The biggest retail hack in history wasn’t particularly inventive – but it certainly was effective. In the days prior to Thanksgiving 2013, a cybercriminal installed a basic malware virus onto the security and payments system of American retail giant Target. Consequently, each time a customer’s credit card was swiped in one of the chain’s 1,800 stores, the virus would step in and store those secure numbers onto a commandeered server. By the time Target had caught on to the scheme, the damage had already been done.
Within weeks, more than 90 lawsuits had been filed against the retailer for compensation. Just two months after the holidays, Target had already been forced to shell out some $61m in order to settle those suits. However, analysts estimate it will ultimately cost the chain hundreds of millions before they are able to regain lost ground. That may take quite some time.
The cyber-attack unsurprisingly crippled consumer confidence in Target. After the retailer issued a public warning about the breach, Christmas shoppers avoided Target like the plague. Quarterly profits plummeted by 46 percent year-on-year. Almost a year later, the firm has yet to come even remotely close to making up the difference; however, Target is by no means the only firm to run afoul of cybercriminals in recent years.
Expect the unexpected
Cybercrime is without doubt evolving into the globe’s easiest and most lucrative method of delinquency. From phishing and cyber extortion to software piracy and the theft of intellectual property, an ever-shifting technological topography makes it nigh impossible to keep up with criminals intent on hacking corporate infrastructures.
According to one PwC survey, almost a quarter of companies reported falling victim to some form of cybercrime in 2013. Yet the UK government reckons that figure is substantially higher, as a vast majority of security breaches among smaller firms tend to go unreported. Regardless of whether said crimes are being made public, they’re certainly costing firms a pretty penny. The average price tag of those crimes currently sits at some $4m per company. Every year, the global cost of cybercrime comes in at some $388bn – with an annual direct cash cost of $114bn.
In the UK alone, cybercrimes are estimated to cost approximately £27bn per year. Yet when taking into consideration the price of lost intellectual property and necessary expenditures to resolve cyber-attacks, experts say the annual price tag for cybercrime has already hit well over $1trn. With that in mind, it only makes sense that firms are desperately scrambling to try and mitigate those costs. One of the simplest ways to do that is to invest in corporate cybercrime insurance.
Defining the undefinable
It would be foolish for a firm to disregard investment in IT security technologies for everyday protection. Yet the very nature of cybercrime is ever-changing, and there has yet to emerge a cyber-security firm able to churn out protective software as swiftly as criminals can produce new viruses.
Corporate entities, therefore, have two realistic options with which to prepare for imminent cyber-attacks: they can assume the risk internally by self-insuring, or they can transfer that risk externally by purchasing cybercrime insurance (see Fig. 1). While the latter may certainly appear to be more costly in the long term, the cybercrime insurance market is slowly but surely proving its worth by transforming the way analysts look at corporate risk. In particular, emerging cybercrime products have recently exposed gaps in the market that insurers appear to have been ignoring for far too long.
Traditional property and business interruption policies, for example, tend not to cover damages resulting in a loss of power supply or software corruption. Likewise, most corporate theft policies are limited to the coverage of tangible assets. On the other hand, digitally stored data is classed by most insurers as intangible, even if it is instrumental to a firm’s success – such as a digital version of Coca-Cola’s coveted secret recipe.
With so many gaps to fill, global insurers have been forced to develop a number of all-encompassing plans with which to offer corporations some relative peace of mind. Firms like Chubb Group and Marsh have already found early success in the market by consolidating various coverage gaps so that firms have access to affordable options that address emerging cyber threats.
New first-party plans, for example, protect against losses occurring directly to the insurance holder by mitigating asset damage pertaining to data and software, and loss of business due to interruption from a cyber-attack. Meanwhile, third-party policies tend to include downstream network security liability that sees victims and customers receive an automatic payout in the wake of an attack. Most products are also designed to incorporate media liability coverage and protect against IT negligence.
More important still, Chubb’s CyberSecurity features in-built protection against lawsuits alleging unauthorised access of private information. Every month, more and more insurers are wading into the cybercrime market in a bid to provide companies with wide-ranging products they can take on to mitigate new online threats. Yet it’s worth noting that many of said insurers are already finding it exceedingly difficult to analyse incoming claims that stem from these new products.
Cybercrime is a relatively new type of commercial risk; therefore, insurers are currently faced with a whole range of dynamic challenges that may prevent the widespread availability of cybercrime insurance. First and foremost, the inherent nature of cybercrime risk means that predicting the probability of occurrence and the impact it may have on a business is flimsy at best. Because security breaches often instigate a proverbial domino effect on long-winding business chains, it’s not easy for analysts to quantify those impacts.
Despite an up-and-coming plethora of product options, firms in search of cybercrime coverage may also find themselves hard-pressed to locate an insurer that issues concrete definitions of what constitutes such a crime. Various domestic regulations on cybercrime may be inherently hindered by geographical limitations that criminals can avoid relatively easily – muddying waters further still. Additionally, the possibility of substantial losses means there is little room for reinsurance within the market.
Yet with cautionary tales of firms run aground by cybercrime becoming increasingly commonplace, these challenges should hardly put off a company from investing in a cybercrime insurance package. First, though, there are plenty of preventative measures firms should take that will not only help to defend against the probability of cyber-attack, but will also subsequently make insurers more confident about extending coverage.
Prepare for the worst
When developing any IT security plan, companies should start by identifying the specific risks to their particular business. An inventory of critical electronic data such as supplier information, product specifications and employee records should be created so that adequate blanket controls can be implemented to prevent leakage.
A similar process should be followed in respect of a company’s online content. Websites, intranets and apps are easy prey for many hackers; therefore, safeguards need to be implemented so that the process for adding or removing content is tightly monitored.
Another consideration many young companies may be neglecting is whether they have plans in place for manual workarounds to mitigate the impacts of an IT crash on critical systems, such as payroll and finance. Once a company is able to come to terms with the extent of potential exposure to cybercrime, a lot of relatively simple mechanisms can mean the difference between life and death. As always, it’s worth starting with the basics. Improved physical security at operating locations can drastically improve access controls for online systems.
Meanwhile, IT departments would do well to install segregated networks that isolate critical business information and prevent cross-contamination, should a virus strike. Clear-cut legal controls also make it far easier for insurers to mitigate the risks of losing what a firm perceives to be its intellectual property. Patents and copyrights must be stringently protected where possible, and confidentiality clauses should be included in all business contracts.
With cybercrime on the rise, there are very few corporations that could ever hope to fully mitigate the risk of attack by way of self-insurance. Yet by actively pursuing viable lines of defence and prevention, firms of all shapes and sizes are able to make it simpler than ever for insurers to extend cyber coverage.
In PwC’s latest crime survey, almost half of companies said their perception of cybercrime risk had increased substantially over the past year. As concerns among those companies continue to fester, analysts are expecting a major uptake in cybercrime coverage. Only time will tell how the market will be forced to respond to those new products, and whether traditional corporate policies follow suit.
After all, cybercrime insurance is a developing market that comes hand-in-hand with many challenges. The break-neck speed of evolutionary digital crime methods means that insurers are already being forced to regularly reassess the definitions they use in order to analyse claims. Yet growing concern among fledgling firms suggests the benefits of investing in such a policy heavily outweigh the risks. One thing is for certain: something needs to change, and soon.