Cyber Security Insurance in 2016
In an era of leaked embarrassing photos, confidential emails and digitally connected employees and customers, it’s no wonder businesses are rushing to cover themselves with cyber liability insurance. Here are some alarming statistics:
- Cyber-attacks are the greatest risk of doing business in North America (World Economic Forum Global Risks 2016)
- Data fraud/theft was ranked second by the WEF Global Risks Report
- In 2015, cyber-crime attacks cost US companies an average of $15 million a year (Fox Business)
- 43% of cyber-attacks in 2015 were against small businesses with fewer than 250 employees
- One in 5 small to midsize businesses reported being attacked on their computer network
However, cyber insurance is still relatively new. Many businesses wonder if they really need it, what it will cover and whether coverage will be enough to save their hides in the event of a major hack.
Isn’t a general liability policy enough? Not usually. Many plans specifically exclude coverage for cyber-attacks. If the policy is old, it might be more inclusive as the language for cyber-attacks might not have been known when it was designed. Business owners need to protect themselves by reading their policies closely and clearing up any questions with their insurance agent.
What Does Cyber Insurance Cover?
The more businesses depend on electronic data, the harder those assets are proving to be to protect. The insurance market has swooped in to protect businesses from internet-related risks such as hacking, viruses, data breaches and data recovery. Depending on the policy, areas of protection may include:
- Liability for website copyright infringement
- Periodic web security reviews to mitigate risks
- Reimbursement for hiring additional staff, filing fees and other costs of recovery from cyber attacks
- Business interruption protection, especially for small businesses
- Legal fees and legal aid, in case a data breach leads to legal action against a company
- Public relations help after a breach or other incident
- Customer credit monitoring services
- Criminal reward funds for ransomware attacks
Most major insurers now offer cyber insurance. A carrier may include cyber liability insurance in a business owner’s policy or offer it as an add-on.
While cyber insurance can mitigate the damage of cyber crime, breaches can still be costly enough to put a company out of business. The category of “cyber threats” is so broad that it’s impossible to thoroughly insure a business against them. Businesses need to prioritize their most crucial digital assets, and focus on insuring those. Companies should thoroughly understand their specific risk factors, based on industry regulations, number of online transactions, value of intellectual property and vulnerability to lawsuits.
This new type of insurance has a long way to go, and many gray areas. For example, insurers debate whether or not state-sponsored cyber crimes are covered, such as Russia’s alleged hack of the Democratic National Committee. Cyber security insurance is also weak on protecting intellectual property and self-inflicted attacks.
Who Needs Coverage?
According to a 2015 Market Watch story, the current market for cyber insurance policies is estimated at two billion dollars. And it’s growing. The frequent, well-publicized cyber-crimes against American businesses result in surges for insurers. Businesses of all sizes are at risk.
While large businesses make for the juiciest victims, small businesses aren’t safe either. Almost a third of cyber-attacks target small businesses, according to Market Watch. Small businesses are especially vulnerable to bankruptcy following a cyber-attack. With fewer employees to handle the aftermath, and often very small margins to ride out business interruption, an attack could easily decimate a small business.
Any business that handles confidential digital property from consumers is most at risk. Hospitals and other healthcare providers face staggering HIPAA fines if an attack knocks them out of compliance. Banks and other financial institutions obviously cannot afford security breaches.
The more business a company transacts online, and the more sensitive client records it stores, the more protection it needs against cyber-criminals.
Cyber Crime in Texas
Even the great state of Texas is not safe from cyber-attack. According to a 2016 Dallas Morning News survey, one-third of North Texas companies claimed to have been hacked in the past two years. Now 42 percent of North Texas companies say they have cyber insurance.
Major Dallas Retailers Breached
- Sally Beauty Supply
- Neiman Marcus
- Dave and Buster’s
- Michaels Stores Inc.
In 2013, stealthy hackers dipped into Neiman Marcus’ credit card payment system. Although the intrusion set off thousands of alerts in the company’s network monitoring system, the breach went undetected for a solid eight months. Finally, Neiman Marcus’ credit card processing company noticed the suspicious charges. The retail giant responded by creating a new chief information security officer position.
The North East Independent School District in San Antonio suffered ransomware attacks on twenty of its campuses. Ransomware holds data hostage while hackers demand a fee for its safe return, and the use of these attacks is on the rise in 2016. The San Antonio school district got lucky, and managed to retrieve its data without paying a fee. No sensitive student data was compromised – at least, as far as they know or are admitting.
Resolving a Claim from Cyber Insurance
Reviewing cases of cyber-attacks in Texas demonstrates that cyber security insurance does not always pay out.
Houston-based Ameriforge Group Inc. (DBA AFGlobal Corp) was hugely disappointed when its insurer, Federal Insurance Co., denied a 2014 claim. An Ameriforge executive was bamboozled by a criminal in China posing as AFGlobal’s CEO. The fake CEO requested secret money transfers, and the executive complied with the phishing scam. Federal Insurance Co. begged off paying the claim, saying the scam didn’t involve the forgery of a financial instrument, which the policy required. Now AFGlobal is suing Federal Insurance Co. At press time, the jury is still out on this one.
So what’s the takeaway? Cyber-security insurance is starting to be seen as a necessity among many businesses. Some industry regulatory bodies will probably soon require companies to carry cyber liability insurance policies. However, while they mitigate damage from cyber-crime, these policies can only go so far to protect a business. Companies need to take responsibility for ramping up their own cyber security, rather than relying on an insurance policy. Even if the policy covers financial losses and keeps a business afloat, the reputation damage and/or business time loss may prove insurmountable.
So businesses must focus on taking security precautions. Data encryption, 24/7 network monitoring, controlling access to data and having a strong disaster recovery plan can all help to minimize risk. As actuarial data in this area improves, companies with strong cyber security protocols may eventually be able to negotiate lower premiums with insurers. See the National Association of Insurance Commissioners’ principles of best cybersecurity practices.
Since cyber-attacks are a grim subject, let’s close with these grimly realistic words. As Dallas insurance broker Kara Altenbaumer-Price told the Dallas Morning News, there are two kinds of companies. “Those who have had a breach and those who don’t know they have been breached.”