Case 1: Sony Corporation Of America
2011: Criminals hacked into Sony Corporation of America’s (“Sony”) PlayStation Network.
77 million user accounts were hacked and personal and financial details were stolen.
By 2015, Sony’s losses had mounted to 2 billion USD (over and above the 15 million USD that Sony agreed to pay in a class action lawsuit over the breach).
Sony’s insurer Zurich American Insurance Co. refused to defend or indemnify Sony for any ‘data breach’ claims as third-party hacking incidents such as this one were not covered in Sony’s insurance policy.
Case 2: Yahoo Inc.
In 2013, Yahoo became the victim of one of the biggest data breaches in history.
3 billion user accounts were compromised and personal details, passwords and security questions and answers were stolen.
In 2014, a second cyber attack compromised 500 million user accounts.
These breaches knocked about 350 million USD off Yahoo’s sale price.
Verizon eventually paid only 4.48 billion USD for its purchase, a massive fall of 96 billion USD in Yahoo’s value compared with just two decades earlier.
In November 2016, Yahoo revealed that it did not have cybersecurity insurance at the time of the breach.
Case 3: Target Stores
In 2013, American retail giant Target Stores became the victim of a data breach.
The records of between 70 million and 110 million customers were compromised, and credit and debit card numbers were stolen.
Investigations showed that vulnerabilities in Target’s point-of-sale (POS) payment card readers were to blame for the breach.
18 million USD was paid in settlements by the firm, mainly for state investigations into the attack.
The estimated cost of the breach was 162 million USD.
Only 36% of the cost was covered by the firm’s cyber insurance policy as limits were not high enough to bear the rest.
What Is Cyber Insurance? Why Is It Needed?
As businesses become more reliant on the Internet, social media and smart technologies, organisations are becoming more vulnerable to cyber attacks. Breaches may cause moderate to severe losses for businesses and have long-term repercussions on their future. They may be launched by individual ‘black hat’ hackers, hardened criminals, company insiders or even rogue nation states. Irrespective of the source, organisations and business leaders increasingly believe that in today’s business environment, cyber crimes are not just likely but inevitable.
In simple terms, cyber insurance is a means to help organisations hedge against possible losses due to cyber crimes. It enables businesses to remain on a sound financial footing even if they are victims of potentially devastating security events that can compromise their network and lead to loss of sensitive data. These issues may be caused by ransomware, malware or distributed denial-of-service (DDoS) attacks or due to unauthorised hacking and theft of critical Personally Identifiable Information (PII) data.
Companies may not always be able to prevent or even control the risk of cyber attacks. However, they may be able to transfer it. This is where cyber insurance plays an important role in organisations of all sizes. Also known as cybersecurity insurance, cyber risk insurance or Cyber Liability Insurance Coverage (CLIC), cyber insurance can help a company mitigate the negative financial and business implications of cyber-related risks.
In the case studies above, if the companies had purchased cyber insurance, it could have protected them against such eventualities and helped offset the huge financial losses they ultimately faced. Yahoo and Sony had no cyber insurance at all; Sony, in addition, made the mistake of buying a policy that covered only ‘physical property damage’ and not ‘cyber damages’. Target did have cyber insurance, but it was not enough to counteract its huge losses.
The Costs Of Cyber Crime: Does My Firm Need Cyber Insurance?
Cybercriminals are getting smarter by the day and launching ever more sophisticated cyber attacks on financial platforms. So the short answer to the above question is: Yes.
A 2016 study by Deloitte, Beneath the Surface of a Cyberattack: A Deeper Look at Business Impacts, identified 14 business impacts of a cyber attack. These impacts are categorised as either ‘above the surface’ (well-known tangible or direct costs due to a breach of PII data) or ‘below the surface’ (less visible or hidden costs due to corporate espionage, theft of Intellectual Property or attempts to disable critical infrastructure). The report also found that these hidden costs can account for a whopping 90% of the total business impact on an organisation, not all of which is easily quantifiable or even well-understood.
Companies with a weak cybersecurity strategy are often poorly prepared for cyber attacks and their effects. In many cases, they rack up business interruption costs (as in the case of Sony) that far exceed the extortionate ransom payments demanded by cybercriminals. This is where cyber insurance can help the firm alleviate its risk exposure and offset its recovery costs after a cyber-related security breach. In addition, cyber insurance can also cover the costs of investigating the security event and pay the ransom in the case of ransomware attacks.
Some anecdotal evidence suggests that 9 out of 10 cyber insurance policies are bought in the US, indicating that American firms are aware of their vulnerability and are willing to take steps to address it by buying cyber insurance. In mid-2017, the cyber insurance premium market was valued between 2.5 and 3 billion USD (annual).
In a 2015 report Insurance 2020 & Beyond, PwC estimated that cybercrime costs the global economy more than 400 billion USD annually. However, American firms are not the only ones grappling with the high costs associated with cybercrime. Companies in Europe, Asia and the rest of the world are also vulnerable to the financial and other effects of cybercrime.
A 2017 report by Accenture found that there is close to a 30% year-on-year increase in the average number of security breaches in organisations worldwide. According to research by IBM’s X-Force, FinTech start-ups, in particular, are 65% more vulnerable to such malicious security threats than the average organisation across all industries.
The Accenture report also found that, in order to cope with cyber attacks and their effects, firms have to bear a 23% year-on-year increase in the cost of cybersecurity and crime prevention. In its Insurance 2020 & Beyond report, PwC also forecast that, to deal with the increasing costs of cybercrime, the total annual value of premiums will rise (indicating greater adoption of cyber insurance), touching a massive 7.5 billion USD by 2020.
Contrary to popular belief, small businesses are not safe from cyber threats. In 2015, Symantec found that over 30% of phishing attacks were launched against firms with fewer than 250 employees. Even worse, small firms were the target of 43% of all cyber attacks in the same year.
If a costly security breach occurs in your company and you don’t have the resources to combat such attacks, you may not be able to recover the losses and still continue in business. The financial impact may be long-term or, worse, permanent. Even if you have general liability insurance, it may cover only property damage, leaving you to pick up the pieces in other damaged areas. Cyber insurance solves this problem. In addition, it often covers both first-party losses and third-party claims and can thus provide a firm with the wherewithal to deal with such attacks so that its business is not permanently crippled.
What Kind of Expenses Are Covered Under A Cyber Insurance Policy?
Most cyber insurance plans are personalised to help an organisation mitigate specific cybersecurity risks. They usually cover a range of losses that may arise in the aftermath of a cyber attack, including income loss due to business interruption, network downtime, or time lost during data recovery or reputation repair efforts. They also protect companies against ransomware attacks by paying the ransom demanded by the attacker. Some plans may also offer coverage for physical damage to hardware infrastructure. Often, cyber insurance plans cover the costs of investigating a breach by a law enforcement agency or a third-party security firm.
A cyber insurance policy may also cover the costs of notifying users whose data has been breached or stolen, arranging credit monitoring for these affected users, and hiring a specialist agency such as a PR firm to mitigate damage to the company’s reputation. In some cases, a policy may also include coverage for potential legal action (regulatory fines, lawsuits, legal settlements) brought by affected users against the company.
The amount of coverage provided depends on a number of factors, including the cyber insurance provider and the company itself. The premium amount may vary depending on the type and extent of the breach covered. For example, in 2017, Sciemus (rebranded Occam Underwriting in 2018), a London-based cyber insurer, said that it charges around 100,000 USD for coverage of 10 million USD in the case of data breaches, but as much as seven times this amount to cover attacks that cause physical damage.
A Useful Checklist For Potential Cyber Insurance Buyers
The cyber insurance industry is still evolving, mainly because cybercriminals and cybercrime are also evolving. However, in many countries, a number of insurers offer cyber insurance policies. This breadth and depth in the industry give buyers the opportunity to compare different available options and then choose the policy that suits them best.
Asking the questions below will provide a systematic way of finding out what’s available and what’s suitable.
Before doing so, however, a good starting point is to first create a ‘cyber risk profile’ for your firm and also create a list of possible expenses and estimated third-party costs you want coverage for in case a security incident occurs.
Then you can begin researching insurance providers and products using the checklist below:
- Is the policy customisable to my firm’s specific security needs? Does it cover specific attacks targeted against my firm or any non-specific attack to which my firm may fall victim?
- Is the coverage an extension to an existing policy or is it stand-alone? Which one is more comprehensive and therefore better for my firm?
- Does it cover both first-party and third-party claims? What is the coverage amount? What are the limits?
- What are the deductibles?
- What is the time frame during which the coverage will be applicable? Only immediately after a security breach or even a few months or years after?
- What kind of cyber attacks does it cover apart from data breaches? Network attacks? Social engineering threats such as phishing or advanced persistent threats? Non-malicious actions taken by one or more employees?
Cyber insurance cannot protect an organisation from cybercrime or even prevent it. However, it can complement its cybersecurity strategy and provide the means to design a more holistic cyber risk management plan. It can mitigate the damage caused by security breaches and keep a company going in spite of business interruption and financial losses.
Before issuing any policy, cyber risk insurers analyse the strength of a company’s cybersecurity posture. An organisation that has done a self-assessment of its vulnerability to cyber attacks (threat assessment plus an assessment of security weaknesses) can not only improve its security but also get better coverage and cheaper insurance premiums.
Therefore, it is in the organisation’s best interests to invest in appropriate cybersecurity solutions and stay updated on the evolving nature of cybercrime. Self-awareness (“what are our security weaknesses?”), self-protection (“what can we do to address these weaknesses and stay safe?”) plus cyber insurance (“are we still protected if our safety precautions are not enough?”) must be the three main pillars of a firm’s security strategy.