Cyber threats are dramatically expanding—both in methodology and targets. Organizations of all sizes and types now face varied and rapidly evolving cyber threats. In the past, cybercriminals targeted large companies possessing extensive personal information and health records. Criminals have expanded their reach far beyond these companies, however, making cyber risk mitigation a significant priority for all organizations.
Due to these increasing threats, companies are devoting more time and resources to cybersecurity. Nevertheless, even the best cybersecurity cannot prevent all cyber attacks. Because risk remains, many organizations are supplementing their cybersecurity measures with cyber insurance. Cybersecurity professionals can provide valuable input in their companies’ procurement of cyber insurance, and should be involved in all phases of cyber insurance procurement and management.
Today’s Key Cyber Risks
Organizations today face more diverse cyber threats than ever before. Attacks are becoming increasingly sophisticated and hard to detect. While the potential range of cyber threats facing companies is almost endlessly diverse, cybercriminals increasingly utilize the following six methods to harm their targets:
- Business Email Compromise (BEC) scams
- Distributed Denial of Service (DDoS)
- Data Breach
- Theft of Intellectual Property
- Destruction of Damage to Computer Systems
Each of these threats have caused significant losses to target companies.
BEC scams are simple: A cyber thief uses fraudulent emails and other forms of communication to convince employees to transfer funds to the thief. These scams can take multiple forms. In some attacks, the thief “spoofs” an email address of a senior company official and requests a payment. (Email spoofing is simply tricking an email program to make an email appear like it came from someone else.) In other attacks, the thief accesses a client or vendor email system and sends an email from a legitimate account changing payment instructions for an existing account payable. In a similar attack, cybercriminals at a medical service provider defrauded a health insurer by creating a fraudulent account and submitting invoices for phantom medical services. These scams can impact any type of company, but are particularly troubling for companies that handle funds and make payments on behalf of clients or customers.
News and awareness of ransomware attacks have increased significantly following the 2017 “Wannacry” attacks. Ransomware is malicious software that prevents access to computer systems or data (often by encryption) unless the attacker receives the requested ransom. These attacks often require rapid payment (sometimes within minutes or hours) and usually in bitcoin or another cryptocurrency. Ransomware attacks can cause significant issues for companies that do not maintain extensive data backups. Companies electing to pay the ransom must also trust that their attackers will actually return access to the data or system after the payment is made.
DDoS attacks prevent access to websites by flooding them with simple requests, creating a virtual traffic jam. For organizations that require constant web access (such as online retailers, content providers, high volume traders, and banking institutions) loss of access can disrupt business with resulting losses that increase by the minute. According to the Information Technology Intelligence Consulting Research, the average loss per hour of downtime is $100,000 USD, with 81 percent of firms surveyed indicating that losses for an hour of downtime could exceed $300,000 USD. DDoS attacks can be, but are usually not, targeted at a specific company; however, even untargeted attacks can cause losses. The DYN DDoS attack, for example, affected web access to many sites across North America and Europe.
Data breaches are theft or loss of personally identifiable information (PII) and personal health information (PHI). The manner of theft or loss can vary significantly (lost USB drive, security breach, stolen paper records), but the impact is the same: $225 per stolen or lost record, according to the Ponemon Institute. This risk is not limited to companies that process online transactions—even companies that are entirely B2B may have access to client consumer data and will have, at a minimum, employee records.
Theft of IP
Loss of intellectual property (IP) is, for some companies, the hardest potential threat to measure. For companies that trade or profit on a competitive advantage gleaned from proprietary systems or programs, publication of that protected IP is devastating. For creative IP, the pirating or early release of the product can significantly reduce profitability.
Destruction or Damage to Computer Systems and Physical Property
Finally, with sufficient access to company computer systems, attackers can purposefully or inadvertently damage or destroy computer systems and other physical property. The loss of computer systems and other physical property can lead to business interruption and lost profits in addition to physical loss or damage.
Procuring Coverage for Cyber Risks
Cybersecurity professionals are responsible for designing and implementing cybersecurity programs that prevent cyber attacks and reduce company losses. Because of the dynamic nature of cyber threats, however, even the most robust cybersecurity programs cannot avert all cyber attacks. Cyber insurance provides an additional layer of protection both through cyber breach response tools and financial protections for losses arising from cyber attacks. Because of the important role of existing cybersecurity programs and the need to understand each organization’s cyber risks, cybersecurity professionals can provide valuable input in the following stages of cyber insurance procurement and management.
Cyber Insurance Application
During the application process, insurers will evaluate companies’ cybersecurity protocols, including data breach response plans. Insurers may require companies to make certain representations regarding their cybersecurity protocols; these representations typically require input from cybersecurity professionals. Cybersecurity professionals should review the application forms and provide any technical responses required.
Proof of PCI Compliance
Cybersecurity professionals can confirm their companies’ compliance with payment card industry (PCI) standards; insurance companies require proof of PCI compliance before paying losses arising out of the unauthorized disclosure of credit information.
Insurers offer various breach response services as part of cyber insurance. Cybersecurity professionals can compare the breach response services offered by various insurers and advise on the scope of services offered and the quality of the vendors. This assessment is particularly important to companies that rely more on the vendors provided by insurers rather than their own outside vendors.
Tailoring Coverage Grants to Cyber Risks
Companies that have surveyed the threat landscape and identified key risk exposures are best positioned to purchase cyber insurance responsive to those exposures. Cybersecurity professionals can advise their organizations on the potential responsiveness of cyber insurance policies to cybersecurity threats. To better assist with cyber insurance procurement, cybersecurity professionals should understand the basic coverage grants incorporated into cyber insurance policies.
Coverage grants vary across cyber insurance policies and can include coverage for computer fraud and theft, cyber business interruption, cyber remediation, liability (including defense costs) resulting from a cyber event, regulatory costs, and PCI penalties.
Computer fraud and theft coverage pays for losses sustained as a result of unauthorized access to electronic systems or data.
Cyber business interruption coverage pays for losses resulting from a cyber event that prevents normal business operations, such as a DDoS attack that restricts web traffic or a ransomware event that shuts down servers, preventing potential customers from accessing the affected services.
Remediation coverage pays for response costs following a cyber event (investigation, public relations, customer notification, and credit monitoring).
Liability coverage pays defense and indemnity costs resulting from network security events (unauthorized access to systems causing injury to third parties), privacy events (exposure of confidential information), and media liability (advertising injury and copyright or trademark infringement).
Regulatory coverage pays defense and investigation costs for regulatory investigations and claims resulting from cyber events (or failure to properly handle a cyber event).
PCI coverage pays for liability to credit card issuers arising out of unauthorized disclosure of credit information (and, as noted above, generally requires proof of compliance with PCI standards).
Cybersecurity professionals should pay particular attention to the definition of “computer systems” in cyber insurance policies. Those definitions vary significantly across insurers, and because a significant portion of cyber coverage is tied to “computer systems,” these variances can dramatically impact coverage.
Finally, coordination between cybersecurity professionals and their counterparts responsible for cyber insurance procurement is not a one-time event. Policies typically renew annually; cybersecurity professionals should be engaged every step of the way during the renewal process to ensure accurate responses on applications, compliance with policy conditions, selection of cyber policies with preferred vendors, and procurement of cyber insurance policies responsive to risks facing their organizations. Because of the complexity of these coverages, cybersecurity professionals and risk management professionals should work closely with their organizations’ legal departments or outside counsel to maximize their cyber insurance premium dollar.
Katherine J. Henry is a partner in the Washington, D.C., office of Bradley Arant Boult Cummings LLP and chair of the firm’s Policyholder Insurance Coverage team. She regularly advises Fortune 10 and other companies on complex insurance programs involving manuscript and specialty policies, including cyber insurance programs, and advises on coverage and liability issues involving emerging technologies. Katherine also is a member of Bradley’s Cybersecurity and Privacy team.
Brendan W. Hogan is an associate in Bradley’s D.C. office and focuses his practice in the areas of policyholder insurance coverage, emerging technologies, and construction.