By John Hintze
What with major attacks at big retailers, government agencies and other entities, cybersecurity is taking over as the top worry. Here’s a look at the current environment and how it’s changing.
Forget about fluctuating interest rates and currencies, or new regulations and accounting guidelines—been there, done that. Cyber attacks appear to be multinationals’ red flag issue of 2015, including how insurance fits into the mix.
“We get attacks all the time, mostly out of China, and we just don’t know where the next attack is going to come from,” said a treasurer of a major industrial company at a NeuGroup Treasurers’ Group of Thirty meeting earlier this year. He added that the company has taken an interdisciplinary approach involving the CIO, CFO, and the head of enterprise risk management (ERM), in an effort to talk through all the potential issues and risk exposures.
“We’re trying to make sure we’re thinking about the issue broadly—about what could happen—and we want to do whatever we can to have the appropriate defenses and awareness,” the treasurer said. “We don’t know if we’ve gotten our arms around it.”
First Steps
Experts say establishing that framework—identifying the risks and defensive measures—is the first, critical step toward addressing cyber risk. Companies must also scrutinize their existing insurance policies, including property and crime policies, to understand their cyber-related coverage before looking at rapidly evolving stand-alone cyber liability policies.
Developing that framework is a multi-step process, and determining the need for cyber insurance is one of the last steps. Cyber policies today mostly cover breaches impacting personal identification information (PII) or personal health information (PHI), and companies’ crime and property policies often cover some other cyber-related risks. Only recently have cyber policies been structured to address risks involving fund transfers and other exposures more directly concerning corporate treasuries, although major gaps, such as intellectual property theft, still exist. The pre-insurance steps companies must take are not only critical for insurers to even consider providing insurance but also for companies seeking to build effective defenses.
“We believe that cyber insurance is an important market force that can drive improved cybersecurity for companies—and thus improve protection to consumers and the nation as a whole,” said Ben Beeson, senior vice president of cybersecurity and privacy at insurance broker Lockton Companies, testifying before the Senate Committee on Commerce, Science, and Transportation, in March. “It should not just be seen as another insurance transaction. As the cyber insurance market develops, it will provide incentives for companies to understand and mitigate their risks.”
Kevin Kalinich, global practice leader, network risk and cyber insurance, at Aon Risk Solutions, said that a company’s first step toward developing a cybersecurity framework is to identify its unique exposures, beyond PII and PHI. Those exposures can result from the company’s supply, distribution or logistics chains breaking down, or its website crashing and prohibiting it from conducting e-commerce. In the case of treasury, hackers may steal account information and redirect electronic payments away from their intended destinations. Or if the company’s bank payment system is breached it could find itself unable to make critical payments—treasury’s modus operandi.
“There’s modeling available now that puts those risks into the proper context and can give a company Monte Carlo simulations of exposures for one-year, 50-year and 100-year events,” Mr. Kalinich said.
Getting into the Risk Details
The second step, said Mr. Kalinich, is identifying the frequency and severity of those exposures. Risk mitigation follows, extending well beyond information-technology (IT) security to implement risk-management best practices throughout the company, including training the company’s own employees as well as those of vendors, so they understand which parts of the company’s network they have access to.
Mr. Kalinich noted that J.P. Morgan did a “tremendous” job segregating critical information inside its database, so while 76 million customer accounts were accessed last fall when its network was breached through a neglected server, customers’ vital information remained safe.
Another step is planning for when breaches occur. Jeff Diorio, managing director at Treasury Strategies, said that a year ago insurers mandated rigid defensive requirements companies had to follow to get cyber coverage, but they’ve since accepted that breaches are inevitable.
“You still have to have those defenses in place, but now you need to have a way of identifying breaches as soon as they happen and have an action plan to respond to and mitigate them,” Mr. Diorio said. He noted one client’s bank had experienced successive denial-of-service attacks, rendering its payment system inaccessible for a period of time, and causing a delay in crucial daily payments. The client established shadow accounts with another bank, so if one bank system was compromised it could still make payments. And to counter the possibility of a denial-of-service attack against the bank or internal client systems, it arranged to physically locate a treasury executive at a terminal at the bank.
Seeking indemnification from third parties the company does business with is another important component. “If a bank itself suffers a breach, the company using that bank really needs to ensure there is some kind of indemnification in place—that the bank has some kind of bond or other crime policy to cover the loss of funds, or that it’s adequately capitalized to cover a catastrophic event where funds have gone missing,” said Matt Donovan, global practice leader, technology and privacy, at specialist insurer Hiscox.
The same applies to vendors that companies outsource services to, such as the treasury risk management (TRM) systems treasuries often use through software-as-a-service (SaaS) agreements. Companies must clarify in their contracts with third-party providers where the liability lies, and whether a vendor holding liability has the wherewithal to cover potential losses if it is breached. Retailer Target’s network was breached, for example, when access credentials reportedly were stolen from Fazio Mechanical Services, a third-party provider of refrigerator units.
And before deciding whether to buy cyber insurance, a company must look at its existing coverage. Crime policies, for example, may cover some losses stemming from fund transfers that are fraudulently diverted to hacker accounts, while property policies can cover losses from breaches that shut down business. “Companies should engage their insurance brokers to look at their existing insurance to analyze coverage under property, general liability, crime, professional liability, and possibly kidnap and ransom policies,” Mr. Kalinich said.
Covering Treasury-Related Exposures
Can companies get cyber insurance coverage for breaches besides those of employee and customer data, such as a corporate treasury department’s fund transfers fraudulently diverted? Or a denial-of-service attack that freezes up a bank’s payment system, so its corporate treasury clients can’t make or receive payments? Or if an important SaaS provider of treasury risk management is breached and its services are unavailable for days? Property stolen by cyber thieves can literally be worth billions of dollars, but will insurance cover such losses?
Corporate treasurers are grappling with those questions, and definitive answers are hard to come by given that cyber adversaries seem to be always one step ahead. One certainty, at least for now, is that a company’s own intellectual property (IP) stolen via a cyber breach remains uninsurable due to complications in valuing the risk exposure.
“Is it valued at the cost to create, or the potential monetization of that IP, or something else?” Mr. Donovan said. On the other hand, he added, companies can find coverage for legal expenses resulting from a third-party suing them for losing its IP through a cyber breach of their networks.
“If you’ve lost your own IP, then there’s nobody to sue except yourself, and if it’s leaked to a country like China, good luck getting any IP laws enforced,” Mr. Donovan said.
Expanding Beyond the Personal
Most cyber policies until recently have covered personally identifiable information (PII) and personal health information (PHI), covering expenses and losses stemming from breaches resulting in stolen employee or customer data, a market that has grown to about $2 billion in premiums, up from $1.5 billion two years ago.
Other cyber exposures, such as funds stolen from corporate accounts or fund transfers, may be covered by existing crime policies, and property policies can cover losses stemming from business interruptions. However, those contracts must be read carefully.
“Unless customized, most base crime policies only cover employee theft—employees accessing their own company—but what happens if a third party breaks in [through a cyber attack]?” Mr. Kalinich said.
Mr. Donovan noted that an emerging scenario is a hacker breaching a company’s network, intercepting a routine invoice, and then changing the routing number so the company voluntarily releases the funds, but unknowingly to a criminal entity. He compared that to a gas station owner handing over cash to someone who falsely claims to represent the regular armored car company.
“It’s not necessarily a covered claim [under crime policies], depending on the wording. You’ve been deceived, but you voluntarily released those funds,” said Mr. Donovan at Hiscox, adding, “So we’re rolling out a ‘cyber deception’ policy to bridge the gap between crime policies and what’s covered under traditional cyber policies, providing a sort of sublimit of insurance so that if you’re deceived into voluntarily releasing these funds you can receive some coverage.”
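One defensive control for the invoice-deception scenario Mr. Donovan describes, written here as an added example (not code from the article, Hiscox or any insurer): a payment-release check that holds any invoice whose bank details differ from the verified vendor master record until treasury confirms the change out of band. The vendor records, IDs, routing and account numbers are constructed sample values.

```python
from dataclasses import dataclass

# Constructed vendor master file: bank details the company verified out of
# band when each vendor was onboarded. Sample values only, not real accounts.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Refrigeration", "routing": "011000015", "account": "123456789"},
    "V-2002": {"name": "Northwind Logistics", "routing": "021000021", "account": "987654321"},
}


@dataclass
class Invoice:
    vendor_id: str
    routing: str   # ABA routing number printed on the invoice
    account: str   # beneficiary account number printed on the invoice
    amount: float


def aba_checksum_ok(routing: str) -> bool:
    """ABA routing numbers are nine digits with a weighted mod-10 check digit."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def check_invoice(inv: Invoice, master=VENDOR_MASTER, verified_changes=frozenset()):
    """Decide whether a payment may be released.

    Returns ("release", reason) or ("hold", reason). Changed bank details are
    released only if they appear in verified_changes, i.e. treasury confirmed
    the change by calling the vendor on the phone number already on file (never
    a number taken from the invoice or the e-mail that delivered it).
    """
    rec = master.get(inv.vendor_id)
    if rec is None:
        return ("hold", "vendor not in master file")
    if not aba_checksum_ok(inv.routing):
        return ("hold", "routing number fails ABA checksum")
    if inv.routing == rec["routing"] and inv.account == rec["account"]:
        return ("release", "bank details match vendor master")
    if (inv.vendor_id, inv.routing, inv.account) in verified_changes:
        return ("release", "changed bank details confirmed by callback")
    return ("hold", "bank details differ from vendor master; confirm by callback before paying")


if __name__ == "__main__":
    routine = Invoice("V-1001", "011000015", "123456789", 12500.00)
    altered = Invoice("V-1001", "021000021", "555000111", 12500.00)  # same vendor, new bank details
    print(check_invoice(routine))   # released
    print(check_invoice(altered))   # held until callback
```

The hold reason is what an accounts-payable clerk sees; the callback result, not the invoice, is what adds an entry to verified_changes.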
The Chubb Group of Insurance Companies has been one of the few, if not the only, carriers to cover losses from cyber breaches impacting electronic payments. Jeff Diorio, managing director at Treasury Strategies, said he spoke to the head of cyber risk at a major package delivery company, which a year ago had been the second of Chubb’s corporate clients to get that coverage.
“The company went to Chubb and said, ‘We already have general liability insurance with you, and we need a rider to cover this scenario [of payment-stream breaches],’” Mr. Diorio said. Chubb declined to comment.
Tracie Grella, global head of professional liability at AIG and its cyber insurance efforts, said crime policies have often provided some coverage for losses stemming from fund transfers, but traditional cyber policies have typically excluded the value of the fund-transfer loss. AIG’s off-the-shelf cyber policy doesn’t cover that exposure yet, but Ms. Grella said that as the biggest cyber-policy provider, it is looking to address the differences between cyber and crime policies. Nor does it cover losses stemming from trade secrets stolen by hackers—a common exclusion across the industry.
However, AIG’s Cyberedge PC policy does cover a wider and growing range of exposures that traditional cyber policies do not. Its approach is similar to the one Hiscox is pursuing, filling in gaps that may not be addressed by the crime, property and general-ledger policies already on offer.
“It’s not something that’s broadly given,” said Ms. Grella. “One reason for that is we find many organizations are not doing proper due diligence of the third parties they’re working with, and they don’t understand who is responsible for the security, they’re not monitoring those companies,” and sometimes don’t even know who these providers are. She said companies must essentially underwrite their vendors and map out whether they are compliant with industry risk standards. Ms. Grella added that companies should ensure their vendors indemnify them and preferably have cyber insurance, and monitor their vendors regularly. “Most companies are very far from having a comprehensive program in place, but those are the things we would look for.”
AIG launched its Cyberedge policy more than a year ago, and it covers risk to physical assets posed by cyber attacks that can lead to equipment failure, physical damage to property, and physical harm to people. The product addresses coverage gaps in property, casualty, energy, aerospace, marine, environmental, healthcare, and financial lines policies, where cyber-related exposures may be excluded or coverage too limited, the company says.
Mr. Beeson said the Brit syndicate within Lloyd’s of London has developed a stand-alone cyber policy addressing property damage and business interruption. He favored AIG’s approach, referred to in industry lingo as the difference-in-conditions, difference-in-limits (DIC/DIL) approach. It provides a “wrap-around specialist policy” that fills in the gaps other policies don’t.
Insurance Still Affordable, Capacity Lacking
Target’s losses stemming from its 2013 cyber breach were close to $250 million, with $90 million covered by insurance. Good luck to large retailers finding even that much coverage today.
Massive data breaches at retail big-box store chains like Target and Home Depot have besmirched the sector in the eyes of insurers, fairly or not. And the Anthem and Premera Blue Cross breaches earlier this year have put healthcare players in similar underwriting crosshairs. As a result, even companies in these sectors that have diligently determined their cyber risk and developed sophisticated defense frameworks are finding less coverage available at higher prices.
Until recently, multinationals have been able to find coverage in the $200 million to $300 million range. “In the retail industry, that capacity has contracted; if you’re a retailer, you’re likely going to struggle to get more than $125 million,” said Lockton’s Mr. Beeson. He added that some insurers are actually declining to take on clients whose policies they would have probably underwritten a year ago. Unsurprisingly, as supply of cyber coverage has dropped, premiums have jumped.
Mr. Donovan at Hiscox said that cyber insurance costs have been “extraordinarily affordable” for a number of years, given the growing number of insurers competing for that business. “That said, certain industry segments are experiencing massive pricing increases, especially retail, after recent payment card breaches,” Mr. Donovan said, adding that since some of those breaches occurred over the last year or two, the annual renewal schedule has resulted in premium hikes only recently.
What’s Already There Matters
Whether insurers will underwrite the cyber risk of companies in the big-box retail sector at all largely depends on the defense framework those companies have put in place. Mr. Beeson said that existing clients will have a better chance at keeping premiums down than new buyers, but even retailers taking precautionary measures such as encrypting data and deploying multi-factor authentication will nevertheless be viewed as high risk.
“Insurers have raised the security baseline or floor that retailers must meet in order to acquire cyber insurance today,” Mr. Beeson said. “If you are not encrypting payment card data or using alternative tools such as tokenization, many insurers will now decline to offer coverage at all. If you want to buy cyber insurance as a retailer now, most of the insurance industry is saying that, as a baseline, you have to encrypt payment card data where the card is swiped on the payment card machine.” And, “if you’re not doing that, you’ll now have a really hard time even getting cyber insurance.”
He added that while premiums in certain industries have not increased, they have generally gone up by 10 percent over last year, and significantly more in the retail and healthcare sectors.
Peter Foster, executive vice president for global resources for cyber risk at insurance broker Willis, said that premiums today, except for retailers, are typically 1.2 percent to 1.3 percent of the limit for insurance up to $300 million.
“Nevertheless, we are seeing underwriters pull or back out of underwriting larger cyber accounts” across regulated industries, Mr. Foster said. This is especially true when the insured wants limits above $100 million, and where premiums have been reduced significantly. He added that insurers providing a company with $100 million in coverage previously had little concern that losses would exceed that amount, but that has changed, and they now want premiums closer to the primary policy premium for the first $30 million to $40 million in limits.
“Building capacity for existing [plans] without having to take apart the lower layers—below $100 million—has become a major challenge,” Mr. Foster said.
Tom Wakefield, a broker at Aon Benfield specializing in cyber risk, said that outside the big-box retailers and healthcare providers, large companies can still find capacity in the range of $200 million to $300 million, and as high as $450 million for the big banks. Likewise, aside from those two sectors, premiums have remained fairly stable for traditional cyber policies as well as more innovative policies from insurers such as AIG, Brit and Hiscox, that cover cyber-risk gaps that existing property and crime policies miss. “Price remains a function of capacity required and exposure,” Mr. Wakefield said.
The banking industry has certainly had its cyber knocks; J.P. Morgan, for example, experienced a breach last year that reportedly exposed 83 million accounts. In this instance, however, bankers probably aren’t complaining about being a highly regulated business. “Banks might appear to be high risk, but interestingly the insurance market looks more favorably on financial institutions, even J.P. Morgan, because they’re heavily regulated and have to make significant investments in cyber security,” Mr. Beeson said, adding that many retailers haven’t made those investments, and their thin margins can result in cyber breaches inflicting much greater damage.
In the case of J.P. Morgan, it had segregated critical information in its database, so key information such as customer credit card numbers remained secure.