Inside the cyber boom

More organizations than ever are buying coverage, thanks to growing awareness of the impact of a cyber breach

Opinion

IT SEEMS hardly a day goes by without some sort of cyber-related crime or incident grabbing the headlines. The sheer scale of high-profile hacks has piqued the public interest and is starting to raise awareness around an issue that has the potential to cause catastrophic damage to governments, corporations and individual consumers.

Whether it’s the Yahoo breach that resulted in the theft of 500 million email addresses, the leak of then-candidate Emmanuel Macron’s emails days before the French presidential election, or the wide-ranging and multitargeted WannaCry and Petya attacks, there is a growing realization that a cyberattack really does have the potential to significantly impact our lives. The infrastructure and systems that underpin our societies are becoming increasingly vulnerable as cybercriminals hone their methods and sharpen their tools.

The most worrying reality is that highly publicized cyberattacks like WannaCry and Petya only represent a tiny percentage of the attacks that occur every day. Companies of all sizes in every industry are being targeted, and insurers in the cyber space have been forced to rethink their approach in order to keep up.

Responding to today’s threats
Ransomware – when a computer or network’s systems and data are encrypted until a ‘ransom’ is paid – remains a favored technique of hackers. As with other hacking strategies, ransomware attacks are growing in severity, and modern variants are now able to not just encrypt data, but also access and exfiltrate it.

“That is resulting in the need for more breach notifications – when an organization is mandated to report a breach that could cause significant harm to affected parties and regulators – than before,” explains Kari Stern, senior claims manager at NAS Insurance Services. “With older variants of ransomware, once a system was unencrypted, everyone would be back up and running. But now we have to determine whether or not information was accessed or exfiltrated and if there is the obligation to notify the consumer.”

Whether an organization actually has to pay the ransom depends on a combination of factors, including the computer system affected, the company’s backup capabilities and the variant of ransomware virus. Typically, a claims department will put the organization in touch with a vendor who specializes in ransomware and maintains a Bitcoin balance just in case a ransom has to be paid promptly. The vendor will also delve a little deeper into how damaging and how restrictive the breach has the potential to be. In some cases, a company has no other choice than to pay the ransom.

A ransomware virus usually enters a computer or network when the user clicks on a link on a website or in an email. Ransomware attacks don’t always involve extortionate sums. In the recent Petya event, hackers only demanded $300 for stolen data. Although $300 is nothing to huge organizations, the costs of an incapacitated system can easily climb into the millions. As a result, business interruption coverage has become a common feature of cyber policies; the payout is usually based on net profit loss suffered during the outage, although most policies have different provisions on how those losses are calculated.

The emergence of high-profile business interruption induced by ransomware attacks has been a new development in 2017, notes Pascal Millaire, vice president and general manager of cyber insurance for Symantec Corporation. Although Symantec has observed the creation of eight or nine new ‘ransomware families’ each month, the company has identified financial threats as being far more prevalent, although they tend to get less news coverage than ransomware, possibly because they have a less visible impact.

“With over 1.2 million annual detections in Symantec’s footprint,” Millaire says, “the financial threat space is 2.5 times bigger than that of ransomware, and some of these attacks can result in substantial insurance claims.”

Coverage for notification and breach response costs is a key component of the modern cyber policy. This feature covers the legal fees of attorneys who will be brought in to assess whether the organization is obliged to notify clients of the incident. If so, the attorney will draft a breach notification that is compliant with the laws and regulations of the state or province where each consumer lives – not where the company is based.

It’s likely that a broad cyber policy will provide coverage for a range of costly vendors and services, including credit monitoring, IT forensics and PR services. Regulations in certain states stipulate that the targeted organization must send out a media release if the data breach or hack surpasses a certain threshold.

“Another common type of coverage is related to regulatory defense, which provides coverage in the case of a government investigation into the cause of the breach,” Stern says. “The investigation will determine whether or not an insured was compliant with security protocols, which can also get expensive.”

Getting the word out
Historically, buyers of cyber insurance were predominantly large organizations in high-profile sectors, such as healthcare and financial services, which understood the risk of their data being breached. Regulations on electronic health records forced the healthcare sector, in particular, to become an early adopter of cyber insurance. But awareness of cyber risks has spread rapidly in recent years, and organizations in all types of industries are now seeing the value of cyber insurance. Millaire believes that two main factors are driving the boom in cyber insurance adoption.

“First, adversaries are increasingly targeting small businesses, which make up over 43% of all spear-phishing attacks, up from 18% in 2011,” he says. “Second, there is a growing awareness from high-profile outbreaks like WannaCry and Petya that no organization is immune to an attack, and carriers are looking at ways to meet that demand with insurance.”

The surge in cyber claims and the increasingly sophisticated nature of data-exfiltrating ransomware variants are, together, pushing up the cost of claims. More notification and credit monitoring expenses are being incurred as the frequency and severity of incidents escalate. However, the rise in claims costs has been offset somewhat by the specialist vendors and service providers who are flocking to the cybersecurity industry. There are more companies than ever doing credit monitoring, and more attorneys specializing in breaches. Vendor pricing has become more competitive as a result, which has helped to contain the cost of cyber insurance to a certain extent.

However, demand for cyber insurance shows no signs of abating, and market premiums are growing by around 35% per year in the US, Millaire says. In international markets, where cyber insurance policies are being introduced for the first time, growth rates are even higher. Predictably, more carriers are entering the space, hoping to cash in on the cyber boom and relatively low attritional loss ratios. As a result, it’s an increasingly competitive space, with more than 100 insurance organizations selling cyber insurance and more carriers entering the space each year.

“The concern is that many carriers are not quantifying aggregation risk with probabilistic cyber catastrophe models,” Millaire says, “and therefore there may be hidden financial risk to the balance sheets of insurers.”
