Join us for this year's MIPS Made Easy Webinar Series!

«  View All Posts

3 MIN READ.

The Rise of Cyber Insurance: A World at (Cyber) War

By: Nextech | March 30th, 2015

The Rise of Cyber Insurance: A World at (Cyber) War Blog Feature

spearphishingSome readers might remember the Anthem data breach, in which around 78.4 million people had their records compromised, that I briefly mentioned at the start of our cybersecurity blog series.  At the time, the cause of that breach had not yet been made public. By a funny (or, perhaps not so funny) coincidence, it turned out to be the result of spear-phishing (which that article covered) and was further compounded by factors such as Anthem’s lack of data encryption and their poor password security practices.  One would think that the catastrophic and very public data breach at Anthem would have served as a strong warning to other such organizations, and that they would have taken steps to prevent the same from happening to them.

Spoiler alert… They didn’t.

Just last week, Premera Blue Cross announced a massive data breach that compromised both the bank account details and clinical data of 11 million individuals.  The scariest (and, in a way, most ridiculous) thing about this incident is that the hackers used pretty much the exact same method that was used to breach Anthem—spear-phishing.  In fact, this has led some to speculate that the same hacker group is responsible.  Some have pointed the finger at the China-based cybercrime group Deep Panda who are known to use similar methods, though their involvement has yet to be concretely proven.  We now know that, in the Anthem breach, the hackers used spear-phishing emails that contained a spoof domain—We11Point.com, which looked very similar to Anthem’s former name, “WellPoint”—and managed to trick a number of employees into logging in on the bogus website with their credentials.  This gave the infiltrators all the keys they needed to lay siege to Anthem’s kingdom.  And boy did they siege it, at an estimated cost in excess of $100 million for the health insurance giant.

It pains me to tell you this, but it gets worse… So unbelievably worse.

Back in 2013, you see, Anthem actually refused to allow a federal watchdog agency to perform a security audit on their systems (and, just recently, they refused to give them permission yet again).  And the situation with Premera was no better.  As a matter of fact, back in April 2014 (well before the data breach), a federal audit revealed a number of serious network security vulnerabilities to the company.  And just what, do you think, Premera did with this important knowledge?  Nothing… Absolutely nothing.

I’ve stated this many times, and I’ll state it again—

Even the most advanced cybersecurity technology in existence is powerless to stop the single most prevalent and serious threat to any system… human behavior.

The same thing occurs with automobiles, if you think about it.  So many safety features and new technologies have been created to prevent auto accidents—antilock brakes, backup cameras, proximity sensors, intelligent parking assist systems, and even auto-braking collision prevention systems. And yet, in 2013 alone, 32,719 people were killed and 2.3 million injured in automobile accidents in the United States (not to mention there were over 4 million property-damage-only crashes).  This is because, as with cybersecurity tools, none of the available technology can totally counteract the sometimes shocking capacity that certain humans have for making terrible decisions (until we all finally get self-driving cars, that’s unlikely to change).

This is why everyone is supposed to have car insurance.  Because statistics have proven that we all need it, and that we also all need other people to have it (because other people are usually the problem, right?).  The average driver (no matter how safely he/she drives) is involved in a vehicle collision at least once every 17.9 years, whether or not he/she does anything to cause it.  Once again… human error is a tough thing to deal with, because we have no control over the actions of other people.

The statistics when it comes to cyberattacks are even worse than those for automobiles.  A recent study found that 20% (1 in 5) of all small businesses are now victimized by cybercriminals every year.  They also found that 60% of those who are attacked will be out of business in six months or less.

Therefore, perhaps it should come as no surprise that a new service has arisen in recent years to address the financial risks of cyberattacks and data breaches—cyber insurance.

The Rise of Cyber Insurance

Businesses spent roughly $2 billion on cybersecurity insurance (other names it’s sometimes called by) in 2014, which is almost double what they spent on it the previous year.  Beazley, one of the biggest players in the cyber insurance market, reported that the number of cyber insurance policies they held increased 150% between 2012 and 2013.  From 2013 to 2014, Beazley reported that their cyber insurance policy numbers grew another 100%.

cyberinsurance

In the early days of cyber insurance, however, there were some who considered it an unnecessary overreaction or a wasted financial investment.  The events of the last two years, however, have silenced nearly all doubters and cyber insurance firms are now having trouble keeping up with the near exponential growth in demand for coverage.  Why the big spike?  Cyberattacks are nothing new, after all.  Hackers have been hitting various industries for decades.  Why has there been such a drastic increase in demand for cyber insurance over just the past few years?

Well… as is often the case with such things, it’s all about the money.

To put it simply, the financial impacts of today’s cyberattacks continue to reach unprecedented proportions.  Many big corporations have already been “caught with their cyber-pants down” by the monetary losses they’ve sustained in such incidents.  Take, for example, the data breach of the Target network.  Before the breach, the retail chain had already invested $1.6 million dollars in an advanced malware detection software.  However, cybercriminals got around this by just stealing the network login credentials of a careless private contractor working for Target (yet again… we see how human error trumps technology).  This allowed the intruders to breeze right through any of their network security without being detected.  When all was said and done, they’d made off with 40 million credit/debit card details and the personal information for 70 million Target shoppers.  The incident cost a total of $248 million.  Target, by the way, had cyber insurance.  However, since they did not view it as a priority, they got a rather inexpensive policy with a high deductible and low payout.  They also failed to maintain the security standards set down by their policy, especially in password management, which meant they only qualified for a partial payout.  Target’s cyber insurance provider only paid out $90 million, forcing the retail giant to foot the bill for the remaining $158 million.

The same thing happened with the Sony Pictures hack (remember that?).  The film studio continues to retain $60 million in cyber insurance coverage with Marsh.  That proved to be far too little when, in an attempt to prevent the release of The Interview, Kim Jong-un decided to go full-on-Bond-villain and unleashed an army of hackers that tore their network to pieces.  The film alone cost Sony Pictures roughly $80 million dollars to make, and that has been a total financial loss for the company.  Then there are the costs of repairing the actual damage—to their network, devices, infrastructure, brand reputation, employee retention, etc.—caused by the incident, which most figures put at around $100 million.  Let’s do the math on that.

($80 million + $100 million) - $60 million = $120 million that Sony Pictures will likely never recover.

Even the earnings from the film’s modest box office run probably won’t recoup any of these losses, as this revenue is expected to be eaten up by a lawsuit that’s been filed against Sony Pictures by two former employees as a result of the hack.  The suit accuses Sony Pictures of willful negligence, and many expect the company will settle out of court to avoid exposing their brand reputation to further damage.  However, their losses could have been far less if Sony Pictures had only bothered to secure a more appropriate amount of cyber insurance coverage.

This bring up an interesting question: Just what is considered an “adequate” amount of coverage for a major corporation like Sony or Target?  Opinions vary.  According to the Financial Times, however, large corporations (who, time has proven, have plenty to lose in a cyberattack) should have policies with a minimum of $1 billion in coverage.  There’s only one problem with this… there are no cyber insurance firms that currently even offer that level of coverage.  Those days are likely coming, however, and hopefully they are coming soon.

The upside to all this is that, unless you are a major corporation with thousands of employees and billions in annual revenue to worry about, you definitely do not need anywhere near that much coverage.  However, cyber insurance is definitely something that any small business or private medical practice should consider, especially those of you who maintain BYOD environments.

The Department of Homeland Security (DHS) has already begun setting guidelines and hosting workshops for cyber insurance providers, in order to facilitate the growth of this quickly expanding and highly needed service, stating that “Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. A robust cybersecurity insurance market could help reduce the number of successful cyberattacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection” (DHS.gov).  

When it comes to purchasing cyber insurance, as with any other form of insurance, one has to know the dos as well as the don’ts.  There are a lot of things to consider, watch out for, and/or avoid—premiums vs. deductibles, unexpected/hidden coverage exclusions, hardware requirements, policy restrictions, and more.  In the second half of this series, we will take a closer look at the details of cyber insurance policies so that, when and if you decide to invest in this new form of asset protection, you will be able to do so from an informed perspective.