In November and December 2013, the US retail chain Target came under attack. Over a number of weeks, Russian hackers succeeded in stealing credit card numbers, secret codes and the personal data of tens of millions of customers by attacking the chain's points of sale. Investigative efforts lasted several months, alongside lawsuits against the company on the scale of tens of millions of US dollars. Last July, the chain announced that the losses to shareholders as a result of the attack amounted to US$ 148 million. “Luckily” for Target, it held cyber insurance with a premium of US$ 100 million.
Every organization is exposed to risks, be they weather-related, economic or physical. If those risks materialize, they have numerous implications for the organization, including economic implications that in some cases can be substantial. With the evolution of cyberspace and the dependence of organizations on its uninterrupted operation, new types of risk have emerged. Because these risks pertain to information systems and computer-controlled infrastructures, they have compelled organizations to prepare differently and to treat them as a major element of their risk management process. Since the risks in question are numerous and diverse, and the rate at which they develop and at which weaknesses are discovered is very high, risk management has become very complex, and risks are appraised frequently and periodically through an extensive range of tools and consultants. What happens when an organization has identified its risks but lacks the resources required to reduce their severity, or when the realization of a risk would exact an economic toll the organization estimates it could not bear? This is where a new insurance product developed over the last few years comes into the picture: cyber insurance.
Insurance is a way for corporations to reduce the economic risk of a threat materializing by transferring that risk to an external party. When things go wrong, the cost can be high, so insurance “assumes” the financial risk on behalf of the organization. An insurance policy provides the business with cover for an extensive range of costs the organization would have to incur if the risk materialized, thereby giving the insured party some degree of security in the event of a serious incident. The same principles apply to cyber incidents, where insurance can offer significant added value. Cyber insurance was created to indemnify businesses for their obligation to secure the private or confidential information of third parties, mainly in connection with two types of incident: disruption of business operations as a result of an attack on computer systems, and incidents involving information security and privacy. Cyber insurance is distinct from technology errors and omissions insurance (Tech E&O), which is intended primarily for companies that develop software products.
Cyber insurance policies address the losses incurred by a third party or by the first party (the company attacked) owing to an incident normally defined as “unauthorized intrusion into the insured party’s information systems”. Insurance for third-party losses covers the losses of parties other than the insured party, and the insured party is often obliged by law to hold it, much like third-party car insurance. This type of insurance is also known as a liability policy. Insurance for first-party losses covers incidents where the insured party itself incurs a loss and the insurance company indemnifies it for that financial loss. This type of insurance is also known as an indemnity policy.
It is important to stress that Technology Errors & Omissions insurance is third-party insurance. Until recently, cyber insurance was also third-party insurance. With the realization that a company under attack incurs direct losses, the category is gradually shifting toward first-party insurance, which is the most significant change in this field right now. A good cyber insurance policy should cover third-party damage (loss of credit card data, exposure of third-party intellectual property, etc.) as well as direct losses incurred as a result of the attack (response and investigation teams, legal fees, etc.).
Cyber insurance is not a new product. Insurance companies like Betterley started selling cyber insurance policies as far back as 2000. What is new is that cyber insurance has become a primary element of commercial insurance portfolios, mainly in the USA.
Today, the cyber insurance policies on offer include cover in the event of a cyber warfare attack (for example, a denial-of-service attack); cover for crisis management and recovery costs (forensics, public relations, advertising and rehabilitation of the company’s reputation); cover for the loss or corruption of data (information integrity); cover against unauthorized access to information systems, the expenses associated with it, and the legal liability stemming from the exposure of data from compromised databases; and cover for the legal fees and compensation payable to customers as a result of a cyber warfare attack or exposure of information.
New Risks for Insurance Companies
The cyber insurance market is growing. Today, more than 50 US corporations offer cyber insurance, and the market is expected to reach US$ 2 billion in insurance premiums by the end of 2014. Why, then, are insurance companies apprehensive about entering this field? There are many reasons. For the insurance companies and their reinsurers (the companies that insure the insurance companies), it is a relatively new risk. For more insurance companies to become interested in entering the field and to develop a healthier appetite for the risk, underwriters need to overcome a number of hindrances.
Insurance cover for a cyber warfare attack could cost the insurance company millions of dollars in the event of a significant attack, like the attack against the Target Company, which has thus far cost more than US$ 148 million (not including the dismissal of the CEO and the drop in the Company’s share value).
Other potential hindrances:
Adverse selection – it is reasonable to assume that prospective insured parties know more about their own methods of operation and the weaknesses of the information systems they use than the insurer does. This is a market failure that stems from information asymmetry between the insurer and the insured party.
Moral hazard – insurance companies are concerned that some insured parties that have acquired cyber insurance may not take sufficient, or even essential, measures to reduce the probability of a cyber incident simply because they have insurance cover.
Lack of data – insurance companies invest a lot of money in risk analysis models in order to price their insurance premiums. In the cyber field, the available information is not sufficient to evaluate the risks properly and set premiums such that the insurance companies do not assume excessive risk. Insurance companies know very well how to cope with force majeure risks, but they are much less adept at coping with cyber risks that are the product of a foreign state's capabilities.
Additionally, the insurance companies expect to see some government support and encouragement. In this regard, the British government was among the first to recognize the importance of insurance to cyber defense. Last November, the British cabinet issued a memorandum stating that the British government “believes cyber insurance has a strong role to play in helping firms outside of the critical national infrastructure to manage their cyber risks efficiently.” Together with the industry and insurance companies, several working groups were established to review, over the course of 2015, how insurance may be used as a catalyst to improve cyber protection for small and medium enterprises, to develop insurance response models for cyber warfare attack incidents, and to review the role of insurance in minimizing the consequences of an attack against national infrastructures.
Who Needs Cyber Insurance and Is It Really Beneficial?
The prevailing skepticism notwithstanding, cyber insurance is a good product that can help an organization once it has encountered a crisis following a cyber warfare attack, and such crises are likely to occur. Cyber insurance policies are essential for any organization that holds massive amounts of third-party information, including financial, private or medical information. Good cyber insurance should help the organization not only with money, but also with the extensive knowledge some insurance companies possess, as they have developed specialized know-how for dealing with cyber incidents. At this time, companies that acquire cyber insurance may be divided into two primary categories: those financially solid enough to purchase a cyber insurance policy and those compelled to purchase one by a third party. The cyber insurance market is expected to expand, mainly toward the small and medium enterprises that currently cannot afford costly technologies, highly skilled personnel and the services of leading consulting firms. These enterprises will probably seek insurance in order to transfer part of the risk they have to cope with. This move will improve their cyber defense, and the sooner they make it, the better.
Ram Levi is the founder and CEO of the Konfidas consulting firm and a co-founder and partner of London Cyber Security. He serves as the cyber consultant to the National Council for R&D at the Ministry of Science & Technology and as a senior research fellow at the Yuval Ne’eman Workshop for Science, Technology & Security.
Contributing writer: Malcolm Randles, co-founder and partner of London Cyber Security, an insurance underwriter and international expert on cyber insurance.