The cyber risk landscape is evolving rapidly in many areas and those looking to address the risk through insurance should understand that certain policies generally do not provide coverage following an attack, cautions a new white paper released Monday by the Insurance Information Institute (III).
“The potential economic fallout from the cyber threat cannot be underestimated. Economic thought leaders have warned of a digital disintegration, a scenario in which cyberspace could be completely undermined due to strengthening attacks where the Internet is no longer a trusted medium for communication or commerce, at a huge cost to economies and society,” notes the 27-page white paper, citing Global Risks 2014, Ninth Edition, by the World Economic Forum.
The paper, Cyber Risks: The Growing Threat, was co-written by III president Robert Hartwig and Claire Wilkinson, author of the institute’s award-winning blog.
The total number of data breaches and the number of records exposed fluctuate from year to year and over time, the authors write. That said, numbers soared in 2013, with the Identity Theft Resource Center reporting that 614 organizations across the business, financial, educational, government and healthcare sectors publicly disclosed breaches that exposed almost 92 million records. Most of the 614 data breaches affected business and medical/healthcare organizations.
By sector, notes a chart in the report, 43.8% of the aforementioned breaches were in medical/health, 34.4% in business, 9.1% in government/military, 9% in educational, and 3.7% in banking/credit/financial.
With regard to number of records exposed, another chart shows that 84% of those were in business, 9.6% in medical/healthcare, 3.5% in educational, 2% in government/military and 0.9% in banking/credit/financial.
The 614 publicly disclosed data breaches compare to 449 during 2012, 419 during 2011 and 662 in 2010. As of May 27, 2014, the paper notes, 311 data breach events have been publicly disclosed, with 8.5 million records exposed.
“Yet despite the large number of reported breaches, the actual number of breaches and exposed records is without a doubt much higher as many, if not most, attacks go unreported,” the authors write.
There are also important questions around “whether and how adequately businesses are protected by insurance coverage in the event they suffer a loss due to a cyber attack,” the paper states.
Citing statistics from the Ponemon Institute, the paper breaks down external cyber crime costs for fiscal 2013 as follows: information loss, 43%; business disruption, 36%; revenue loss, 17%; equipment damages, 4%; and other costs (includes direct and indirect costs not allocated to a main external cost category), 0%.
The Ponemon study indicates the average time to resolve a cyber attack in 2013 was 32 days, with an average cost to participating companies of a little more than US$1 million over that timeframe. This represents a 55% increase from the estimated average cost of US$591,780, based on a 24-day resolution period, the previous year. “Results show that malicious insider attacks can take more than 65 days on average to contain,” the paper notes.
III cautions that a commercial general liability (CGL) or a standard business owner’s policy (BOP) generally does not offer coverage following a cyber attack.
“While traditional insurance policies typically have not handled these emerging risks, limited coverage under traditional policies may be available,” the authors write. “For example, in general, there would be coverage under a traditional property insurance policy if a cyber incident resulted in a covered cause of loss, such as fire that caused property damage.”
Specialized cyber risk coverage is available primarily as a stand-alone policy, the paper notes. “Each policy is tailored to the specific needs of a company, depending on the technology being used and the level of risk involved. Both first- and third-party coverages are available.”
The III statement notes that stand-alone cyber risk policies cover many of the expenses that emerge from the cyber theft of personal information or trade secrets. Among others, the coverages include the following:
Business interruption – covers loss of business income resulting from a cyber attack on a company’s network that limits its ability to conduct business;
Crisis management – covers the cost of retaining public relations assistance, or advertising, to rebuild a company’s reputation after a cyber attack;
Loss/corruption of data – covers damage to, or destruction of, valuable information assets as a result of viruses, malicious code and Trojan horses;
Data breach – covers the expenses and legal liability resulting from a data breach, such as the costs needed to comply with regulatory requirements or to address customer concerns; and
Liability – covers defence costs, settlements, judgments and/or punitive damages incurred by a company as a result of a data theft, transmission of a computer virus and failure of its computer security system, as well as allegations of copyright or trademark infringement, libel, slander and defamation.
“Despite the fact that cyber risks and cyber security are widely acknowledged to be a serious threat, many companies today still do not purchase cyber risk insurance,” the paper notes. “However, this is changing. Recent legal developments underscore the fact that reliance on traditional insurance policies is not enough, as companies face growing liabilities in this fast-evolving area.”