Back to the Beginning: Moving Beyond Breaches
There’s a saying in the cybersecurity industry that there are two types of businesses today: Those that have been breached and know it and those that have been breached and just don’t know it.
Cyber-related data breach incidents increased in frequency and severity in 2013, driving cyber insurance buying by double digits last year. The trend is accelerating, according to early signs in 2014 and a Marsh Risk Management Research briefing titled, “Benchmarking Trends: Interest in Cyber Insurance Continues to Climb.”
In today’s cyber world everybody has been breached, says Rick Betterley, president of Betterley Risk Consultants Inc. based in Sterling, Mass. In reality, it’s more like continual breaches. “There’s folks that are phishing around in your network right now,” he says.
The future of cyber insurance will move beyond data breaches and privacy concerns. In effect, experts say, the future of cyber coverage will mean going back to basics.
“The U.S. cyber insurance market is being predicated on the concept of data breach,” says Graeme Newman, director at CFC Underwriting. “People stopped talking about cyber as a concept and started talking about data breach and data breach response and privacy liability – the market became very fixated on that.”
What’s beginning to take shape today and what some experts believe will evolve into the cyber market of the future is cyber coverage that goes back to original product concepts.
“What we are seeing now is an expansion back to where we started with cyber in the late ’90s when cyber was much more of a first-party, system damaged, system interrupted product that also picked up some liabilities,” Newman says.
“From a product development standpoint, breach is getting ho-hum. We are going well beyond good ol’ breach,” Betterley says. While cyber coverage for data breach is very important, and there will continue to be a lot of data breach claims, in his opinion, the product has matured.
Consider how the industry went from focusing on the data breach to the response to that data breach.
In 2000, when Betterley, author and publisher of The Betterley Report, a publication devoted to specialty insurance products for commercial insureds, began writing about cyber issues, the concept of breach response coverage was vague.
By 2005, The Betterley Report mentioned data breach response coverage only as a “side coverage or add-on coverage.”
Today, cyber is “all about breach response,” he says.
Breach response will begin to take a back seat, in Betterley’s view. The cyber insurance “pendulum is swinging back to non-response, first-party coverages – such as loss of data, corruption of data and especially business interruption.”
“So far, the real cost has been on the first-party side,” according to E. Stuart Powell Jr., vice president of insurance operations and technical affairs for the Independent Insurance Agents of North Carolina. But those costs have come from data breach response costs – credit monitoring, forensics, notification costs, crisis management, among others.
In the next five years, the cyber insurance market will move away from data security and privacy issues – which is what everybody talks about right now – to a more all-encompassing cyber product for intangible assets and system availability, Newman says.
Newman is already seeing the expanded coverage idea take hold in some companies.
“We are seeing companies now understanding that they currently insure their physical assets of the business,” such as plants and machinery, he says. While insurance coverage for those tangible assets is in place, the cost of those assets – the physical equipment – has come down dramatically. “But the value of the data – the intangible assets of the business – has grown exponentially, and yet they can still buy cover for the physical assets and not the intangibles,” he says.
Newman anticipates a mind-shift in the insurance industry and in the way commercial insureds view cyber coverage in five years. He expects cyber insurance to become the direct mirror to a property policy.
“So right now businesses buy a property policy in case they have physical damage; cyber will become the mirror image of that, which will cover all things – the intangible loss – any non-physical damage giving rise to financial loss,” he says. “I think the policy, which in the U.S. market has become privacy focused, will expand back out to become much more about first-party elements and that’s going to start driving people’s buying behavior.”
That move back to the beginning where cyber coverage focused more on first-party elements is already happening, according to John Wurzler, president of OneBeacon Technology Insurance.
“Outside of the United States, the rest of the world has a less litigious legal climate and the emphasis of cyber coverage has been the first-party elements,” he says. “Even within the U.S., the recent innovations in cyber coverage have been on the first-party side as companies recognize that remediation expenses and loss of business due to cyber incidents can have a large financial impact on their organization.”
Underwriters predicting the exposures for the next 10 years have much to consider.
“When we talk about how the internet and things are developing and in 10 years’ time, we will undoubtedly have everything from driverless cars to refrigerators and ovens that will be internet connected,” Newman says. As a result, hackers will have lots of new crime targets.
As an example, in the recent Target breach, hackers were able to get into the corporation’s point of sale software through a connection with a heating and air contractor, OneBeacon’s Wurzler says. Most commercial and new HVAC systems have external monitoring going through the internet to enable adjusting the settings remotely.
That’s one of the drawbacks to the “internet of things” for underwriters.
“We are currently concerned with the ‘internet of things’ where every electronic device is connected to – and managed through – the internet and can be used to infiltrate larger systems,” says Lloyd Takata, senior vice president of OneBeacon Technology Insurance.
Even restaurants can be a risk. “There have also been exploits where hackers introduced malware into the online menus of restaurants popular for takeout lunch, so when the menus were downloaded by local corporate employees, the hackers were able to gain access to their company’s network,” Takata says.
While it’s bad enough that cyber attacks cause loss of economic value and physical property, underwriters must also worry about attacks that could bring about bodily injuries as well.
“We are also concerned that there is a serious potential for real, not virtual, harm if hackers can get into programs supporting healthcare devices,” Wurzler says. “Consider devices that monitor certain functions through an internet connection and automatically dispense medication or adjust body levels of a certain chemical. If these are hacked and disrupted, that person’s health could be at risk.”
The bottom line is that there are new exploits every day.
As cyber coverage continues to evolve, one coverage area – or loss of coverage – that will become increasingly important to corporations involves the war exclusion and cyber war, according to Betterley.
“If you think about insurance and you think about war exclusions, and cyber war, you think insurance policies that exclude war-type activities,” he says. Some of the cyber exposures where there have been losses are believed to be war-like acts by other countries.
“At what point is the cyber insurance industry going to say that even though we can’t identify who the attacker is, it is believed to be under the sponsorship of a hostile nation and therefore we will deem it a war-like act and we will exclude it,” Betterley says.
Right now, if an insured has one of those losses “you can’t really prove that it’s war; therefore you can’t deny the claims,” he says. “Some of us have concerns that the industry is not going to be able to tolerate that level of risk and is going to need to find a way to exclude it.”
In Betterley’s view, that exposure presents an opportunity for an insurance product that will buy back that risk, similar to terrorism insurance. While the concept may seem “out there,” the exposure is real, he says.
“There are attacks that are done by ‘bad actors’ in China that appear to be closely aligned to the Chinese government,” he says. While it’s almost impossible to prove, he says, it’s almost certain that other countries are sponsoring cyber attacks on U.S. companies.
Those cyber attacks are not about stealing credit card information. “Those attacks are more about breach on how you are designing your latest advanced machine tool, or military device, on and on. At some point you have to wonder how the insurance industry is going to respond because the industry is not in the business of protecting against war-like acts.”
Tip of the Iceberg
The opportunities for the future cyber insurance market are plentiful, the experts say.
“If you wanted to use privacy as the tip of the iceberg, then 75 percent of the rest of the iceberg has gone unexamined, at least by the insurance community,” says Bob Parisi, Network Security and Privacy Practice leader for Marsh.
The significant increase in interest for cyber coverage, as well as new business that was initiated during the third quarter of 2013 as a result of high profile cyber events, has continued and even accelerated so far in 2014, according to a recent Marsh report (see page 32).
“The exposure that companies have because of their reliance upon technology – whether it’s point of sale devices, inventory, or even just something as small as email – there’s no company that doesn’t have that technology-related risk as part of their operations,” Parisi says. Businesses that don’t hold privacy risk haven’t been looking at cyber exposures as aggressively as other industry sectors, until now.
The technology used by various industries and how that affects cyber risk will be a focus for the next few years, Parisi says.
“What you are going to see – and the market has started to respond and provide some solutions – is the industry looking at what happens when technology doesn’t work, when data is corrupted, what happens when the supply chain or manufacturing process because of a technical failure or because the vendor that a business relies on – whether it’s a technology provider or cloud provider or some other vendor – isn’t there when needed and they provide some aspect of the corporate infrastructure?” he asks.
When businesses and the insurance industry begin examining that type of risk, then a much broader spectrum of industries will start to embrace cyber coverage, Parisi says.
“Financial institutions, retail, healthcare, higher education, all of those industries are very much attuned to privacy-related risks. But when you start to talk about technology as the driver behind risk, you start to realize and look at manufacturing, life sciences, pharmaceutical firms – every other industry in addition to those that are concerned about privacy.”
People have always thought about online sales as being the driver for cyber but that psychology is changing now, according to Newman.
The Target breach, as an example, had nothing to do with online sales. “It was their traditional point of sale software,” Newman says. “Whether you are a small retailer on a corner shop or a huge global retailer it is irrelevant, you are as exposed, you are a target for cyber criminals.”
While the cyber insurance industry has seen a huge influx of buyers since the Target breach, Newman predicts that within the next five to 10 years cyber coverage will be the norm in all industries.
“Cyber as a product will be as mainstream as buying a property or commercial general liability policy,” Newman predicts. “It will be seen as a core pillar of anybody’s insurance program whereas now it’s seen as a niche product or an ancillary product.”
Newman believes fewer than 15 percent to 20 percent of businesses purchase cyber coverage today. “But my guess is that percentage will move to 70 percent to 80 percent in five to 10 years’ time.”
What happens in the future is anyone’s guess, and predicting can be a dangerous game, says Powell.
But based on his decades of insurance industry experience, Powell believes the future of cyber insurance might follow the path of other insurance products.
“I remember 20 years ago now when employment practices liability was first coming on to the scene and it was all surplus lines market business,” Powell says. Coverage was very expensive, with high deductibles. EPLI forms differed tremendously and policy applications were complicated. “Within 20 years employment practices has evolved to be included into most standard package policies,” he says.
Powell believes that it’s reasonable to assume that cyber insurance will follow a similar track.
“Right now the problem with cyber is we don’t have a lot of experience; it’s a little bit risky to price because you don’t have historical data,” Powell says. In a few more years that will change. “Once experience develops and pricing becomes more precise, I think you’ll see it become a more standard coverage issued by standard markets.”