New Cyber Threat: Cryptojacking

It seems that with every advancement in technology a new threat vector is born. This holds true as we begin to embrace the world of cryptocurrency. Cryptocurrencies have emerged as an alternative means of conducting financial transactions, and the value of a single Bitcoin rose to $20,000 in late 2017. Hackers took notice and succeeded in stealing over $1 billion in cryptocurrency in 2018 alone.

Unfortunately, the cyber threat goes beyond the theft of the currency itself. This new platform has given birth to a cyber crime known as cryptojacking.

Cryptojacking Defined

Cryptocurrency can be earned by a process called cryptomining. Cryptominers must first solve complex mathematical problems to validate transactions. To do this, they run software that works through a very complex cryptographic puzzle, which requires massive amounts of computing power.

Rather than use their own resources, cyber criminals infiltrate the networks of unsuspecting victims and leverage the victims’ computers for their own mining activities. The hackers then send the results back to servers they control. This often results in slowed or crashed computer systems, equipment replacement costs, increased energy costs and lost productivity.

There are several attack methods, including:

  • Phishing emails: The victim clicks on a malicious link or attachment. This runs code that installs a cryptomining script on the target computer. The script then runs continuously, often undetected.
  • Drive-by mining: The hacker injects a cryptojacking script into targeted websites or pop-up ads. When a victim visits that website or receives a pop-up from the infected ad, the script runs and infiltrates the network.
  • Rogue employees: Insiders with access to IT infrastructure can set up cryptojacking systems, including physical servers, within the workplace premises.

Preventing a Cryptojacking Attack

There are several strategies that may help prevent a cryptojacking attack:

  • Web filtering tools should be used to block websites that are known to spread cryptojacking scripts.
  • A cryptojacking ad blocker can be installed to prevent infected ads from popping up.
  • Endpoint detection technology can recognize known crypto miners as soon as they penetrate the network.
  • Mobile device programs can manage vulnerable apps and malicious extensions that may be found on employee-owned devices.
  • Employees must be educated to recognize phishing emails in security awareness training programs.

Transferring Cryptojacking Risk

Many cyber security experts will agree that there is no silver bullet that will prevent all cyberattacks. As a result, the commercial cyber insurance market has evolved along with cyber threats to facilitate options for cyber risk transfer. These insurance policies can provide indemnification for both first-party direct costs and subsequent third-party liability costs in the aftermath of a cyberattack.

While policy wording can differ among insurance companies, there are common coverages that are found in many policies. These may be especially helpful in transferring financial losses specific to a cryptojacking attack, including:

  • Business Interruption – The cumulative effect of the slowing of hundreds or thousands of computers in one organization can lead to significant cost over time. Components may fail prematurely due to overuse, and critical controls may be affected. The resulting downtime and restoration process may cause financial loss, which may be recovered under a cyber insurance policy.
  • Network Security Liability – Companies may unknowingly transmit cryptomining code to other organizations, creating legal liability. Litigation costs and settlements may be covered under these policies.
  • Crisis Management – Hackers may change tactics after the initial cryptojacking attack. Once they have access to networks, they may move laterally and access sensitive information that they can monetize, such as Social Security numbers and financial records. Costs to retain external vendors to investigate and respond to the attack, including IT forensics firms, privacy attorneys, credit monitoring fees, notification and call center costs, may be covered.
  • Increased costs due to fraudulent use of a victim’s vendor services, such as a cloud provider or internet-based services, may also be a covered cost.

In light of the emerging threats posed by cryptojacking criminals, it is imperative that steps are taken to prevent, mitigate and transfer the risk. Technology-based controls, employee training and insurance risk transfer mechanisms should all be considered.

Questions on Massive Government Hack

True or false? There was no way the Office of Personnel Management could have prevented hackers from stealing the sensitive personal information of 4.1 million federal employees, past and present.

If you guessed “False,” you’d be wrong. If you guessed, “True,” you’d also be wrong.

The correct response is: “Ask a different question.” Serious data breaches keep happening because there is no black-and-white answer to the data breach quagmire. So what should we be doing? That’s the right question, and the answer is decidedly that we should be trying something else.

The parade of data breaches that expose information that should be untouchable continues because we’re not asking the right questions. It persists because the underlying conditions that make breaches not only possible, but inevitable, haven’t changed—and yet we somehow magically think that everything will be all right. And of course we keep getting compromised by a short list of usual suspects, and there’s a reason. We’re focused too much on the “who” and not asking simple questions, like, “How can we reliably put sensitive information out of harm’s way while we work on shoring up our cyber defenses?”

According to the New York Times, the problems were so extreme for two systems maintained by the agency that stored the pilfered data that its inspector general recommended “temporarily shutting them down because the security flaws ‘could potentially have national security implications.’”

Instead, the agency tried to patch together a solution. In a hostile environment where there are known vulnerabilities, allowing remote access to sensitive information is not only irresponsible — regardless of the reason — it’s indefensible. Yet according to the same article in the Times, the Office of Personnel Management not only allowed it, but it did so on a system that didn’t require multifactor authentication. (There are many kinds, but a typical setup uses a one-time security code needed for access, which is texted to an authorized user’s mobile phone.) When asked by the Times why such a system wasn’t in place at the OPM, Donna Seymour, the agency’s chief information officer, replied that adding more complex systems “in the government’s ‘antiquated environment’ was difficult and very time-consuming, and that her agency had to perform ‘triage’ to determine how to close the worst vulnerabilities.”

Somehow I doubt knowing that protecting data “wasn’t easy” will make the breach easier to accept for the more than 4 million federal employees whose information is now in harm’s way (or their partners or spouses whose sensitive personal information was collected during security clearance investigations, and may have been exposed as well).

A New Approach

The game changer — at least for the short term — may be found in game theory. In an “imperfect information game,” players are unaware of the actions chosen by their opponent. They know who the players are, and their possible strategies and actions, but no more than that. When it comes to data security and the way the “game” is set up now, our opponent knows that there are holes in our defenses and that sensitive data is often unencrypted.

Because we can’t resolve vulnerabilities on command, one way to change the “game” would be to remove personal information from systems that don’t require multifactor authentication. Another game changer would be to only store sensitive data in an encrypted, unusable form. According to Politico, the OPM stored Social Security numbers and other sensitive information without encryption.

This fixable problem is not getting the attention it demands, in part because Congress hasn’t decided it’s a priority.

The U.S. is not the only country getting hit hard in the data breach epidemic. The recent attack on the Japanese Pension Service compromised 1.3 million records, and Germany’s Bundestag was recently hacked (though the motivation there appeared to be espionage, according to a report in Security Affairs).

According to an IBM X-Force Threat Intelligence report earlier this year, cyberattacks caused the leak of more than a billion records in 2014. The average cost for each record compromised in 2014 was $145 and has increased to $195, according to Experian. The average cost to a breached organization was $3.5 million in 2014 and is now up to $3.8 million. More than 2.3 million people have become victims of medical identity theft, with a half million last year alone. Last year, $5.8 billion was stolen from the IRS, and the Treasury Inspector General for Tax Administration predicts that number could hit $26 billion by 2017.

If you look at the major hacks in recent history — a list that includes the White House, the U.S. Post Office and the nation’s second largest provider of health insurance — it would seem highly unlikely that a lax attitude is to blame. But a former senior administration adviser on cyber-issues told the New York Times about the OPM hack: “The mystery here is not how they got cleaned out by the Chinese. The mystery is what took the Chinese so long.”

During this period when our defenses are no match for the hackers targeting our information, evasive measures are necessary. I agree with White House Press Secretary Josh Earnest, who said, “We need the United States Congress to come out of the Dark Ages and actually join us here in the 21st century to make sure that we have the kinds of defenses that are necessary to protect a modern computer system.”

But laws take a long time, and we’re in a cyber emergency. The question we need to ask today is whether, in the short term, the government can afford not putting our most sensitive information behind a lock that requires two key-holders — the way nukes are deployed — or storing it offline until proper encryption protocols can be put in place.

What Is the Future for Drones?

In 2013, Amazon CEO Jeff Bezos announced to the world that the online retailer would begin to develop a “drone-to-door” delivery service for its loyal customers. Dubbed Amazon Prime Air, the system would deliver packages directly to your doorstep in just 30 minutes after an order is placed, setting a new and higher bar for “fast delivery.”

However, after a variety of issues and concerns were addressed by increasing regulations added by the Federal Aviation Administration (FAA), it appeared that Bezos’ announcement would never get off the ground. But after two years of waiting for the FAA, Amazon will finally get to test these drones on U.S. soil — or, should I say U.S. air? — bringing customers one step closer to having their Tide detergent refilled by a delivery drone.

Despite the U.S. government dragging behind on approvals for retail and civilian use, sales of drones aren’t expected to slow any time soon. Companies like Teal Group, an aerospace research firm, estimate that sales of both military and civilian drones will total more than $89 billion by 2023.

Other big companies, such as State Farm and AIG, are also getting into the drone business. In fact, State Farm is the first insurance company in the U.S. to receive regulatory approval to test drones for commercial use. With drones popping up in so many different industries, it makes me wonder, what impact will drones have on companies’ customer experience — good and bad?

The Good

State Farm plans on changing the insurance industry for the better, using drones to aid in natural disaster relief. For instance, instead of State Farm spending the money (and time) to ship hundreds of claims adjusters out to natural disaster sites to assess damages, the company will send only a handful of agents equipped with a drone partner to more efficiently survey damaged property.

Jason Wolf, a property defense attorney and shareholder at the Florida-based firm, Koch Parafinczuck & Wolf, stated in an interview to ClaimsJournal.com: “I envision a time when, after a catastrophe, an adjuster pulls up to a neighborhood and opens the trunk of his car and presses a few buttons on his tablet device, and the drone does an immediate survey of everything and streams it all right to his tablet device, and he knows exactly where to go first and what’s most significant within minutes. Costing very little money, the insurance company has a sense of everything that needs to be done in a very short amount of time.”

Imagine all the headaches this could mitigate for customers and employees after the chaos caused by unfortunate losses created by natural disasters.

It’s interesting, too, how this type of surveying will require additional training, but training we might be familiar with. Much like a police officer who trains alongside his dog in a K-9 unit, insurance adjusters will train alongside their partner – only, in this industry, it would be a drone.

While there is debate in the insurance world about how drones will operate, one thing is for sure – they will be operated and used to speed up services and save on cost, making customers’ lives a little easier. As such, claims assessment aided by a drone will yield quick turnarounds and an even quicker payout to the insured.

Additionally, insurance companies will start offering drone insurance to owners of unmanned aircraft systems (UAS). RiskandInsurance.com noted that the general types of coverage that will be required for the use of UAS and ancillary business activities will include liability, personal injury, invasion of privacy, property and workers’ compensation. The publication also mentioned that, given the conservative nature of the insurance industry, carriers could place stricter guidelines on drone coverage than the FAA does.

Once regulated and insured, drones will be sent out into the community to collect data. For example, what if someone’s home flooded? Well, insurance companies could send their drone to the flooded house and survey the area for all damages, speeding up the process for families affected.

There is also the use of drones for the collection of data by third parties. Imagine that Ford is looking to target advertisements for a new truck to areas where the road conditions would demand the use of four-wheel drive. Ford hires an agency to send out drones to specific cities where it is looking to advertise.

This drone will collect data on road conditions and take images of cars on the road to make sure a majority of drivers are in trucks, and will then report back on economic conditions. Ford doesn’t want to be advertising where citizens can’t or won’t pay for the product.

In a world becoming more drone-centric, these types of background checks and data collections via UAS will become increasingly more frequent.

The Bad

The government review process for a drone is 120 days, but, by the end of the process, Amazon says the technology of the drone submitted for regulation is outdated. Therefore, Amazon must update its filing and submit to the FAA for regulation, starting the 120-day review process all over again.

The other concern of the FAA is air traffic. In its initial regulations on drone flight, the FAA is requiring that drone operators keep sight of the drone at all times and that they operate under 400 feet.

Exelis, a global aerospace, defense, information and services company, was featured in an article on Engadget recently, discussing its development of an air traffic control system for drones. Nearly ready for testing at the FAA-approved drone-testing sites, the low-altitude monitoring system would keep tabs on compact aircraft flying at or under the mandated 400 feet.

It’ll be interesting to see how industry giants, such as Amazon, overcome these obstacles to create a non-invasive customer experience with drone technology.

Once regulated, the next issue is invasion of civilian privacy. Privacy and civil liberties advocates have raised doubts about the legitimacy of facial recognition cameras, thermal imaging cameras, open Wi-Fi sniffers, license plate scanners and other sensors commonly used by drones in the civilian sphere.

Civilian uses of drones for hobby are already causing issues, most notably at the White House, but across the country as well. The LA Times reported last June that while LA Kings hockey fans were celebrating their Stanley Cup victory, a group noticed a drone flying over their heads filming the scene. Angry at the invasion of privacy, the crowd knocked the drone out of the sky using a T-shirt and then smashed it to bits with a skateboard.

In Los Angeles, flying a drone in public is not illegal, but LAPD Cmdr. Andrew Smith commented that, “It was kind of an eye-opener for us, that this [is] something we really need to pay attention to.” While the Kings fans’ reactions may seem a little over the top, the general population seems to feel the same way when they see a drone overhead.

With no official laws on the books regarding the use of domestic drones, the right to privacy becomes a large topic of concern for many citizens. The American Civil Liberties Union states on its website, “Congress has ordered the Federal Aviation Administration to change airspace rules to make it much easier for police nationwide to use domestic drones, but the law does not include badly needed privacy protections.”

It will be interesting to see how industries promote drone use to their customers, without raising fears about a threat to privacy. After all, customers may not always be right, but they are always the customers.

Drones will also need to be protected from cyber attacks.

“Cyberattacks on your PC – they can steal information, and they can steal money, but they don’t cause physical damage, whereas cyber-attacks in a UAV or a car can cause physical damage, and we really don’t want to open that can of worms,” said Kathleen Fisher, the previous program manager of the DARPA project, in a statement to NextGov.com.

The Pentagon is currently working on developing code that will protect a Boeing Little Bird unmanned aircraft from being hacked. Defense industry programmers are rewriting software to safeguard the computer onboard the helicopter drone and aim to have the project completed by 2017.

The Future

It’s exciting to think about what drone technology will bring to companies and their customers – and to people everywhere. Let’s face it, if we think we have seen the complete potential of what customer experience has to offer, then, well, we’re being naive. The new drone technology will reinvent customer experience once again. And the best part? We all get to see how it unfolds.

The future seems endless for drones. Whether you feel they are an invasion of privacy, or they will begin to make our lives easier and aid society in ways that haven’t even been thought of yet, drones aren’t going anywhere any time soon. If you need to put it in perspective, a white paper featured on Cognizant.com notes that 40,000 drones are expected to deploy in 2015, and this is a number that will continue to increase each year. This industry is ready for take-off.

If you haven’t come face-to-face with a drone yet, don’t worry, you will.

What to Consider When Buying Cyber

No industry or organization, wherever situated and whatever the size, is immune to the threat of cyberattack, and the impact can be catastrophic, both financially and in terms of reputation. For example, eBay recently announced a massive cyberattack that may have exposed the personal data of 128 million customers globally.

The management of cyberrisk clearly needs to be high on the boardroom agenda. Network security alone cannot fully address the issue: Experience has shown that even top-notch, state-of-the-art cybersecurity is vulnerable.

Boards need to ensure that they identify key risks and prioritize the protection of critical information. Internal policies and procedures should be put in place to ensure that staff are aware of risky behaviors, such as disclosing passwords and opening suspicious documents in unsolicited emails. Companies need to see that network security systems and controls are regularly tested and monitored, and that response procedures are in place in case of a cyberattack or data breach.

Insurance can also play a vital role in managing cyberrisks. As part of the board’s risk assessment, it needs to understand the types of cyberrisk, and the potential losses and liabilities that follow. This is the first step in understanding the organization’s insurance requirements and the extent of coverage required for cyberrisks.

Consider the Company’s Risk Profile
An initial assessment of the company’s risk profile and areas particularly vulnerable to cyberattack is crucial. External advice may be needed. The risk assessment should extend across the organization. The assessment needs to consider the amount and type of personally identifiable information, customer data and confidential corporate data the organization maintains and how such data is used, transmitted and stored. The company’s technology infrastructure should be evaluated, as well as potential threats to network security and the likely consequences of significant interruptions to online working or customer transactions. Also consider the risk of third-party claims arising from the company’s media content and the services provided to support e-commerce.

The company needs a complete understanding of any potential impact of a cyberattack or data breach, including the wider impact on business strategy. Performing a thorough risk assessment not only helps the organization identify and address risks and potential gaps in security but can facilitate underwriting of cyberrisks and may even result in premium reductions. Once the organization has a grasp of its risk profile and potential exposures, it can consider its insurance needs.

Examine Existing Insurance Policies
Some coverage for these potential losses and liabilities may be available under existing insurance policies already held by the business. These include general liability, directors and officers liability, professional indemnity, crime and property and business interruption policies. Careful assessment of the coverage provided by these policies is essential, however, as there are likely gaps in coverage because such policies have not historically been designed to cover non-tangible assets and network-related risks. The company will need to consider whether to fill those gaps with enhancements to existing policies or through new cyberrisk products now being offered by insurers.

Consider the Need for Cyberinsurance
There are now a number of cyberinsurance products available, and the scope of coverage varies from insurer to insurer. These policies typically cover losses and liabilities such as:

  • Data liability. This covers damages and defense costs resulting from any claim against the insured from a data breach that compromises personal information. It should also cover claims alleging that information has been lost or compromised as a result of unauthorized access to, or use of, the insured’s computer systems. It is important that the policy covers not only an individual’s personal information but also employee data and confidential corporate information. Many organizations possess third-party trade secrets, customer lists, marketing plans and other information that could be beneficial to competitors and may result in liability if compromised.
  • Media liability. This insures damages and defense costs resulting from any claim against the insured for infringement of copyright and other intellectual property rights, as well as misappropriation or theft of ideas or media content. While coverage may not extend to content published in a personal capacity, this should ideally be included, as organizations may face significant liabilities as a result of employees using Twitter, Facebook and other social media.
  • Regulatory coverage. This covers the costs of response to any administrative, government or regulatory investigation following a data breach or cyberattack, as well as any fines or penalties imposed. However, this coverage is typically limited to civil fines and penalties, as criminal fines and penalties are not insurable in many jurisdictions. Some regulators, including the Financial Conduct Authority (FCA) and the Securities and Exchange Commission (SEC), prohibit regulated firms from recovering from insurers any fines or penalties the regulators impose.
  • Remediation coverage. Most policies provide coverage for additional costs associated with a data breach, including the costs incurred to notify those affected and relevant authorities, provide credit monitoring for those affected and set up call centers to field inquiries from concerned clients. Coverage may also extend to the costs of forensic services to determine the cause and scope of a breach, as well as public relations expenses and other crisis management costs.
  • Information assets coverage. The policy may include coverage for costs of recreating, restoring or repairing the company’s own data and computer systems. This may also extend to third-party data that has not been captured by back-up systems or that has been corrupted or lost because of negligence or technical failure.
  • Network interruption coverage. The policy may cover lost revenue from network interruptions or disruptions because of a denial of service attack, malicious code or other security threats.
  • Extortion coverage. Many policies insure the costs of responding to ransom or extortion demands to prevent a threatened cyberattack.

Cyberinsurance policies vary significantly, so the specific policy terms and conditions should be analyzed carefully to ensure that the coverage meets the company’s likely loss scenarios and potential exposures. It is particularly important to consider whether the coverage extends to information in the hands of third parties where data handling, processing and storage has been outsourced to third parties, including cloud service providers. If the organization has outsourced data handling, then it should secure coverage for any loss or business interruption arising from data that is managed by third-party service providers.

Consider the “retroactive date,” as policies often limit coverage to cyberattacks or data breaches occurring after a specified date, such as policy inception. It is important to request retroactive coverage for network security breaches that may have occurred before the inception date, as it is not uncommon for cyberattacks to remain undetected for a considerable period.

Review Defense and Settlement Provisions
Cyberinsurance policies include defense provisions that typically limit coverage for defense costs to those that are reasonable and incurred with the insurer’s prior written consent. While many insurers include these types of provisions to insist on the appointment of their own choice of defense counsel, selection of defense lawyers is an important issue. Some companies prefer to appoint lawyers whom they know well and who are familiar with their business. Moreover, certain claims arising from the use of technology, such as claims for breach of confidence, breach of copyright and defamation, require specialist counsel with particular experience. The company should therefore consider requesting a specific provision reserving the right to choose its defense lawyer, although the decision will usually be subject to the insurer’s prior approval.

Check the Fine Print
The “devil is in the details,” especially with cyberinsurance. While the market has developed rapidly in recent years, there are inconsistencies in the cover provided, and minor variations can have significant impact on the availability of coverage.

There will likely be efforts by the insurer to exclude risks that should be covered under other types of policy, and this is not unreasonable. It is important, however, to avoid broadly worded exclusions that could extend beyond that concern, or attempt to undermine the initial purpose of the insurance. For example, insurers might seek to impose exclusions based on possible shortcomings in the company’s network security. These types of exclusions should be resisted.

Insurance can play a vital role as part of an overall strategy to mitigate cyberrisk, but it is necessary to look beyond the policy limits to ensure that the coverage provided — whether under traditional policy forms or specific cyberinsurance policies — is as broad as possible.

Ms. Gates wrote this article with Sarah Turpin, a partner in the dispute resolution and insurance coverage groups in K&L Gates’ London office.

A Case For Cyber Insurance

The Need Is There

There were more than 26 million new strains of malware released into circulation in 2011, the last year with solid data on malware. Such a rate would produce nearly 3,000 new strains of malware an hour! Almost two-thirds of U.S. firms report that they have been the victim of cyber-security incidents or information breaches. The Privacy Rights Clearinghouse reported that since 2005, more than 534 million personal records have been compromised. In 2011, 273 breaches were reported, involving 22 million sensitive personal records. The Ponemon Group, whose Cost of Data Breach Study is widely followed every year, indicated a total cost per record of $194 in 2011, an increase of over 40% ($138) compared to the cost in 2005 when the study began.

Other surveys are consistent. NetDiligence, a company that provides network security services on behalf of insurers, reported in its “2012 Cyber Risk and Privacy Liability” forum the results of its analysis of 153 data or privacy breach claims paid by insurance between 2006 and 2011. On average, the study said, payouts on claims made in the first five years total $3.7 million per breach.

And attacks don’t target only large companies. According to Symantec’s 2010 SMB Protection report (again, the last report with good data on SMEs), small businesses:

  • Sustained an average loss of $188,000 per breach
  • Comprised 73% of total cyber-crime targets/victims
  • Lost confidential data in 42% of all breaches
  • Suffered direct financial losses in 40% of all breaches

Indeed, according to the 2011 Verizon Data Breach Report, in 2010, 57% of all data breaches were at companies with 11 to 100 employees. Interestingly, it was the Report’s opinion that 96% of such breaches could have been prevented with appropriate controls.

Seemingly, not a week goes by without a reference to cyber risk hitting the mainstream press. Recently, a cyber attack was successfully launched against ATMs in 27 countries, withdrawing over $40 million in over 30,000 transactions in less than 10 hours. The New York Times recently reported that universities are facing a rising barrage of cyberattacks, mostly from China. And last year saw a number of denial of service attacks against financial institutions brought by sophisticated cyber “criminals” whose attacks were eventually sourced to the nation of Iran, in what would truly be considered a Cyber War attack against the U.S. infrastructure.

All This Has Prompted Insurers To Enter The Market (And Make A Nice Profit To Boot)

Cyber-insurance began in earnest in 2000 when American International Group’s AIG eBusiness Risk Solutions unit launched AIG netAdvantage. Starting from scratch, premium jumped to over $100 million by the time the unit was merged into larger subsidiaries of AIG, just four years after its creation. AIG eBusiness was extremely profitable with estimates of loss ratio in the extremely low double digits.

Fast forwarding to today, the cyber-insurance market, according to the 2012 Betterley Report, is “in the $1 billion range” in terms of premium (up from $800 million in the 2011 report), with close to 40 insurance carriers providing a standalone insurance policy. Premium continues to increase, with most carriers, according to Betterley, reporting increases from 25% to 100% year over year. Hard profit figures are difficult to come by; however, strong anecdotal evidence suggests that this line of insurance continues to be highly profitable. Third party litigation continues to be slow to develop outside the privacy arena, and first party claim losses, outside of breach funds, are non-existent.

From an underwriting point of view, some attention should be paid to theft of personally identifiable information (PII), especially with respect to first party costs associated with forensics and customer notification. However, there are established methods for the underwriter to manage this risk successfully. Indeed, in a widely followed report, Verizon reports that 90% of all breaches can be prevented with proper risk management guidelines. Of course, like any other portfolio of business, care must be taken with respect to avoidance of catastrophic exposure, adverse selection and moral hazard. There are underwriting guidelines and processes that can be developed to manage these exposures.

Yet The Market Still Has Plenty Of Room To Grow

Despite the increased attention to cyber incidents, most reports indicate that only a minority of companies currently purchase cyber-insurance. According to the “Chubb 2012 Public Company Risk Survey: Cyber,” 65% of public companies surveyed do not purchase cyber insurance, yet 63% of decision-makers are concerned about cyber risk. In a recent Zurich survey of 152 organizations, only 19% of those surveyed have bought cyber insurance, despite the fact that 76% of companies surveyed expressed concern about their information security and privacy. A risk area with a high level of concern but little purchase of insurance? That’s an insurance carrier’s dream.

It is unclear why there aren’t more buyers, but most of the industry believes it’s a lack of education. For example, previous surveys indicated that over 33% of companies incorrectly believe that cyber is covered under their general corporate liability.

Regardless of the reason, with respect to foreign corporations whose securities are traded on U.S. exchanges, a recent “Guidance” report2 published by the U.S. Securities and Exchange Commission on October 13, 2011 is likely to increase sales.  The report begins simply enough:

For a number of years, registrants (companies who register their securities with the SEC) have migrated toward increasing dependence on digital technologies to conduct their operations. As this dependence has increased, the risks to registrants associated with cybersecurity have also increased … As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.

The “guidance” report goes on to specify five “suggested” disclosures that may be “appropriate” to companies trading with securities registered with the SEC.  The fifth suggestion is the one that caught the eye of the insurance industry.  It reads simply:

Description of relevant insurance coverage.

This is the first time, as far as I am aware, that the SEC has included insurance in one of its guidance reports. The SEC tends to start investigations 18-24 months after issuing a guidance report. It is difficult to imagine how a general counsel would be able to meet this disclosure without, at least, an investigation of specific cyber insurance. This is especially true given that over the course of the last few years, general liability underwriters have continued to tighten up any language in a general liability policy to a point where an insured would be foolish to even think the policy applies to cyber risks.3

Thus, it is perhaps not surprising that the Betterley 2012 market report stated “we think this (cyber) market has nowhere to go but up,” although they quickly qualified, “as long as carriers can still write at a profit.”

And With A Private-Public Partnership There Is Even More Potential

Unlike many other countries, 80% or more of the critical infrastructure of the United States is in private hands.  As we have seen in the last year, cyber attacks are increasingly being brought by companies associated with hostile nation states.  Cyber-terrorism – even cyber-war – is close at hand and, in some minds, is already here.  The insurance industry can and should play a vital role in providing private sector incentives to foster increased network security in the critical infrastructure.  However, the insurance industry cannot do this alone.  The answer lies in a private-public partnership between the insurance industry and the federal government.  Productive discussions are already underway between the Department of Homeland Security and the insurance industry with specific proposals to safeguard and enhance our country’s security being reviewed.

For more details on the need for this public-private partnership, and what is going on to bring it about, stay tuned for our next article.

1 Universities Face a Rising Barrage of Cyberattacks

2 Cybersecurity

3 While from time to time, this is tested by insureds (see Sony vs. Zurich), almost all commentators have admitted that the “die is cast.”