Insuring Data Loss
Historically, one of the most catastrophic risks to cities was fire. Prior to the modern concept of fire departments, most businesses and residents relied on private departments that they funded to come put out the blaze, should the need arise.
In 1751, Benjamin Franklin created the first fire company in the U.S. colonies to sell fire insurance: the Philadelphia Contributionship.
Participants in Philadelphia paid fees that were then used to cover other participants’ fire-related losses, according to Allstate. The first year of the contributionship, 143 policies were purchased to cover a seven-year period. None of the insured properties caught fire during that time.
As time went on, society made greater strides in fire prevention, and insurance carriers gathered data on these measures to assess how they reduced or increased the risk of fire, adjusting premiums accordingly.
However, one of the newest forms of insurance on the market has forged a different path. Cyber insurers are still in the process of amassing data to price risks for a cyber incident that results in data theft—and no company has data to price risk for destructive attacks, according to Robert Knake, Whitney Shepardson senior fellow at the Council on Foreign Relations (CFR).
“Moreover, insurers do not typically offer premium reductions in exchange for improving cybersecurity practices,” Knake wrote in a cyber brief for CFR’s Digital and Cyberspace Policy Program. “This market decision reflects a sad reality for the cybersecurity industry: there is no clear consensus on which cybersecurity practices work and which do not, though some insurers are developing closer relationships with cybersecurity providers in order to access information necessary to accurately price risk.”
Despite being unable to accurately price risks associated with cyberattacks, the cyber insurance market is projected to grow from approximately $2.75 billion to $7.5 billion by 2020, according to PricewaterhouseCoopers’ (PwC) Insurance 2020 & Beyond: Reaping the Dividends of Cyber Resilience.
“Businesses across all sectors are beginning to recognize the importance of cyber insurance in today’s increasingly complex and high risk digital landscape,” the report explained. But this awareness has been coupled with skepticism about the true value of cyber insurance.
“Given the high costs of coverage, the limits imposed, the tight terms and conditions, and the restrictions on whether policyholders can claim, many policyholders are questioning whether their policies are delivering real value,” said Paul Delbridge, an insurance partner at PwC, in a statement on the report.
Cyber insurance is a relatively new concept in the insurance world that got its start in the 1990s. Businesses started to look to the insurance market to cover risks associated with e-commerce, but found that none of the existing insurance models were relevant, says Graeme Newman, chief innovation officer at CFC Underwriting.
“The worry wasn’t that the building would burn down, or that they wouldn’t be able to trade on their physical premises, it was that their systems would go down and they wouldn’t be able to trade,” he explains. “Their biggest asset was their data…. They wanted a product they could use to insure that data—and that’s where cyber insurance was born.”
Cyber liability policies were created to cover identity theft, business interruptions when hackers shut down a network, damage to a business’s reputation, and costs associated with damage to data records caused by a hacker. Policies can also cover the theft of digital assets, malicious attacks via computer code, human errors that disclose sensitive information, credit monitoring services, and lawsuits, according to the National Association of Insurance Commissioners.
In the late 2000s, society began to see a major shift in crime with physical crime morphing into cybercrime—phishing scams, business email compromise, ransomware, and more. This helped push cyber insurance as more of a mainstream line of insurance, Newman says, and health institutions are leading the way.
Hospitals generally have “lots of sensitive patient data on generally old, legacy IT systems with good risk management departments but little idea about IT security and really high penalties from regulators,” Newman adds, especially in the United States under the Health Insurance Portability and Accountability Act (HIPAA).
Retailers were the next major vertical to begin purchasing cyber insurance following the string of mega breaches at Target, Home Depot, and Neiman Marcus in 2013 and 2014 when hackers targeted retailers to acquire customer payment card information.
“That got the retailers to purchase cyber insurance, and we saw financial institutions buying cyber insurance,” Newman says.
This activity has created a cyber insurance market worth roughly $3 billion today, with 90 percent of all cyber insurance purchased in the United States. This is for a variety of reasons, including the aggressive class action lawsuit culture in the United States, state attorneys general who have taken a tough stance against businesses that compromise consumer data, and regulators who can levy fines under the law.
“When a business loses data, you’ve got a whole load of ambulance chasers trying to make a buck out of it,” Newman says. “They’ll bring lawsuits against businesses that lose data.”
Despite these motivators, however, only 25 percent of U.S. businesses and 2 percent of U.K. businesses have purchased cyber insurance policies. This could be because of the price of premiums due to the limited data on the scale and financial impact of attacks, according to the PwC report.
“Insurers and reinsurers are charging high prices for cyber insurance relative to other types of liability coverage to cushion some of the uncertainty,” the report explained.
PwC’s former U.S. Cybercrime and Breach Response Senior Managing Director Don Ulsch saw this in action just two years ago. One of his clients, a global manufacturing firm, attempted to buy cyber insurance and found that the carrier would only provide $1 of coverage for each $1 in premiums. The client ultimately purchased the policy because it felt it was necessary to meet U.S. Securities and Exchange Commission (SEC) guidelines, Ulsch says.
“As you start looking at what your requirements are as an SEC registrant, you will likely start looking at cyber insurance,” he explains. This is because in 2011, the SEC released guidance on cyber insurance and has since adopted a prebreach‑centric approach to managing cyber risks—meaning that boards have informed investors and shareholders how they will manage a cyber risk in the event of a cyber breach.
And for those carriers that do issue cyber insurance policies, PwC found that they are putting a ceiling on potential losses through restrictive limits, exclusions, and conditions. For instance, common conditions include state-of-the-art data encryption or 100 percent updated security patch clauses, which are difficult for businesses to maintain.
Another area that may be stalling actual growth is confusion over how to cover new risks associated with cybersecurity. One area that Ulsch says carriers are still assessing is how to cover a physical event that stems from a cyber incident.
For instance, Internet of Things devices at a restaurant could be compromised, allowing a hacker to leverage them in an attack that causes a gas line in the restaurant to malfunction, resulting in an explosion.
Since an incident like this would cause bodily injury and property damage, “should that be an extension of cyber insurance?” Ulsch asks. “Or should it be part of your commercial general liability insurance? How does it get covered?”
This is one of the big questions that insurers have today in response to new kinds of cyberattacks that are emerging on an almost daily basis. “This is something that is relatively new, but it’s growing in significance,” he adds.
One development that might help spur the adoption of cyber insurance policies, however, came in December 2016 when the U.S. Department of the Treasury issued guidance in the Federal Register that included these policies in the Terrorism Risk Insurance Program (TRIP).
TRIP was initially created in the aftermath of 9/11 as part of the Terrorism Risk Insurance Act (TRIA) as a federal stopgap to allow private companies to purchase terrorism insurance. Under the program, the U.S. treasury secretary and the attorney general can certify an event as an act of terrorism. If damages from the act exceed $200 million, TRIP is triggered to cover the remaining losses.
Before 2016, there was confusion as to whether TRIP would be triggered for cyber incidents. To clarify, Treasury issued the new guidance confirming that “stand-alone cyber insurance policies” reported as “Cyber Liability” are included in the “property and casualty insurance” under TRIP.
Security Management reached out to Treasury for further explanation about the guidance, but it did not return requests for comment.
Adding cyber insurance to TRIP is a step that Knake recommended in his cyber brief, published prior to Treasury’s guidance. He advocated for the creation of a federally sponsored cyber insurance program.
“The federal cyber insurance program should be developed under TRIP…given that much like terrorist attacks, catastrophic cyber incidents affecting the United States will be rare,” Knake wrote. “TRIP should be expanded to cover cyber events and renamed to allow for coverage of all catastrophic cyberattacks—whether they are carried out by terrorists, state actors, or criminals—including cases in which attribution cannot be determined.”
One way that TRIP falls short, Knake tells Security Management, is that it doesn’t place requirements on insurance policies and on companies themselves to improve their own security. Knake, who is the former U.S. National Security Council director for cybersecurity policy, says this was discussed at the time that TRIP was created but ultimately decided against.
When it comes to cybersecurity, where the threat and the fundamental responsibility is on companies to protect themselves, a “model that is like TRIA but creates a situation in which the insurance is being used to promote cyber hygiene, better practices, and information sharing makes a lot of sense,” he says.
For instance, Knake recommends that regulators set minimum requirements for cyber insurance for companies that want to take advantage of TRIP’s protections. One example of this is the approach that U.S. financial regulators have taken to cybersecurity to address the potential of systemic risk throughout the entire system should a major financial institution be hit with a cyberattack.
“Being able to quantify that risk and then say, ‘You need to have insurance up to that amount,’” Knake says. “It’s like car insurance. You need to have car insurance, as the minimum standard.”
Ultimately, a federally sponsored cyber insurance program should be used to limit financial liability and promote participation in “initiatives that benefit the security of the Internet as a whole and reduce systemic risk,” Knake wrote.
“Initially, the government’s goal should be to use the program to promote the sharing of data on incidents so that insurers can accurately price risk and set premiums. Doing so could provide the data necessary to judge the effectiveness of existing best practices and identify new practices that should be widely adopted.”
Whether that happens remains to be seen, but insurance carriers are already projecting that the international market for cyber insurance will grow by 400 percent. Most forms of insurance typically only see 1 to 2 percent growth year over year, Newman says.
“Cyber insurance is exciting,” Newman adds. “Cyber is the class of insurance that is growing in the world.”