It has taken years for corporates and insurers to grasp the complexity of cyber risk, but progress is undeniable. Melodie Michel looks at how cyber insurance really works.

In our May/June 2015 cover story, GTR explored the threat of cyber-attacks on financial institutions, particularly in the trade finance sphere. At the time, cyber insurance products were already in existence, but few people believed in their efficiency in the case of a breach.

But a year on, it appears that the insurance sector has grasped the complexity of the cyber threat, and fine-tuned its products to match it.

This is reflected in the significant growth experienced by the industry in the last two years: standalone cyber insurance purchases among US-based Marsh clients increased by 27% from 2014 to 2015, after a 32% year-on-year uptick in 2014 and a 21% increase in 2013.

Perhaps surprisingly, the largest growth in demand was observed in the manufacturing sector (63%), which may have something to do with the way Marsh breaks down cyber risks for its clients. “When we talk about cyber risk we talk about two things: the risk associated with handling or collecting confidential information, and the risk associated with a company’s dependence upon technology, [not only] for their security and handling the data, but also for their simple ability to function on a day-to-day basis. Every company is now incredibly dependent upon different levels of technology, whether it’s their own, a third-party provider’s or the cloud,” Bob Parisi, Marsh’s US cyber risk product leader, explains to GTR.

Indeed, while most of the breaches that have made headlines to date have been data-related, insurers have observed a spike in ransomware attacks, which block access to a computer and therefore interrupt operations until a sum of money is paid – a method previously targeting mostly individuals, but which is growing in the corporate space.

Demand for cyber insurance also reflects jurisdictional differences: while in the US, companies are more concerned about privacy breaches – Marsh reports that sub-limits for privacy notification costs and regulatory costs are trending upwards, with many exploring renewal options with full limits for these covers – in the UK it is protection against ransomware that is growing.

“The awareness on the data breach side is higher in the US, and the potential ancillary costs are higher because of the regulatory environment. You’ve got a variety of state breach privacy notification laws, you’ve got federal laws regarding the handling or disclosure of information, all of which require a certain amount of disclosure activity. The minute you make those disclosures, you then typically have litigation filed on the back of that,” says Parisi.

The European Union (EU) recently approved a reform of its personal data directive, making it mandatory for companies to disclose breaches and therefore bringing its legislation closer to the US’, but Parisi believes that this measure – due to be implemented in May 2018 – won’t lead to the same amount of court cases as in litigation-hungry America.


Comprehensive coverage

So what exactly can cyber insurance do for companies? Coverage ranges from the costs directly incurred by the insured as a result of the incident – loss of revenue due to business interruption, cost of restoring data or systems after the attack, as well as legal and public relation expenses; to third-party claims – such as settling legal action initiated by the individual affected or paying regulatory penalties.

According to Parisi, the market has the capacity to provide close to US$1bn of coverage limits for any entity, though the largest purchases have so far hovered around US$500mn.

Stephen Ridley, UK head of cyber at Hiscox, has observed slightly smaller amounts: “We as a company can provide up to £10mn worth of cover, but in the broader market we’re seeing some companies towering their insurances, buying several policies to reach £150-£200mn-plus of coverage,” he tells GTR.

As for costs, they vary widely depending on the size and nature of companies – from a few hundred pounds a year for SMEs to hundreds of thousands for large corporates.
Of course the efficiency of insurance is only measured when things go wrong, and here again it would appear that things are evolving. In its 2015 Cyber claims study, cyber risk assessment firm Net Diligence analysed 160 claims which occurred in the US between 2012 and 2015 and concluded that data breach response costs for an uninsured organisation could be up to 30% higher than costs for an insured organisation.

Asked how many claims the firm has had to pay since the relaunch of its current cyber insurance policy in the UK two years ago, Hiscox’s Ridley replies: “Too many!” He adds that so far in 2016 there have been 30 to 40 claims, ranging from small ransomware incidents to “much more significant claims”.

The Net Diligence report reveals how wide the claim gap can be: while the overall average claim was US$673,767, for large companies that number went up to US$4.8mn, while in the healthcare sector it was US$1.3mn – still very far from the US$500mn the largest companies buy coverage for.


Crisis management

Some of the largest costs associated with a cyber breach are those of crisis management. Net Diligence reports that the average cost for crisis services in the US is US$499,710. These involve forensics, notification, monitoring, legal guidance and public relations, amongst others, and this is where cyber insurance can make a difference.
“Companies don’t just get a cheque,” says Ridley. “We provide access to experts to go in and handle an issue for our clients: the legal firms, PR consultancies etc, and manage all of that process with certain vendors that we have a retainer for. We have a 24/7 claim response line for our cyber product, so that whenever an issue arises they can get on with dealing with it straight away. It doesn’t need to go through normal claims process which can be pretty slow with a lot of insurers.”

While Marsh’s Parisi admits that reputational risk is “close to being uninsurable”, he points out that the services provided by crisis management teams as part of a cyber insurance policy – and paid for by the insurer up to the limit agreed – can make a tremendous difference in the future of a company after a breach.

This can be illustrated in the study of two of the most high-profile breaches to have hit US retailers in recent years. In 2013, about 40 million account holders were compromised by hackers who infiltrated clothing retailer Target’s accounts via its card payment system. About a year later, it was 56 million account holders who were affected in exactly the same way, this time through DIY firm Home Depot. In many ways, Home Depot’s attack was worse: not only did it affect more people, it took place over a staggering five months before being detected – compared to just three weeks for Target. Yet Target’s stocks were still dropping a year after the attack, while Home Depot’s barely budged.

Target’s response to the breach is now used as a prime example of what not to do in the case of a cyber-attack: the retailer did not notify customers immediately, preferring instead to start working with banks behind the scenes. This led to unjustified limits on card purchases and general incomprehension.

It then made a number of conflicting statements in the press, notably around pin numbers – initially assuring none had been stolen and later retracting that statement. Its response was perceived as insufficient and dishonest, and led to the stepping down of its chief information officer and even its CEO.

In comparison, Home Depot confirmed rumours of a breach almost immediately, but kept its statement short, saying it was investigating with the appropriate authorities and avoiding speculation. The cost of handling the breach was similar for both firms – around US$160mn, but brand image and reputation was much more damaged in the case of Target.


Financial sector growth

The corporate world is slowly but surely adjusting to the reality of the cyber threat, realising that it is a risk to be managed rather than a problem to be eradicated, and this awareness is spreading to the financial sector.

In its cyber insurance benchmark report, Marsh reported 28% growth in uptake from financial institutions in 2015, as well as an increase in the average limits purchased by the sector, from US$51.8mn in 2014 to US$61mn a year later.

Financial services were also the second-most affected sector in Net Diligence’s claims report, with 27 claims (compared to 34 for healthcare and 21 for retail).

Worryingly, the financial sector was largely affected by insider threats: while only representing 17% of the claims, it accounted for 22% of insider incidents. This type of threat is recognised by the insurance community: Hiscox’s Ridley confirms that the data breaches covered include hacking but also “employees maliciously or negligently mishandling data, digital or paper-based records”.

According to Ryan Stolte, chief technology officer at cyber protection software company Bay Dynamics, the financial sector is a step ahead of other industries as it has always had some kind of anomaly detection in place, but it only recently started to expand that to third-party vendors – another factor of vulnerability that is increasingly at the centre of the cyber discussion.

“One thing that we see from the attackers is that they definitely follow the path of least resistance: They’ve determined that, because there is such a big ecosystem of third-party suppliers and dependencies out there [not only] within a particular market but also globally, they can come in through a different door and still make it through to an important target,” he tells GTR.

Regulators, particularly in the US, are now working on liability standards for contracts with third parties, and this is being reflected in the insurance sector. “We’re seeing it becoming a contractual requirement to carry insurance much more frequently, and that’s something that seems to be filtering from the US. Companies are now saying
‘if we’re going to entrust you with our data, you have to make sure that you have adequate cyber insurance in place’,” says Ridley.


Auditing process

Insurance has come a long way in its understanding and handling of cyber breaches in recent years, but one area that may require further improvement is the assessment of companies’ risk before wording policies.

Parisi explains that Marsh provides a self-assessment tool based on ISO standards, and engages the various stakeholders responsible for risk within a company to make sure everyone understands what’s involved.

At Hiscox, Ridley breaks down the assessment type according to company turnover and limits requested: simple statement of facts for companies under £10mn of turnover and “more explicit questions” for mid-sized companies. “At the very large end of things, so typically around the tens of thousands of pounds of premium, we use the services of an IT security consultancy to undertake an audit of our insured,” he explains.

The problem in assessing risk may lie in the multitude of data protection tools bought by any one company, and whether or not they have been implemented correctly. “We keep buying more and more technologies and controls to put in place to help us stop something, but the problem is that all these solutions don’t make sense together, so it’s
very difficult to ask simple questions like ‘how secure are we?’, ‘are we missing controls that can lead to a breach?’ or ‘where do we have vulnerabilities?’,” says Bay Dynamics’ Stolte.

According to him, optimal mapping of cyber vulnerabilities requires a thorough assessment of how much data each vendor has access to and how damaging a breach through that vendor would be. “Historically, people have talked about cybersecurity in a very technical way and without marrying up with identifying the value that was at risk – that’s the demand we’re getting from senior executives: talk to me about the value at risk instead of the number of vulnerabilities we have,” he adds.