This article is part one of a four-part series on cyberinsurance. Part one addresses the need for cyberinsurance. Part two will discuss how to assess your company’s cyber exposure and select the right coverage. Part three will cover the complex cyberinsurance application process. Part four will complete the series with advice on how to manage a cyberinsurance claim to maximize your company’s insurance recovery.
Yahoo. Target. Home Depot. LinkedIn. Verizon. Wendy’s. Premera. Bethesda Game Studios. Cottage Health System. 21st Century Oncology. Natural Grocers. Drupal. Kirkwood Community College.
What do these companies have in common? They have all suffered a data breach or cyber-related security incident in recent years. Some of these companies are household names with global brand recognition. At this point, with an increased media focus on data breaches over the past several years, most know that large, public-facing companies face substantial cyber risks and need some form of cyberinsurance.
But there are other companies on this list that are not household names. Small and medium‑sized companies have been affected, too.
The 2016 Internet Security Threat Report identified increased targeting of small and medium‑sized businesses over the past five years. In 2011 and 2012, small- and medium‑sized businesses accounted for 50 percent of targeted phishing attacks. In 2013, 61 percent; 2014, 59 percent. In 2015 (the last year included in the report), 65 percent of targeted phishing attacks were directed at small- and medium-sized businesses. A broader view reveals the motivation behind this increase: The 2016 Verizon Data Breach Investigation Report found, unsurprisingly, that hackers are primarily motived by money, and as larger companies devote more resources to cybersecurity, smaller companies may present a better ROI comparatively.
Despite this fact, a recent Advisen report on Cyber Market Trends noted, “most clients do not feel they would be subject to a cyber-attack” and that there “is still a need to educate agents and customers regarding need, especially in small businesses.”
How is my company at risk?
Brian Krebs, noted cybersecurity journalist, recently offered a theory in “Cybercriminal Code of Ethics” that perhaps best answers this question (read in your best bad guy voice): “If you hook it up to the internet, we’re gonna hack at it.” While this "if you build it, they will come” approach may sound alarmist, privacy and security professionals know that hackers are persistent, clever, and determined. They will eventually find a way through most defenses. A nuanced understanding of cyber and privacy risk must include the recognition that even a robust risk-management program cannot ensure that there will never be an incident.
Quite simply, your company is at risk because it employs people.
Good risk management is about identifying and understanding risks, reducing exposure, and effectively managing the incidents that manage to slip through the cracks. The exact risk varies case by case, but every company has employee data that can be stolen or compromised. Most companies have devices with sensitive data that could be lost or stolen, even well-trained employees are at risk of social engineering and sophisticated phishing attacks, disgruntled employees can wreak havoc at a moment’s notice, and poor password hygiene by users can lead to aftershock exposures from past breaches of other systems. These risks can only be reduced to a certain point, because they all stem, at least in part, from an unavoidable risk: human error. A 2014 study of cyber incidents by the U.K. Information Commissioner’s Office found that only seven percent of cyber incidents were the result of a technical exploit. The other 93 percent resulted from exploiting human error.
Quite simply, your company is at risk because it employs people.
It is axiomatic that you cannot prevent all risks, so a good cyberinsurance policy is the first step towards effectively managing the risks you cannot prevent.
An effective cyber-incident response — whether the incident is a potential network intrusion, a lost smartphone, or an accidental disclosure of user information —requires a plan and the resources to implement that plan. Ideally, your company has a cyber-incident response plan in place already (and if it does not, educate yourself on incident response and implement a plan now), but your company, especially if you work for a small or medium-sized company, may not have cash on-hand to fund the implementation of your carefully designed response plan. Response plans cost money. You may need data and forensic specialists, IT professionals, crisis-management experts, attorneys, and other incident-specific hard costs. The 2016 Ponemon Cost of a Data Breach Study determined the average consolidated total cost of a data breach is $4 million, and the average cost per lost or stolen record is $158.
Data breaches, while the most heavily reported potential incidents, are far from the only potential exposures. Regulatory investigations and fines can easily reach millions of dollars. For example, in August 2016, Advocate Health Care Network paid a $5.5 million fine for HIPAA violations, and in February 2017, Vizio paid a $2.2 million FTC fine for spying on U.S. customers. Additionally, the reported fines do not include the cost of responding to investigations, legal fees associated with the response, and the cost of complying with the consent decree accompanying the fine.
Further still, if the cyber incident runs your company afoul of Payment Card Industry (PCI) Data Security Standards, your company could face substantial penalties as well. Finally, any cyber incident could result in brand damage, sales reductions and outages, and other soft costs that reduce revenue over the short to medium term.
In short, responding to a cyber incident — regardless of the cause — costs money. The right cyber policy can provide your company with the resources it needs to respond to those losses.
The typical cyber policy includes coverage for both first-party losses (i.e., costs your company incurs directly as a result of a covered event) and third-party liability (i.e., the defense and payment of claims against your company as a result of a covered event). Available first-party coverages include remediation of a cyber incident, regulatory fines and penalties (including associated defense costs), PCI fines and penalties, and business interruption caused by a covered cyber event. Available third-party coverage includes claims by a third-party for breach of privacy, misuse of personal data, defamation, or transmission of malicious content related to a covered cyber event.
Not all insurers offer all coverages, however, so selecting the proper carrier and purchasing the correct coverage is essential. Part two of this series will address how to conduct a cyber-security coverage review and select the coverage appropriate for your company.
Republished with permission. This article, "Why your company needs cyberinsurance" first appeared in The Privacy Advisor on February 28, 2017.