A Blog by Jonathan Low

 

Sep 20, 2017

Insurance Coverage Options Grow For Cyberattacks

New risks require new solutions. And reflecting the nature of the increasingly digital economy, policies cover intangibles like reputation, as well as more tangible threats. JL


Adam Janofsky reports in the Wall Street Journal:

Once largely limited to tech firms, cyberinsurance has emerged as the fastest-growing type of coverage among U.S. companies. The policies cover financial losses from different kinds of attacks—from theft of data to extortion using ransomware—as well as recouping damages from a tainted reputation and stolen money. The benefits of insurance go beyond the coverage itself. Going through the process of purchasing cyberinsurance can make a company more secure, because the audits may alert a business to a risk or technology of which it wasn’t aware.
As the threat from hackers grows, businesses are hoping that cyberinsurance will provide a new line of defense.
Once largely limited to technology firms, cyberinsurance has emerged as the fastest-growing type of coverage among U.S. companies. The policies are designed to cover financial losses from different kinds of attacks—from theft of data to extortion using ransomware—as well as recouping damages from a tainted reputation and stolen money. Many carriers are also trying to distinguish themselves by offering tools and services to help firms respond quickly to cyberattacks or prevent them.
Security experts, of course, caution that insurance shouldn’t be seen as a replacement for good cybersecurity measures, because data breaches and cyberattacks can cause lasting damage that is difficult to recoup. And it isn’t even clear what kind of claims will be allowed or not allowed.
“There’s so much new coverage out there that hasn’t been tested,” says Tim Francis, a vice president and enterprise lead for cyberinsurance at Travelers Cos. “One day there will be certain claims and we’ll figure out if the words we used to convey coverage actually say what we thought they meant, which is often up to a lot of lawyers.”
A growing market
The market for cyberinsurance has soared in the past several years. In June, Fitch Ratings said the industry grew by 35% in 2016, with total premiums of $1.35 billion. The ratings firm added that it “likely underestimates” the industry’s size, because it is difficult to break out cyberinsurance coverage from multifaceted policies. Researchers from Allied Market Research predicted that demand for cyberinsurance will continue to boom in coming years, and forecast that the global market may reach $14 billion by 2022.
Headline-grabbing breaches at organizations like Yahoo Inc., the Democratic National Committee and Equifax Inc. account for part of that growth, insurance experts say, but many companies are also purchasing cyberinsurance in response to new laws such as the European Union’s General Data Protection Regulation that takes effect in May 2018. “There has been a legal imperative, and along with that, company awareness of the issue has grown,” says Claire Wilkinson, a consultant to the Insurance Information Institute Inc., a New York-based trade group, and an author of several white papers on cyberinsurance.
Twenty years ago, insurers offered only policies that covered things like coding errors and other software accidents that could bring down a company’s networks, according to Ms. Wilkinson. Now, cyberinsurance can cover a vast array of computer-related risks, and insurers have introduced policy riders designed for small firms.
New breaches and attacks “accelerate the need for cyberinsurance, and carriers have innovated in response,” says Ms. Wilkinson.
One recent example is the influx of ransomware attacks, in which a computer is locked until the victim pays a demand. In May, hundreds of thousands of computers running outdated operating systems were infected with the “WannaCry” ransomware, and in June several major organizations were infected with a variant of the “Petya” ransomware that security researchers say was particularly destructive.
One victim of the June attack, shipping conglomerate A.P. Moller-Maersk A/S, says it will cost the company between $200 million and $300 million because system shutdowns halted a large part of the firm’s operations.
Insurers say the evolution of ransomware has been a wake-up call that would likely change how carriers structure their policies. “Our policies covered cyberextortion for years, but if you asked me five or 10 years ago what that would look like, it would be a disgruntled ex-employee who had a back door to the system,” says Mr. Francis, adding that there were relatively few victims. “Now we have ransomware, and we have to figure out how that [affects] how we price policies. That wasn’t something we worried about, because it just didn’t happen.”
Ransomware is only one of many new threats that have led to the creation of new policies. For instance, insurers offer coverage for property damage and bodily injury coverage due to cyberattacks on critical infrastructure operators, transportation companies and oil and gas firms.
Some of these risks may be covered under other kinds of insurance policies—businesses with kidnap and ransom insurance occasionally use it to recoup losses from ransomware, for example. But insurance experts say such policies weren’t designed with cyberrisks in mind, and will likely be disputed as stand-alone cyberinsurance products emerge.
A wide effect
Some insurance providers and industry experts argue that the benefits of insurance go beyond the coverage itself. Going through the process of purchasing cyberinsurance, they say, can make a company more secure, because the audits and questionnaires may alert a business to a risk or technology of which it wasn’t aware. And getting a policy can be an incentive for companies to commit to security measures such as firewalls, encryption and regular software updates, to keep their premiums low.
“It is the same as lowering your homeowners insurance by having an alarm system in your house,” says John Jacobus, partner at the law firm Steptoe & Johnson LLP and an expert on cyberinsurance disputes.
But experts caution that cyberinsurance shouldn’t be seen as a replacement for rigorous security precautions. Data breaches and cyberattacks can often cause lasting damage in the form of lost customers or a destroyed reputation, and cyberinsurance in some situations will cover only a fraction of the costs.
In June 2014, for example, the restaurant chain P.F. Chang’s China Bistro Inc., which paid a $134,000 annual premium for cyberinsurance, learned that hackers had stolen the credit-card numbers of 60,000 customers. According to court documents, the restaurant was reimbursed more than $1.7 million by the insurer for costs such as a forensic investigation and litigation, but had to pay $1.9 million in fines levied against it by its credit-card processing vendor.
