A Canadian company recently was the victim of ransomware: Attackers shut down one of its Web sites and sent a message — pay up within 48 hours or the rest of the site would also be shuttered.
Management didn’t call the bank, police. Instead one call went to their insurance company.
“We were able to assist them by connecting them to some immediate legal expertise that would help them understand what the next step should be,” recalled Matthew Davies, director of professional, media and cyber liability at Chubb Insurance Co. of Canada.
Meanwhile the firm also pulled in a forensic consultant it had used before for help, who was able to prevent further damage.
Cyber insurance can help pay for problems like this, including specialized IT personnel, disaster recovery, legal and media advice. At a time when the average Canadian data breach is estimated to cost about $5.3 million, this kind of protection can be useful.
That’s why an increasing number of Canadian chief risk officer, CISOs and CEOs are looking into cyber insurance coverage. “It’s an area that is growing rapidly” at Chubb, Davies said.
“We’re seeing many submissions on a weekly basis requesting quotations for cyber,” he said in an interview here. “Relative to four years ago it’s probably our most active new business opportunity”
One measure of the increasing demand for the product is a study by Betterley Risk Consultants, which estimated the premiums paid for cyber insurance by organizations around the world — overwhelmingly in the U.S. — in 2014 was US$2 billion, up from US$1.3 billion the year before. Meanwhile PriceWaterhouse Coopers believes the global cyber insurance market could grow to US$5 billion in annual premiums by 2018 and at least US$7.5bn by the end of this decade.
While the financial sector initially took up cyber insurance over a decade ago, the number of industries who use it now are varied. Chubb’s customers range from corporations to not-for profits, from professional services firms like law and accounting practices to a golf course. In fact, Davies added, increasingly organizations are demanding their partners — like services firms and vendors — carry cyber insurance.
“I think that cyber insurance will probably become less of a discretionary purchase in the future and more of a standard purchase many organizations will buy,” he said.
Megan Brister, senior manager cyber risk services Deloitte Canada, says the consulting firm has in the past two years has also seen “a relatively significant increase in clients who are seeking out and buying cyber insurance, including as a component of their overall cyber risk strategy.”
That’s because attacks have been what describes as “relatively simple things to deal with,” such as the loss of portable media with personal information, Web defacement or a denial of service attack that causes network to go down.
However, the increasing number of attacks from criminals and nation-states disrupting organizations means the impact of an attack is much more significant. And, Brister adds, attacks increasingly can’t be predicated very well by risk officers and are harder to clean up.
It’s important to remember what cyber insurance is not: A magic wand that eliminates risk. Like property insurance, it’s used to pay for damages. Depend on the insurer it can cover such as those related to the loss of personal information of customers (notification to victims/potential victims, credit monitoring and related lawsuits), legal advice, forensic investigators, labour costs for restoring damaged hardware/software systems, regulatory fines some business interruption costs and possibly ransom.
Depending on the policy it may not cover loss of money or property through social engineering fraud (like a staffer who is duped by an email and releases money), loss of corporate confidential information or loss of brand reputation.
There may also be limitations, such as staff failing to follow corporate security rules (think of losing a disk of unencrypted data), errors by a third party (for example, your cloud provider), software bugs that cause malfunctions or an act of war that voids the policy.
And there’s the problem of calculating how much to buy. A Deloitte article for the Wall Street Journal earlier this year gave a theoretical example a credit card processor that purchased a cyber insurance policy with coverage of $30 million against a cyber incident. If there was a data breach involving several million credit cards resulting in the company paying over $145 million in compensation for fraudulent payments, it had to come up with $115 million beyond the coverage.
Target has estimated its well-reported 2013 data breach may cost US$264 million. It has a US$100 million cyber insurance policy.
One problem the C-suite has with cyber insurance is whether it provides value. Some organizations feel premiums are too high and terms and conditions are tight, the Pricewaterhouse report notes. There’s some evidence of that: According to the Insurance Institute of Canada, global cyber insurance premiums are less than one-half of one percent of the estimated cost of cyber crime. The industry admits it has trouble calculating risk when the cost of breaches keep going up — as do the ways of breaching enterprises.
Large corporations may not see the need for cyber insurance, figuring their security policies are tough — and their cash supply deep enough to lower risk. In an era when the best practice is to assume if you haven’t already been breached you will be that may seem risky.
Toronto Hydro is one Canadian organization weighing the pros and cons. Utilities are potential targets as part of a country’s critical infrastructure, but so far it has stayed away from cyber insurance. “When we looked at if a few years ago cyber insurance wasn’t mature at all,” said Robert Wong, Hydro’s executive vice-president and chief information and risk officer. “There were too many exclusions and premiums too high.”
But, he added, he’s taking a second look in part because the cyber insurance industry has changed and is offering more comprehensive coverage “at a premium rate that makes business sense.”
Cyber insurance is only one piece of an organization’s entire security puzzle, he added, echoing what other experts say . “You’ve got to understand the profile of your industry, your company, how you do business, and more importantly, how effective is your overall cybersecurity practice … Insurance just covers the things that you feel are still exposed.”
One advantage of having is insurance auditors can help the CISO/CRO quantify an organization’s risks. That’s something to think about because security vendor Raytheon Websense predicts that insurance companies will increasingly refuse to pay for breaches caused by ineffective security practices. As a result requirements for insurance will become as significant for some companies as many regulatory requirements.
One thing for certain is that cyber insurance premiums are rising in certain sectors, while maximum coverage is being limited to $100 million. Marsh & McLennan Co. told Reuters earlier this year that cyber insurance premiums for retail companies increased 32 per cent in the first half of 2015. That report said some companies are struggling to find the money to buy coverage they want.
When buying cyber insurance “you really have to sit down and look at the risk you’re trying to insure for because not every business will have the same kind of risk profile, in terms of data that may be accessible — through the cloud or their own system,” says Bernice Karn, a partner who specializes in IT and privacy law at Cassels Brock in Toronto, “and then try to go into the market and find a product that will address that kind of risk.”
Considerations also include understanding what the organization will have to do to make a claim, including preserving logs and other evidence. Davies made one suggestion: Before getting insurance look at what information you hold, why are you collecting, storing or hosting it, how long are you going to keep it and how will you destroy it. Those questions play into establishing risk.