In October 2015, UK telecommunications company TalkTalk reported a cyber-attack on its website. Nearly 157,000 customers were affected. The data accessed included bank account numbers, sort codes and even some credit card details. While the compromised information was not substantial enough to allow serious fraud to be committed, the costs to TalkTalk were significant. Figures released by the company in February 2016 indicated the incident had cost it £60m ($76.5m) and prompted the departure of 95,000 customers. To add insult to injury, the heist had been pulled off by a teenager.
By the very nature of online systems, there will always be the potential for similar attacks to occur in the future. While companies have a number of defensive tools at their disposal, no security measure will ever be bulletproof. In fear of suffering a similar attack, businesses have done what they always do in the face of an unavoidable risk: they have taken out insurance. Established insurers have subsequently developed products to cover this risk, mitigating the potential costs of a hack or breach.
While fundamentally a sound idea, cyber-insurance raises a number of questions: principally how insurers treat it, how effective it is at reducing cyber-attacks, and how broad its coverage is. These are questions that need to be answered. For a risk evolving as quickly as cybercrime, a company's requirements of its cyber-infrastructure are shifting faster than its insurers are. Additionally, insurers are currently underutilising data that could entirely change the face of cybersecurity. As digital infrastructure becomes ever more important, these changes cannot happen fast enough.
The large-scale attacks on companies like TalkTalk and Sony have fuelled CEOs’ fears that their businesses could be next; making cyber-insurance seem like the next logical step when protecting their investments. Generally, cyber-insurance policies cover a mixture of first and third-party losses that stem from a cyber-attack. First-party coverage accounts for the direct cost to the business: cleaning up in the immediate aftermath of a cyber-attack by replacing damaged systems and compensating for the loss of productivity while the breach is examined in greater detail. Third-party coverage then deals with the claims of those individuals who have suffered at the hands of the cyber-attack – through the leak of personal information, for example. Defining a cyber-attack can be a little less straightforward, however. These events can range from an employee losing a USB stick containing critical data, to a full-scale breach on an international level.
Although the market has recently slowed, the cyber-insurance sector has proven to be one of the biggest growth areas for insurers in recent years. A report compiled by PwC in September 2015 estimated the global cyber-insurance industry could grow to $7.5bn in premiums by the year 2020 – suggesting companies will continue to attribute greater value to both their data and digital infrastructure. Traditionally, security measures were thought to be enough to protect against intrusions, but, with the seeming inevitability of a breach, insurance has become a necessary supplement. However, the benefits insurance typically provides to motorists and property owners are yet to fully translate to cyber-policies.
In 2014, PF Chang’s – a casual dining restaurant chain with over 200 locations in the US – fell victim to a data breach. The breach affected 33 branches and compromised the credit card information of 60,000 customers. The company was covered by a Chubb cyber-insurance policy taken out with the Federal Insurance Company. The policy covered the costs associated with investigating the breach, legal advice and the management of its obligation to notify both customers and the authorities.
Despite this, in May 2016, an Arizona court rejected PF Chang’s efforts to recover the additional $2m it required to reimburse the issuing companies whose credit cards had been used to make fraudulent transactions. The policy stated it was designed “to address the full breadth of risks associated with doing business in today’s technology-dependent world”, and, as a result, PF Chang’s believed this cost would be covered. Chubb, however, successfully argued the policy did not cover liabilities PF Chang’s had assumed under any external contract or agreement. By extension, the reimbursement dispute was PF Chang’s own to manage.
The case of PF Chang’s is one that should have any business poring over the wording in its own cyber-policy, ensuring it has a comprehensive understanding of exactly what it is, and what it isn’t, covered for. However, the complexity of these policies, and the number of parties involved in a cyber-breach, make cases like this inevitable.
Sasha Romanosky, a policy researcher at the RAND Corporation, is investigating the way cyber-insurers assess risk and calculate their policy fees. Speaking to World Finance, Romanosky said policies often include or exclude certain events based upon the insurer’s past experience of a product – cyber-insurance has inherited a lot of these conditions. “Say we’re talking about kinetic warfare and a government or country is bombing a whole city, the insurance company isn’t going to be able to pay out all of those losses on all of those claims”, Romanosky said.
Cyber-insurance – now almost 15 years old – is far younger than the majority of insurance markets, meaning laws and coverage are still being tested. Romanosky believes that as more cases emerge, policies will evolve. Unfortunately for PF Chang’s, the company acted as the proverbial canary in the coalmine of cybersecurity litigation.
Romanosky said: “I suspect this will reach an equilibrium, where people will kind of understand what the playing field is. The early companies that try to file these claims under the policies and were denied, that will change. There’s a self-correcting mechanism going on where companies should be informed, either by their brokers, insurance companies or their peers, to clarify these rules and help them figure out what’s covered and what’s not.”
But this lack of clarity isn’t exclusive to companies; insurers are still coming to grips with their cyber-policies, too. A recent survey conducted by PivotPoint Risk Analytics, SANS Institute and Advisen found a number of major gaps exist between the cyber-insurance market and cybersecurity professionals. One problem is the terminology different professionals use, particularly when discussing the concept of ‘risk’. Security experts use the term to mean the vulnerabilities in a system, while insurers interpret it as the monetary cost of a breach. Another problem is the differing views on which cybersecurity measures matter most, and on how much should be invested in cybersecurity relative to cyber-insurance. All these issues have culminated in a lack of confidence. According to the study, only 48 percent of chief information security officers and other security professionals find cyber-insurance ‘adequate’ when recovering from a breach.
Given most companies are now highly dependent on their cyber-infrastructure, it’s easy to wonder why cyber-insurance is a separate product from general liability insurance. Romanosky said that, while he did not know for certain, there was a chance this was because policy limits on cyber-products are much lower. Romanosky said: “So they have an interest in creating a separate book of business that is cyber-policies, where the limits are a lot lower, to manage their costs. I’m guessing because of uncertainty in any kind of claims that might be filed. That’s a speculation of strategy, I don’t know if that’s actually true, but it’s an interesting story that I heard.”
Many will be hoping the research conducted by Romanosky will provide more clarity and transparency within the industry.
It’s unfortunate cyber-insurance is deficient in all these areas. With the figures cyber-insurance companies have access to, they have the potential to provide unrivalled insight into cyber-attacks and why they happen. By analysing this information, they should be able to determine the biggest risk factors and ultimately encourage better general cybersecurity as a result. Despite this, Romanosky says insurers are yet to address this issue: “I don’t know why they don’t do it. It seems crazy to me because you’d think they have floors of actuaries who would do this kind of thing, but in my conversations no one has really gotten there.”
While it offers clear benefits to organisations around the world, the cyber-insurance market remains relatively immature. Substantial redevelopment is required before companies can be confident in their decisions and feel fully protected by their policies. Insurers have already achieved this feat in the automotive and property sectors, so there seems little reason the same can’t be accomplished in the cyber domain. Cyber-attacks don’t just harm companies, but individuals as well, so the sooner insurers make the effort the better. Enforcing greater protection standards through well-formulated policies could greatly reduce the exposure of personal details, breeding confidence and providing clarity in a sector riddled with uncertainty.