Cyber Insurance: Many Choices Now That There Is No Choice
Every organization, of every size and operational orientation, needs cyber insurance to manage its exposures in this age of networked information.
That was one thing speakers agreed on at the recent 2017 Cyber Liability Symposium held by the Professional Liability Underwriting Society (PLUS).
No organization is off the radar for bad actors who relentlessly seek the weakest links for accessing valuable personal and financial information, threatening to shut down an operation, or seeking to do physical damage.
For example, said Robert Anderson, a managing director for Navigant, the health care sector is now under siege from “rampant” attacks by “ransomware,” malicious computer coding that essentially captures or disables an organization’s information assets until a ransom is paid.
“It’s not just payroll that’s affected,” he said. “You can’t do surgery. You can’t do dialysis. Every aspect of the institution is tied up.”
In a subsequent session, attorney Jennifer Coughlin, a partner in Mullin Coughlin LLC, commented, “Did we ever think hackers could take down an MRI? At one care facility, they took down the patients’ tracking anklets. For some time, they couldn’t find two patients. That’s a big deal.”
As cyber attacks and data breaches become more common, organizations “victimized” by an attack will find themselves under potentially harsh scrutiny for their level of security and preparedness. “If you suffer a major breach, it’s an investors’ event, it’s a board event,” said Brad Gow, global cyber product leader for Endurance.
Cyber vulnerabilities will almost certainly increase exponentially as the Internet of Things (IoT) expands. Today, there are now more equipment sensors and related devices connected to the Internet than cell phones, and Zurich estimates there will be more than six connected devices per person worldwide by 2020.
As a reflection of the spread of “smart” technology, symposium keynote speaker Pieter Zatko noted that a current fighter jet has 3,500 components that are directly or indirectly connected to the Internet. Zatko, known by the nickname “Mudge,” is a renowned hacker who has worked for the federal government and now serves as director of the Cyber Independent Testing Lab (CITL).
Adding to the pressure on organizations is the increased attention federal and state regulators are devoting to cyber security.
Symposium attendees heard several references to “OCR” and “NIST,” the federal Office of Civil Rights and the National Institute of Standards and Technology, respectively. OCR, a branch of the Department of Health and Human Services, is entrusted with promoting NIST standards with regard to the security of individuals’ health information.
Speakers expressed hope that the Trump Administration would relax OCR activity in this regard, but there was no indication of that yet.
“I’ve seen OCR step up its involvement [in recent years],” said Jennifer Coughlin. “The states are also more comfortable starting [cyber-security investigative] proceedings the past few years.”
“We were hoping for [the OCR] to step back [since President Trump’s inauguration], but unfortunately that’s not happening,” added Kimberly Horn, global focus group leader for Beazley breach response and information security claims.
As regulators consider whether to require organizations to obtain cyber insurance, a growing number of companies are requiring their business partners to do so. These requirements raise a fundamental question, according to Angela Gleason, senior counsel for the American Insurance Association: “What constitutes cyber insurance?” she asked. “Would standard data breach coverage suffice, or is something more needed?”
As organizations increasingly recognize the imperative of purchasing cyber insurance, they are still confronted with a complex variety of policy forms and coverages, and a daunting application process.
Cyber insurance is available from about 70 carriers, most of them with very different coverage features, according to Stephanie Snyder, national cyber sales leader for Aon. “When you look at coverage offers and review the triggers, definitions, and exclusions, it really runs the gamut.”
Moreover, she added, cyber risk changes from month to month, as do an organization’s exposures for digital assets, and the methods and systems for securing those assets. Given all this complexity, Snyder said even organizations that have purchased cyber insurance “may not have the appropriate coverages” when claims come in.
For example, she noted, retailers need coverage for breaches or violations of Payment Card Industry Data Security Standards, better known as “PCI DSS.” The presence or absence of a single coverage like that can be overlooked, however, when applicants are considering comprehensive packages.
Things are starting to improve for cyber insurance buyers, however. For one thing, “we’re starting to see policies come together;” i.e., become more standardized, according to Snyder.
Also, insurers recognize they can no longer compete effectively using applications with a “list of 100 questions,” said David Gilmore, director of business development for Symantec. Yet, he added, “there’s no three-question magic bullet either.”
Sales of cyber-insurance are bolstered by a slowly changing attitude toward the coverage among IT professionals.
Whereas IT professionals once considered cyber-insurance as unnecessary, or implicitly critical of their work, Snyder noted that “there’s been a change in IT professionals’ perception of cyber-insurance. They now understand how cyber-insurance is a backstop that protects them.”
“Cyber insurance is a part of cyber security,” added Gilmore from Symantec, an important acknowledgement from a leader in cyber-security.
The purchase of cyber-insurance coupled with risk control and event response services is becoming a routine part cyber-security planning, according to Kevin Kirst, director within the forensic technology practice of PricewaterhouseCoopers.
Given resource constraints, Kirst said that even highly sophisticated IT operations must choose between mission-critical cyber risks they must manage themselves and risks they can transfer. For some organizations protection of personally identifiable information of customers will be a top priority for maintain customer confidence and avoiding regulatory sanctions. For others, avoiding disruption of operations will be the top priority.
Adding to the complexity of the process is the daunting array of cyber-security programs available from IT vendors.
There are more than 600 products on the market for protecting digital assets, said Shaun Brady, executive director of the Center for Model Based Regulation. Some large organizations utilize and manage more than 100 of them.
Acquiring cyber-security software is no guarantee that one will be protected from breaches, however. Zatko’s Cyber Independent Testing Lab rigorously examines networked applications for security vulnerabilities, and has concluded that “about a third of the vulnerabilities are vulnerabilities of security software we have installed to protect our systems.”
For all organizations, therefore, the most important factors in loss control continue to be well-established and well-communicated employee data management practices, reinforced by staff training and stringent individual accountability for lapses.
“Some of our clients push down accountability to the business units,” said Kirst of PricewaterhouseCoopers. “The business unit manager should be responsible.”
Cyber-insurance may do little good for an organization, however, if the organization does not immediately recognize an attack or breach and notify the insurer. On this score, some IT departments are still slow to act, believing they can handle the problem themselves, or that reporting an incident will be seen as acknowledging an error on their part.
“There’s a real disconnect sometimes between frontline IT and the risk manager,” said Kim Horn of Beazley.
Horn shared an anecdote of a client that had contracted for credit monitoring service and engaged a forensics firm and several lawyers before notifying the cyber carrier of a breach. It turns out that the cost of most of those services fell unreimbursed to the client, as those services were not covered under the policy.
“It could have been so much better if they had come to us first,” she said. “It you work with your carrier, your whole response might be covered. At least you will be acting with an informed view when you respond.”
Horn’s observations were echoed by Brad Vatrt, assistant vice president for cyber, media, and technology for AIG. It’s common, he said, for an IT department to “sit on” a breach report, and then try to address it, before reporting it to upper management. “Now we’re not dealing with a claim a few hours old but a few days old,” he said. “[Response] work may have already begun, some of it not covered.”
“The sooner you call the carrier, the better,” said attorney Coughlin in her remarks. “The longer you wait, you’re losing evidence, perhaps over-notifying people, and perhaps giving the wrong notice information.”
While an incident must be reported immediately, the response should not start, if possible, until the principal actors under the nature and extent of their cyber coverage.
“You need to understand how those coverages [in a cyber policy] relate to each other,” Vatrt said. “You have multiple retentions and multiple waiting periods. Know the costs [of notice and remediation] but also know how those costs are allocated under the policy.”
By now, no one should feel embarrassed at being the target of a cyber attack, even a successful one, as long as their response is prompt and effective.
“Attacks keep happening, and we can’t stop them completely,” said Matt Shabat, director of performance management for the U.S. Dept. of Homeland Security. The key question, he said, is “what do I do when that breach occurs?”
By Joseph S. Harrington, CPCU, ARP | April 12, 2017