A bead of sweat rolls down the CEO’s forehead as her computer screen flashes red. An alert warns her that IT sensors have detected a cyber-attack against her company.
She and her team have to quickly figure out how to block the attack. The CEO’s mind races. Will the security systems the company put in place keep the criminals at bay? She watches with her executive team as the attackers repeatedly try to penetrate the company’s cyber defenses.
To their relief, each attack comes up on the screen as denied. In a last-ditch effort, the criminals attempt to launch ransomware against the company. The CEO and her team reverse-engineer the malware and defeat their adversaries!
The above scenario can be found in the pages of a recent PricewaterhouseCoopers report on the state of cyber risks and what insurance companies can and should be doing in the face of a growing threat.
By now, after the breaches at Yahoo, Target, AT&T and countless others, the idea of insuring against cyber hacks is old hat, especially among larger companies. Unfortunately, many small and mid-market corporations are still going without.
Cyber criminals, as we all know, are constantly probing for weaknesses and adapting their tactics. Despite the best efforts of experts across all industries, cybercrime remains costly, hard to detect and difficult to combat.
“From an insurance perspective, while analogies are often made with terrorism or catastrophe risks, cyber risk is in many ways a risk like no other,” PwC said.
It’s not hard to see why the buyers of cyber insurance are still predominately larger companies.
Cost is part of the issue. Insurers charge more for cyber coverage than for other types of liability coverage. They do that in part to cushion some of the uncertainty over losses, but also because there is still a limited number of insurers in the cyber market.
More alarmingly, there’s also the erroneous belief that an attack is no worse than having a website go down for a few hours.
Here are a few statistics gathered by PwC that should help put things into sharp relief:
- the average payout from an insurance company for a data breach is $665,000;
- there were nearly 43 million “global security incidents” detected in 2014, the equivalent of more than 100,000 attacks a day;
- 61% of the CEOs interviewed for one of the firm’s global surveys said they saw cyber-attacks as a leading threat to the growth of their business, ranking it higher than changes in consumer behavior, the speed of technological change or supply-chain disruption.
In other words, the problem is big and getting bigger.
We’ve said this before but it bears repeating:
Not all cyber-security insurance policies are created equal, so it pays to be extra careful about what you’re buying.
There are “first-party” and “third-party” risks associated with data breaches and cyber risks. Coverage of first-party risks would include loss of a policyholder’s own data, while third-party coverage addresses liability to clients or government entities.
The better policies allow companies to tap into a built-in network of IT experts, PR firms and “breach coaches” who are experienced in responding to cyber-security matters and whose rates the insurance carrier has already negotiated.
Beyond covering the theft or destruction of confidential information, more robust cyber policies typically also include:
- the costs of client notification and expense of providing credit monitoring services to affected clients;
- the costs associated with restoring, updating, or replacing business assets stored electronically;
- business interruption;
- liability associated with libel, slander, copyright infringement, product disparagement, or reputational damage to others when the breach involves a business website, social media or print media;
- expenses related to cyber-extortion or cyber-terrorism; and
- coverage for expenses related to regulatory compliance for billing errors.
In today’s world, the idea that a data breach will never happen to you just sounds increasingly naive. Anyone with a bank account can find themselves targeted. Cyber coverage will put you back on your feet and get your company moving again.
Scott Carlson is an Assistant Vice President at CCIG. Let him know if you have questions or concerns. Reach him at ScottC@thinkccig.com or 720-330-7925.