This is the second part of a two-part article. To read the first part, click here.
Anatomy of a data breach
The signature exposure in the cyber sector is the data breach. Data breaches can involve protected health information; personally identifiable information such as social security numbers, credit/debit card numbers and email/user names/passwords; and trade secrets or intellectual property.
The magnitude and cost of a breach varies depending on the number of identities that have been exposed. Generally speaking, the greater the number of identities, the more serious and expensive the breach, although in some cases, a small number of records containing sensitive corporate or personal information can be equally devastating.
Data breaches can happen in many different ways. The Identity Theft Resource Center currently tracks seven categories of data loss methods: insider theft, hacking, data on the move, subcontractor/third party, employee error/negligence, accidental web/Internet exposure and physical theft. Often, Suhs says, criminals use malware to infiltrate an organization’s electronic network via email attachments. If someone on the receiving end of such an email opens the attachment, the malware penetrates the organization’s electronic network, making its contents available to the criminal, who can then sell valuable information stored in the network through underground cybercrime shops or distribute it to others.
The spectacular breaches that hit major retailers Target and Home Depot in 2013 and 2014 stemmed from BlackPOS, a malware strain designed to siphon data
from cards when they are swiped at infected point-of-sale systems. In both cases, hackers used a vendor’s stolen log-on credentials to penetrate the retailer’s computer network and install the custom-built malware.
Spear phishing is another way criminals can access an otherwise secure electronic system. “An email that appears to be from an individual or business that you know is actually from criminal hackers who are after your credit card and bank account numbers, passwords and financial information such as online banking credentials,” Barnett explains.
Innovation in the cyber sector Most of the innovation in the cyber sector today is occurring in response to cyber crime. One of the biggest evolutionary steps has to do with cyber attacks that relate to control systems that, if breached, can result in physical damage to property or harm to people.
“With all the systems automation, everything is run by software, and so many areas of an organization are open to the Internet,” Barnett says. “Even if it’s not meant to be a public website, expert criminals know how to get into a system and not just steal data, but upset functions of a manufacturing or utility company.”
A non-data breach can have ripple effects well beyond the entity that’s been hacked. If a utility company gets shut down, it can impact tens of thousands of customers who rely on electricity to run their businesses, leading to a wide ring of business interruption claims ultimately relating back to the software issue or cyber breach.
“That’s the big, scary risk,” Barnett says. “When the US Department of Commerce has a cybersecurity office, they are concerned about someone taking control of a nuclear power plant, somebody hacking into and shutting down the power grid, or somebody getting into a water supply system or drug manufacturing plant.”
Such a breach on the government level could be the result of state-sponsored cyber terrorism. “But at the same time, you can imagine the evolution of corporate
espionage, when competitor A wants to take down competitor B, what they can do to disrupt their competitor’s business,” Barnett says. “That’s an emerging risk where cyber liability insurance is now starting to fit in.”
Another new type of coverage has been developed for incidents where a cyber criminal extracts money from a corporation or organization through a phishing scheme known as a business email compromise. In a typical scenario, the cyber criminal will gain access to and monitor the organization’s email traffic stream and spoof an email account from an executive, sending an email requesting that the recipient wire funds to a fralent account.
According to a recent FBI report, there has been a 270% increase in these types of attacks since January 2015. The scam has been reported in all 50 states and in 79 countries, and total dollar losses have exceeded $740 million.
A shifting paradigm
While it’s absolutely vital for companies and organizations to take measures to protect themselves from data breaches and cyber attacks, “in the end, if a state-sponsored group or sophisticated hacker wants to get into your network, they are going to find a way to get in,” Suhs says.
Indeed, there’s a saying among security professionals that “either you have been data breached, or you just don’t know that you’ve been data breached.” But the sooner the breach is discovered, the faster it can be remediated and contained. “The primary benefit of the cyber liability product is that insurers have pre-negotiated rates with third-party service providers who are experts for loss control, forensics, identity and credit monitoring and public relations to help mitigate the breach,” Suhs says.
Risk management services remain an essential part of the cyber liability insurer’s role as well. Many insurers now offer multifaceted risk management programs; benefits range from hotlines to loss control portals to on-call chief security officers assigned to each insured’s account. For producers looking to capitalize on the
cyber sector, Barnett sums up his advice in just two words: get smarter.
“The more knowledgeable and engaged you can be about cyber risk and what to be looking for in a cyber policy, the more it’s going to help you be a much more trusted partner and advisor, not just a product salesperson,” he says.
“There is a huge need in the market to have more brokers and underwriters who specialize in this risk,” Grella adds. “It’s a dynamic environment, and it’s changing all the time. There are lots of opportunities to be creative, and lots of opportunities to really impact our clients by helping them better understand something that’s so challenging and so important.”
