Tag Archives: denial of service attacks

A Case For Cyber Insurance

The Need Is There

There were more than 26 million new strains of malware released into circulation in 2011, the last year with solid data on malware. Such a rate would produce nearly 3,000 new strains of malware an hour! Almost two-thirds of U.S. firms report that they have been the victim of cyber-security incidents or information breaches. The Privacy Rights Clearinghouse reported that since 2005, more than 534 million personal records have been compromised. In 2011, 273 breaches were reported, involving 22 million sensitive personal records.  The Ponemon Group whose Cost of Data Breach Study is widely followed every year indicated a total cost per record of $194 in 2011, an increase of over 40% ($138) compared to the cost in 2005 when the study began.

Other surveys are consistent.  NetDiligence, a company that provides network security services on behalf of insurers, reported in their “2012 Cyber Risk and Privacy Liability” forum the results of their analysis of 153 data or privacy breach claims paid by insurance between 2006 and 2011.  On average, the study said, payouts on claims made in the first five years total $3.7 million per breach.

And, attacks simply don’t target large companies. According to Symantec’s 2010  SMB Protection report (again the last report with good data on SME), small busineses:

  • Sustained an average loss of $188,000 per breach
  • Comprised 73% of total cyber-crime targets/victims
  • Lost confidential data in 42% of all breaches
  • Suffered direct financial losses in 40% of all breaches

Indeed, according to the 2011 Verizon Data Breach Report, in 2010, 57% of all data breaches were at companies with 11 to 100 employees. Interestingly, it was the Report’s opinion that 96% of such breaches could have been prevented with appropriate controls.

Seemingly, not a week goes by without a reference to cyber risk hitting the mainstream press. Recently, a cyber attack was successfully launched against ATMs in 27 countries withdrawing over $40 million in over 30,000 transactions in less than 10 hours.  The New York Times recently reported that universities are facing a rising barrage of cyberattacks, mostly from China.1   And last year saw a number of denial of service attacks against financial institutions brought by sophisticated cyber “criminals” whose attacks were eventually sourced to the nation of Iran in what would truly be considered a Cyber War attack against the U.S. infrastructure.

All This Has Prompted Insurers To Enter The Market (And Make A Nice Profit To Boot)

Cyber-insurance began in earnest in 2000 when American International Group’s AIG eBusiness Risk Solutions unit launched AIG netAdvantage. Starting from scratch, premium jumped to over $100 million by the time the unit was merged into larger subsidiaries of AIG, just four years after its creation. AIG eBusiness was extremely profitable with estimates of loss ratio in the extremely low double digits.

Fast forwarding to today, the cyber-insurance market, according to the 2012 Betterley Report is “in the $1 billion range” in terms of premium (up from $800 million in the 2011 report) with close to 40 insurance carriers providing a standalone insurance policy.  Premium continues to increase with most carriers, accordingly to Betterley, reporting increases from 25% to 100% year over year.  Hard profit figures are difficult to come by; however, strong anecdotal evidence suggests that this line of insurance continues to be highly profitable.  Third party litigation continues to be slow to develop outside the privacy arena and first party claim losses, outside of breach funds, is non-existent.

From an underwriting point of view, some attention should be paid to theft of personal identifiable information (PII), especially with respect to first party costs associated with forensics and customer notification costs.  However, there are established methods to manage this risk successfully for the underwriter.  Indeed, in a widely followed report, Verizon reports that 90% of all breaches can be prevented with proper risk management guidelines.   Of course, like any other portfolio of business, care must be taken with respect to avoidance of catastrophic exposure, adverse selection and moral hazard.  There are underwriting guidelines and processes that can be developed to manage these exposures.

Yet The Market Still Has Plenty Of Room To Grow

Despite the increased attention to cyber incidents, most reports indicate only a minority of companies currently purchase cyber-insurance.  According to the “Chubb 2012 Public Company Risk Survey: Cyber,” 65% of public companies surveyed do not purchase cyber insurance, yet 63% of decision-makers are concerned about cyber risk. In a recent Zurich survey of 152 organizations, only 19% of those surveyed have bought cyber insurance despite the fact that 76% of companies surveyed expressed concern about their information security and privacy. A risk area with a high level of concern but little purchase of insurance? That’s an insurance carrier’s dream

It is unclear why there aren’t more buyers, but most of the industry believes it’s a lack of education. For example, previous surveys indicated that over 33% of companies incorrectly believe that cyber is covered under their general corporate liability.

Regardless of the reason, with respect to foreign corporations whose securities are traded on U.S. exchanges, a recent “Guidance” report2 published by the U.S. Securities and Exchange Commission on October 13, 2011 is likely to increase sales.  The report begins simply enough:

For a number of years, registrants (companies who register their securities with the SEC) have migrated toward increasing dependence on digital technologies to conduct their operations. As this dependence has increased, the risks to registrants associated with cybersecurity has also increased … As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.

The “guidance” report goes on to specify five “suggested” disclosures that may be “appropriate” to companies trading with securities registered with the SEC.  The fifth suggestion is the one that caught the eye of the insurance industry.  It reads simply:

Description of relevant insurance coverage.

This is the first time that I am aware that the SEC included insurance in one of their guidance reports.  The SEC tends to start investigations 18-24 months after issuing a guidance report. It is difficult to imagine how a general counsel would be able to meet this disclosure without an investigation, at least, of specific cyber insurance.  This is especially true given that over the course of the last few years, general liability underwriters have continued to tighten up any language in a general liability policy to a point where an insured would be foolish to even think the policy applies to cyber risks.3

Thus, it is then perhaps not surprising that the Betterley 2012 market report stated “we think this (cyber) market has nowhere to go but up.”  Although, they quickly qualified,  “as long as carriers can still write at a profit.”

And With A Private-Public Partnership There Is Even More Potential

Unlike many other countries, 80% or more of the critical infrastructure of the United States is in private hands.  As we have seen in the last year, cyber attacks are increasingly being brought by companies associated with hostile nation states.  Cyber-terrorism – even cyber-war – is close at hand and, in some minds, is already here.  The insurance industry can and should play a vital role in providing private sector incentives to foster increased network security in the critical infrastructure.  However, the insurance industry cannot do this alone.  The answer lies in a private-public partnership between the insurance industry and the federal government.  Productive discussions are already underway between the Department of Homeland Security and the insurance industry with specific proposals to safeguard and enhance our country’s security being reviewed.

For more details on the need for this public-private partnerships, and what is going on to bring it about, stayed turned for our next article.

1 Universities Face a Rising Barrage of Cyberattacks

2 Cybersecurity

3 While from time to time, this is tested by insureds (see Sony vs. Zurich), almost all commentators have admitted that the “die is cast.”

Am I Covered For Cyber-Terrorism?

Are you covered for cyber-terrorism? If you have not purchased Cyberliability insurance, the answer is likely no. A General Liability policy needs bodily injury, property damage or possibly an advertising injury to respond. Property insurers don't view data as tangible property, and a property policy needs a peril like wind, fire or hail to respond to a loss. Crime policies cover embezzlement by employees. In the event of a cyber-terrorism loss, you can look to all of these policies for coverage, but there is only one policy that is designed specifically for this type of exposure — Cyberliability.

The next question is, what constitutes cyber-terrorism? When you think of activities committed by a terrorist, your first thoughts might be actions that lead to death or destruction of property. There are other ways terrorists can inflict harm, including through electronic means.

Below are scenarios that might be covered by a properly structured Cyberliability policy:

Sadly, the array of bad things for a terrorist to try extends far beyond the items listed above. They are out there working on ways to cause mayhem without leaving the comfort of wherever they may call home.

  1. Hackers funded by a foreign government get into your insured's network and cause private information to be leaked into the public domain.
  2. Hackers funded by a hostile party hijack an insured's network and computers and use them to cause a denial of service attack against other third parties, who then sue the insured for not preventing such an event.
  3. Unnamed hackers from a foreign nation deliver a virus to an insured's network and wipe out 30,000 company laptops causing a business interruption loss.
  4. Foreign-sponsored hackers launch denial of service attacks at everyone in the insured's industry in retaliation for some action taken by our own government. The business interruption may be covered, as well as a security breach arising from the attack.
  5. Hackers penetrate the control system for a manufacturing client's assembly line and prevent them from producing their product.
  6. Hackers replace a client's website with offensive or politically motivated content that causes people to sue for emotional distress, libel or slander.
  7. Hackers penetrate an insured's network and threaten to release private records or intellectual property.

To most insurers, it won't matter who is behind the security breach. The hackers can be foreign-sponsored, the kid next door, a disgruntled former employee or an organized crime gang. Coverage should apply regardless of who funded the attack. Cyberliability insurance policies are there to respond to liability claims arising from a security breach as well as some first-party expenses. There are also policies that include coverage for data restoration expenses and business interruption losses.

You probably won't see a policy that states, “You are covered for cyber-terrorism;” however, you should look for any definition of what constitutes a hacker. We have yet to see any definition that differentiates between prankster hackers, criminal hackers, political hackers, organized crime hackers or any other group. It is in the policyholder's favor that the definition isn't limited by a detailed description.

Most policies will be silent regarding the origin of the network attack; it remains your responsibility to be vigilant for any terrorism exclusion as well as acts of war exclusions. If you have been reading the newspapers lately, you have seen articles alleging that other nations have sponsored network attacks against companies and defense contractors in the United States. Some of those alleged foreign nations include Iran, China and North Korea. Our government hasn't classified those as acts of war, but at some point those actions could be deemed a precursor to war. A declaration of war usually requires a vote by Congress, which could take months, meaning that an insurer would likely have to wait to respond until the point a formal declaration of war is made. Insurers aren't intending to cover an aspect of war between two countries, but if an insured's computer network is collateral damage, they should provide coverage for the damages and liability.

A commonly asked Cyberliability question concerns the theft of intellectual property by a foreign nation, company or other party. Unfortunately that first-party loss is not contemplated in current Cyberliability insurance policies. There are intellectual property policies out there designed to defend and enforce patents, but it can be challenging to prove who took the information and how to find them. Those policies usually respond to claims once a competing product with the same or similar design(s) is sold on the open market. The theft of digital blueprints may not be enough to trigger these policies. There are also issues regarding the enforceability of intellectual property rights outside the United States.

A quick search of our major metropolitan newspapers shows that a number of industries are in the sights of a variety of hacker groups. The current list of primary targets includes financial institutions, power companies and defense contractors. In light of these ongoing activities of terrorists and state-sponsored hackers, it remains a good time to look at Cyberliability insurance. Your clients may not specifically be targeted by cyber-terrorists, but their network could suffer collateral damage or be used to inflict damage upon others.