Cyber risks are considered a top global risk for the financial sector and the economy as a whole. The types of ICT risks to which undertakings are exposed have not changed in recent years; however, the frequency of incidents and the magnitude of their impact on financial entities have increased. The frequency and severity of cyberattacks are ever increasing.
Data breaches to steal personal information occur daily, but only the largest make the news. One that was deemed newsworthy was the data breach affecting 11 million people when hackers gained access to Premera Blue Cross’s systems on May 5, 2014. The breach was not discovered until January 29, 2015.
- FBI received reports of more than $209 million in losses from ransomware attacks
- Hollywood Presbyterian Hospital’s computers were shut down by ransomware and administrators paid hackers approximately $17,000
- The average cost paid for each lost or stolen personal information record increased to $154
- The current cyber insurance market premium is $10 billion
In addition to theft of personal information, cybercrime includes the theft of intellectual property. It is difficult to determine the cost of intellectual property theft, but it may have the most significant economic implications.
Theft of intellectual property reduces competition and slows technological improvement. Companies are slow to notice theft of intellectual property and unlikely to publicly acknowledge the theft.
Hackers stole passwords from top Nortel executives, including the chief executive, and downloaded technical papers, research-and-development reports, business plans, employee emails and other documents for nearly 10 years.
Ransomware, another form of cyberattack, is also increasing. With ransomware, malware locks the victim’s computers and the victim must pay a ransom, generally in bitcoins, to regain control of its computers. Hollywood Presbyterian Hospital’s computers were shut down by ransomware and administrators paid hackers approximately $17,000 to regain control of them. In the first quarter of 2016, the FBI received reports of more than $209 million in losses from ransomware attacks.
The 2015 Cost of Data Breach Study: Global Analysis divides the costs of personal information theft into three categories:
Direct Costs – the cost of the activity:
- Credit monitoring
According to an IBM-Ponemon study, the average cost paid for each lost or stolen personal information record increased from $145 to $154. Cyber liability insurance products can help companies cover the costs of data breaches and ransomware.
The current cyber insurance market premium is $2.5 billion and is expected to grow substantially by 2020. Projections for 2020 are $5 billion (David Bradford, Advisen), $7.5 billion (PWC) and $10 billion (ABI) (see Cybersecurity Insurance Market Size).
This growth is evidenced by the number of recent rate, rule and form filings containing cyber coverages. A review of several rate filings (effective May 2016 or later) shows that they provide commercial cyber coverage for the direct data breach costs mentioned above. Some of the companies offer additional coverage for cyberattack costs, including extortion. Coverages do not appear to be available for theft of intellectual property.
Pricing varies, with some companies having a rate per $1,000 of gross sales and others a flat base rate. The premium calculations are fairly simple, with adjustments for limit, deductible, retroactive period coverage and type of risk (see How Cyber Insurance Market Adapt to the Changing Threat Landscape?).
Two of the companies reviewed break down their hazard risks by website use:
- Low – provide only information on their website
- Medium – partially conduct business over their website and/or store credit card numbers
- High – conduct all business over their website and/or store highly sensitive information such as Social Security numbers
Other companies divide their risks into tier classes based on business type:
- Businesses where primary personal information is relative to employees only (manufacturing, wholesaling)
- Businesses that keep financial or account number information on customers but not Social Security numbers (retail, churches)
- Businesses with Social Security numbers (apartments, health care, professional services)
- Educational institutions
- Hospitals and nursing homes
All industries are affected by cyberattacks, but their frequency and severity vary. In 2015, health care, financial services, retail and education were the most frequently affected sectors, while the restaurant/hospitality industry experienced the highest levels of severity.
Cyberattacks are a real threat in today’s ever-evolving cyber risk landscape. Furthermore, the COVID-19 pandemic has forced almost all organizations to speed up their digital transformation priorities. It changed the way organizations learn from and deal with cyber risks.
During the pandemic, e-commerce boomed and brick-and-mortar retailers shifted to digital platforms, while schools and offices adopted and embraced online classes and remote working.
For organizations this meant re-thinking digitalization strategies and investing in information technology (IT), cloud capacity, and network infrastructure, to remain competitive and ensure business continuity. This rapid transformation, much of which will have a lasting effect, will inevitably increase systemic vulnerabilities to cyberattacks, meaning that the next decade will be the most important period of growth for the cyber insurance market thus far. Insurance coverage for cyber risk provides a means for businesses and individuals to transfer a portion of their financial exposure to insurance markets, reducing the costs associated with a cyber breach.
Cybercriminals have moved from supermarkets and big box stores to restaurants, hotels and casinos.
Using industry type to classify risks is a good way to start pricing cyber risk, but insurers also need to consider a company’s data volume, data value, number of endpoints to protect and vendors (see Global Cyber Insurance Claims).
Companies providing cyber coverage show little differentiation in pricing, which may be due to the lack of historical insurance data available to determine base rates and factors. One filing relied on publicly available data from the U.S. Government Accountability Office, Ponemon Group, Gartner and the Federal Trade Commission.
Insurance companies should look to external data to better price cyber risk.
In addition to the sources listed above, data are available from the Identity Theft Resource Center, Department of Homeland Security, Center for Strategic and International Studies and United Nations Office on Drugs and Crime.
Although the commercial cyber liability market is growing, there is limited coverage available in the personal insurance market. Homeowners insurers are adding exclusions for liability arising out of social media and cyberbullying. Coverage is generally limited to identity theft coverage, which could be a result of cybercrime. One exception is Chubb, which recently announced cyberbullying coverage as part of its homeowner’s Family Protection policy. It covers psychological counseling, lost salary and public relations (see Ransomware Attacks & Cyber Insurance).
Insurance companies could also assist their policyholders with loss control. Insurers should be aware of who is responsible for data breaches and how those breaches occur in order to assist their policyholders.
They also need to be educated on recent threats to proactively inform their policyholders. Insurers can evaluate the commercial policyholder’s preparation for proper underwriting and pricing, and as part of loss control.
As part of Chubb’s individual risk-sensitive rating plan, it reviews the company’s preventive measures and assesses the following:
- Firewalls and intrusion detection systems
- Passwords and authentication protocols
- Use of cryptography and encryption methodologies
- Maintenance of system logs
- Patch management program
- Planned elasticity of computing resources
- Mobile phone and mobile computing devices
- Written protocols when privileged access (administrator level) is granted
- Training program for employees and authorized users covering network security and privacy issues, including legal liabilities and threats such as social engineering (e.g., phishing), spam and dumpster diving
- Annual reports by IT security to senior management
- Incident response plan addressing data breaches, lost laptops or mobile devices
- Procedures for immediate revocation of all computer rights and retrieval of all computing equipment
- Daily backup
- Business continuity and disaster recovery plans that incorporate consideration of cyber threats
Companies that do not score well on these questions can be provided assistance to improve their defenses. A strong defense cannot eliminate all claims, but it may substantially reduce costs and time associated with a breach.
The Catholic Charities of Santa Clara County was saved from ransomware by a device that scans the network for unusual behavior.
The computer that was contacting a server in Ukraine was disconnected from the network before significant damage was done. Catching ransomware early can save a company money.
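The kind of behavioural check described above, as an added example that is not from the article or from the Catholic Charities deployment: a small detector that learns which destination countries each host normally contacts, then flags a host that starts contacting a new country on a regular (beaconing) schedule and returns a quarantine decision. The geolocation table, host names and log lines are all constructed for the example; a real deployment would use a GeoIP database and its own flow or proxy logs.

```python
"""Added example: behavioural detection of a host beaconing to an unexpected country.

Everything below is constructed for illustration: the prefix-to-country table stands in
for a GeoIP database, and the log lines stand in for outbound-connection (flow/proxy) logs.
Log line format: "<ISO timestamp> <src_host> <dst_ip> <dst_port> <bytes_out>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple
import ipaddress

# Constructed geolocation table (documentation address ranges, not real infrastructure).
GEO_TABLE = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "UA",
}

# Constructed baseline period: what the hosts normally talk to.
BASELINE_LOG = [
    "2016-02-01T09:00:00 pc-01 203.0.113.5 443 1200",
    "2016-02-01T09:05:00 pc-02 198.51.100.9 443 800",
    "2016-02-01T09:07:00 pc-07 203.0.113.8 80 300",
]

# Constructed live period: pc-07 starts calling one new foreign host once a minute.
LIVE_LOG = [
    "2016-02-02T10:00:00 pc-07 192.0.2.10 443 512",
    "2016-02-02T10:00:30 pc-01 203.0.113.5 443 900",
    "2016-02-02T10:01:00 pc-07 192.0.2.10 443 512",
    "2016-02-02T10:02:01 pc-07 192.0.2.10 443 512",
    "2016-02-02T10:03:00 pc-07 192.0.2.10 443 512",
    "2016-02-02T10:04:00 pc-02 192.0.2.20 443 100",  # one-off contact, below the threshold
]

Event = Tuple[datetime, str, str, int, int]


def country_of(ip: str) -> str:
    """Map an IP to a country code via the constructed table; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"


def parse(lines: List[str]) -> List[Event]:
    """Parse constructed log lines into (timestamp, host, dst_ip, port, bytes) tuples."""
    events = []
    for line in lines:
        ts, host, dst, port, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, dst, int(port), int(nbytes)))
    return events


def learn_baseline(events: List[Event]) -> Dict[str, Set[str]]:
    """Record the set of destination countries each host contacted during the baseline."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _, host, dst, _, _ in events:
        seen[host].add(country_of(dst))
    return seen


def detect(events: List[Event], baseline: Dict[str, Set[str]],
           min_hits: int = 3, max_jitter: timedelta = timedelta(seconds=5)):
    """Return (host, dst_ip, country, reason) alerts for periodic contact with a new country.

    A (host, destination) pair is flagged only if the destination's country is not in the
    host's baseline AND the contacts repeat at least min_hits times with a near-constant
    interval (spread of the gaps no larger than max_jitter), which is the beaconing shape
    that a single unusual download would not produce.
    """
    per_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, host, dst, _, _ in events:
        per_pair[(host, dst)].append(ts)

    alerts = []
    for (host, dst), stamps in per_pair.items():
        cc = country_of(dst)
        if cc in baseline.get(host, set()):
            continue  # this host normally talks to that country
        stamps.sort()
        if len(stamps) < min_hits:
            continue  # too few contacts to call it periodic
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            alerts.append((host, dst, cc, "periodic contact with new destination country"))
    return alerts


def quarantine_decisions(alerts) -> List[str]:
    """Hosts to disconnect from the network, one entry per host regardless of alert count."""
    return sorted({host for host, *_ in alerts})


if __name__ == "__main__":
    base = learn_baseline(parse(BASELINE_LOG))
    found = detect(parse(LIVE_LOG), base)
    for host, dst, cc, why in found:
        print(f"ALERT {host} -> {dst} ({cc}): {why}")
    print("quarantine:", quarantine_decisions(found))
```

The two thresholds (`min_hits`, `max_jitter`) are the tuning knobs: a lower `min_hits` catches infections sooner at the cost of more false positives, which matters because the quarantine action takes a machine off the network. The baseline is per host, so a host that legitimately serves foreign customers does not trip the check.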
Providing training to policyholders is another element of loss control. Human error is a significant cause of incidents. Phishing and hacking were responsible for 31 percent of cyber incidents in the BakerHostetler study. Underlying issues of phishing and hacking can often be attributed to human error. Other causes include employee mistakes (24 percent), external theft (17 percent), vendors (14 percent), internal theft (8 percent) and lost or improper disposal (6 percent).
Following a cyberattack, an insurance company can provide assistance with forensic investigations. It is important for a company to quickly determine what data are at risk and to react swiftly.
Consumers are well aware that breaches occur, and denying or underestimating their impact can seriously damage a company’s reputation and retention.
Individuals may need home-security audits to verify their computer systems are safe. This is particularly important for individuals with investments and sensitive data on their home and mobile systems. Pure Insurance offers one-day audits and a monitoring service for home computer network intrusions. Pure started this program in response to individuals’ cyber-related claims.
Insurance coverage of cyber risks should continue to grow as cybercrime increases in frequency and severity. Similar to the way insurers have led the way for loss control in traditional coverages, insurers must also lead the way in preventing and reducing the impact of cybercrime.
AUTHOR: Laura A. Maxwell, FCAS, MAAA – Director & Consulting Actuary at Pinnacle Actuarial Resources