Today’s Cyberthreat Landscape is evolving and changing daily. It seems that no sooner is one threat vehicle launched, than many variants follow soon after. A perfect example of this is Phishing. This is probably one of the oldest forms of a Cyberattack, yet it is still being used heavily today in many variations, such as Spear Phishing and Business Email Compromise.
This situation can be compared to a cat and mouse chase. The cat is the Cyberattacker, and the targeted company or agency is the mouse. The goal for the mouse is to stay one step ahead of the cat, but it seems that when Cyberattack is the cat, it has a distinct advantage. The bottom line is that a Cyberattack is real, and it can have devastating effects on a business or agency.
Tangible vs. Intangible loss after a Cyberattack
After an organization has been hit by a Cyberattack, it will experience downtime until the baseline level of operations is restored, so that mission critical processes can keep running. There is the often a loss of revenue experienced during the downtime. But these are only the tangible losses.
There are also the intangible losses, which are the unquantifiable. They include the following:
- Tarnished brand image
- Loss of reputation
- Loss of customers
- The time it takes to attract new customers
- The time it takes to notify customers and stakeholders (both Internal and external) that their Personal Identifiable Information (PII) could be at risk
- The time it takes to answer questions posed by law enforcement and regulators (both at the federal and state levels)
- Any additional downtime caused by a potential lawsuit.
Here are some examples of what the latest Cyberattacks have cost Corporate America:
As is evident in the diagram above, the cost of a Cyberattack can be enormous, and they are only getting worse year after year. But keep in mind that these are only the tangible costs, not the intangible costs. If the latter were to be factored in, the costs would be even more staggering.
After the large-scale Cyberattacks described above, Corporate America began looking into procuring Cybersecurity insurance as means to cover the losses incurred after a Cyberattack. However, purchasing a plan is a little bit more complicated that it is when getting car or medical insurance, and it is poorly misunderstood by the C-Suite. The goal of this 3-part article series is to provide an overview into Cybersecurity insurance, focusing on the following:
- The definition, purpose, and history of Cybersecurity insurance
- The advantages and disadvantages of Cybersecurity insurance (what is covered and what is not)
- The factors that insurance companies consider when providing coverage
- What you need to take into consideration when choosing an insurance carrier
- An introduction to Triple Helix®, a revolutionary new product designed to ascertain your level of Cybersecurity Risk.
The purpose and evolution of Cybersecurity insurance
In its broadest sense, Cybersecurity insurance can be defined as follows:
“A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event.” (Source 2)
Cybersecurity insurance is not a new product by any means. It has its roots going back to the late 1970’s, when the Errors and Omissions concepts were first introduced. The first versions of Cybersecurity insurance came out in the 1980’s and were primarily designed to help the losses covered by large financial firms and other Fortune 500 companies.
But it was not until the late 1990’s when interest in Cybersecurity insurance policies started to grow in the marketplace. The primary catalyst for this growth were the fears of Y2K, which were generated by the fear that there would be widespread computer shutdowns on a global basis at the turn of the 21st Century. At that time, Lloyd’s of London has been credited with offering the first true Cybersecurity insurance policy.
This initiative was launched by Keith Daniels and Rob Hamesfahr, former attorneys at the law firm known as Blatt, Hammesfahr & Eaton. The underwriters for this first policy were Ian Hacker (who was an underwriter at Lloyd’s of London), Ted Doolittle, and Kinsey Carpenter. The primary goal of this policy was to offer third party coverage for major business interruptions.
It should be noted that there was no first party insurance coverage offered at that time. Also, these first types of Cybersecurity insurance did not cover losses experienced by Insider Attacks caused by an employee with malicious intent, or failure to come into compliance with any federal rules and regulations, and any fines or penalties that could be imposed on a business entity by a regulatory body.
It was after the 9/11 attacks that interest in Cybersecurity insurance spiked even further. This was because many leaders, at both the corporate and government level, were starting to realize the gravity of Cyberattacks. The types of threat vehicles that emerged at that time were Trojan Horses, Viruses, and primitive forms of Malware.
Because of this, there was also the stark realization that it is not just physical attacks that can cause business interruptions, but threats launched towards the virtual world could also bring an organization to its knees. This type of loss was not covered by Cybersecurity insurance during that time frame, primarily because there was no historic data on which to calculate insurance risk and premiums. As a result, many insurance providers focused most of their offerings on losses that were incurred by attacks to physical IT and Network Infrastructures.
But as Cyberattacks continued to mount and proliferate upon the Cloud (or Virtual) Infrastructures, the demand for Cybersecurity insurance policies to cover this type of loss started to grow, due to the sheer amount of identity theft and data breaches that were occurring.
New security breach laws: A catalyst for the insurance industry
Another catalyst that finally prompted the insurance industry to extend their policies to cover these kinds of losses was the passage of the California Security Breach Information Act of 2003. This law mandates that any entity which conducts business transactions in the state of California must notify any customers whose Personal Identifiable Information (PII) was at risk because of a Cyberattack which occurred.
Many other US states passed and implemented similar laws rather quickly, and even the European Union passed similar laws with a major focus on telecom providers and Internet Service Providers (ISPs).
Due to all of this, major insurance carriers began offering first party coverage to businesses and corporations. This coverage includes such things as forensics investigations, public relations damage and repair, credit monitoring services offered to victims, and costs associated with notifying people that they may have been impacted.
Despite this, not all insurance carriers during this time frame offered the same type of coverages to Corporate America. For example, many of the carriers had extremely strict sub limits still set into place, and the amounts that were paid out differed greatly. One of the main reasons for this was that each carrier had varying risk tolerances they were willing to take on, and different methodologies for quantifying what level of risk was deemed to be acceptable and how much was too much. After all, insurance providers are businesses themselves, and they want to make sure that they don’t to take on too much of a burden if it is going to directly impact their bottom line.
The turning point that made the insurance carriers loosen their purse strings was the horrific security breach that occurred at the retail giant known as TJ Maxx. In this attack, over 45 million credit card and debit card numbers were stolen, which cost the company almost $5 Billion. Over 25 class action lawsuits were filed, and the retailer had to dole out $177 million in settlement claims. Even to this day, the TJ Maxx Cyberattack is considered one of the worst in history.
To top this off, there were also security breaches at Anthem Blue Cross Blue Shield and Target, in which over 10 million credit card and debit card numbers were heisted. This demonstrated that despite the best lines of defense having been implemented, any business or corporation is at risk for a large scale Cyberattack. Thus, today the demand and need for a comprehensive Cybersecurity insurance policy is at its highest point ever.
Next Up: The Advantages and Disadvantages of Cybersecurity Insurance
Part 2 of this series will outline the advantages and disadvantages of Cybersecurity insurance. It will also break down what specific types of Cyber losses are covered–and what are not.
Related article: Is Cybersecurity insurance a Double-Edged Sword?
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He is also studying for his Certificate In Cybersecurity through the ISC2.