STAYING ON THE ATTACK
By Paula Green
Companies must beef up their cybersecurity coverage as the risk of disruption continues to skyrocket.
Multinationals’ dependence on insurance to cover the risk of cyberattacks is expanding in line with their increasing reliance on technology for everything from invoicing to using contemporary interactive social media sites to engage customers. As cyberattacks become more frequent and severe and more governments around the world pass data-breach disclosures laws, the need for solid insurance coverage to plug potential financial losses is increasing.
“This risk is growing in severity faster than organizations can design interventions to manage it,” says Julia Graham, chief risk officer for global law firm DLA Piper. “This can be a risk without conventional boundaries, and it does not respect borders.”
Risk managers have to prepare for an electronic Pearl Harbor and a zero-day attack, says Emily Cummins, chairperson of the Technology Advisory Council at the Risk and Insurance Management Society. Referring to the Japanese attack on the US Naval base in the Hawaiian Islands in 1941, Cummins says a Pearl Harbor attack means preparing for the physical destruction, loss of life and technology malfunctions after a terrorism attack. A zero-day attack refers to a malicious software strike against an industry that would create financial havoc by knocking out a company’s technology platforms. She offers as an example a malware triggered by an employee’s click of the mouse when opening a PDF file.
While financial institutions, especially those of US origin, have been the target of more, and increasingly severe, attacks by hackers in China—and, allegedly, government-sponsored attacks from Iran and North Korea—security experts unsurprisingly advocate ample security measures for all industries.
“Denial of service, theft of personal data and industrial espionage [that] steals many years of expensive research can all be massively expensive losses,” says Mark Akass, chief technology officer, global banking & financial markets, at BT Global Services, London. “For the finance community the threats are material, with the added issue of accountability for protecting client data from fraudulent use. Regardless of the differing attitudes of certain nations, the default position must be to protect your business wherever you are, assuming threats will and do come from many sources, local and international.”
And as employees increasingly use their own cell phones, laptops and other mobile devices to carry out company tasks onsite or from home offices, multinationals need adequate security—and insurance cover—for the advent of so-called BYOD: Bring Your Own Devices. Greater efficiencies can mean greater vulnerabilities. “The security officer must consider corporate and personal devices accessing corporate data,” says Akass, adding that the data has to be secured independent of the specific device. “This is not trivial, and many corporations are still grappling to get the balance right. Add on the regulatory obligations to protect client data and ensure business continuity, and this has naturally become a major focus all the way up to board level.”
Kalinich, Aon Risk Solutions: Stronger data disclosure laws will undoubtedly push more multinationals to make use of cyberliability cover
While most states in the US already have data breach disclosure laws in place, the European Union is still ironing out legislation that would force a company to tell its customers or clients about any breach of data within a relatively short time frame.
“Europe has been stronger on the front-end regulations,” notes Erica Constance, division director of the cyber risk practice, London, at insurance broker Willis, referring to European laws that protect the privacy of an individual’s data and regulate how technology companies and others can use the data.
Right now the European legislation, which isn’t expected to kick in until 2016, would force a company to disclose any data breach within 72 hours, Constance says. That time frame could be expanded—the legislation originally called for a 24-hour notification deadline.
The trend toward stronger data disclosure laws, such as the pending legislation in Europe and Australia’s mandatory data disclosure laws that will take effect next year, will undoubtedly push more multinationals to make use of cyberliability cover, according to Kevin Kalinich, global practice leader for cyberliability at Aon Risk Solutions.
MANAGING THE RISK
This prospect is even prompting risk officers to sharpen their directors’ and officers’ liability coverage as corporate reputations and those of its executive officers are on the line, says Kalinich. But traditional commercial insurance policies that were developed years ago do not typically cover these newer exposures, and an endorsement to the traditional cover is crucial.
Ken Goldstein, vice president and worldwide cybersecurity liability manager of Chubb Group, says cyberliability insurance—whether labeled cybersecurity or network security and privacy—has to address the third-party liability claims as well as the first-party expenses stemming from a cyberloss.
Another useful tool in the arsenal of the corporate risk officers is an incident response plan—a blueprint to guide them through a data breach. They may develop it themselves or tap into the plans devised by insurers to help clients and minimize their own risks. Chubb, for example, offers all of its cyberliability insureds access to Chubb’s eRisk Hub, a Web portal to help prevent and respond to cyberlosses. Companies can use an online template provided by Chubb to help them build a plan.
In addition to being armed with sophisticated security systems, more companies of all sectors and sizes are tapping into insurance coverage. Industry observers agree its use has moved beyond the longtime customers found among financial institutions and healthcare companies, which harbor huge amounts of confidential data. Now retailers, service providers and hotels are on board, as they depend upon technology to carry out their business functions and transactions with customers.
The price tag accompanying a policy depends upon the size of the insured company, the industry and other variables. For small and middle-market businesses with average limits of $5 million or less and average retentions of $15,000 or more, the price of a cyberliability policy could be $2,500 to $15,000, Goldstein says. For a large business with $5 million to $10 million in primary limits and average retentions of $50,000, a policy could run from $20,000 to $25,000 for each million in coverage. A large company’s retention can vary from $50,000 to $5 million, says Constance, and can hinge on various factors, such as its size, the type of business and its appetite for risk.
The insurance industry has had no trouble keeping up with increasing demand. Two years ago, notes Constance, there were about eight insurers in the market: Now there are about 30.