselves many years after the breach. Deloitte's report, “Beneath the Surface of a Cyber-attack,” showed that in addition to the well-known costs like breach notification, post-breach protection and technical investigations, hidden costs also present themselves (such as insurance premium increases, increased cost to raise debt and devaluation of trade name).
Deloitte estimates that known costs may account for less than 5% of total business impact. In one composite model, Deloitte found that cyber-attack costs to a health care company amounted to $1.6 billion due to a significant breach of patient records, with only 3.5% of those costs coming in the form of “above the surface” costs. The costs under the surface can ripple outward, including temporary or even permanent brand and reputation damage; loss of productivity; extended management drag (especially due to class action lawsuits); and a negative impact on employee morale and overall business performance.
The Wild, Wild West. Though Jimmy Durante could insure his nose ($50,000), Julia Roberts can insure her smile ($30 million) and Bruce Springsteen can insure his vocal cords ($6 million), it can be far more challenging for public and private companies hoping to insure themselves against the considerable and far-reaching breadth of cyber-attacks. In short, given the litany of uncertainties and what some insurance professionals have referred to as the “actuarially immeasurable” results of cyber-attacks, the market for insuring against cyber-attacks is the Wild, Wild West, replete with high premiums, low coverage, broad exclusions and scant legal precedent.
For starters, though the market for cyber insurance continues to evolve and grow dramatically, no standardized cyber insurance policy language has yet materialized. The cyber insurance market is flying blind: there is no proven road map for analysis, no archive of statistically significant empirical data and no accepted algorithm for quantifying cyber-attack risk. The actuarial challenge of predicting both the probability and the impact of a cyber-attack therefore makes it difficult to match a cyber insurance policy with the unique risk profile of today’s global and technologically sophisticated companies. Not only do insurance analysts face these difficulties, but so do the most experienced companies.
Meanwhile, the complexity, sophistication and variety of a new wave of cyber-attacks continue to swell. So-called “hacking” is dying from the cyber lexicon along with the historically simplistic and naïve image of mischievous teenagers wreaking havoc from a server in their parents’ basement. What has replaced these now-antiquated notions is a litany of new cyber-attack root causes with dramatically expanding attack vectors, including: denial of service assaults; malware intrusions; advanced persistent threat (or “APT”) campaigns; rogue employee and “bad leaver” episodes; social media exploits; mobile device attacks; ransomware demands; cloud computing infiltrations; and human error events.
How can an insurance company possibly organize and mitigate such a dynamic and ever-changing array of risks into a cohesive, logical and effective cyber insurance policy? Gauging a company’s security posture has turned out to be a far more complex endeavor than anything the insurance industry has mastered before, such as assessing human life expectancy or driving records. Even the U.S. Department of Homeland Security has officially acknowledged that the cyber insurance market remains confusing for most companies and can be overlooked for all of the wrong reasons, stating in a recent report:
“Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. A robust cybersecurity insurance market could help reduce the number of successful cyber-attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection. Many companies forego available policies, however, citing as rationales the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organizations will suffer a cyber attack.”
Convinced your company needs cyber insurance? In our next article in the series, John will offer tips for navigating the complex cyber insurance marketplace.
Read the first article in this series: Cyber Defense in the Boardroom: Leveraging the Financial Oversight Paradigm >>
John Reed Stark is President of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, "The Cybersecurity Due Diligence Handbook," available as an eBook on Amazon, iBooks and other booksellers.