Three cyber-attacks occur every minute, equating to approximately 1.5 million attacks annually and growing.[1] With this, the need for Cyber and Privacy insurance coverage has been steadily increasing.
“Every company that holds or processes some sort of personal information has a cyber exposure,” said Ken Labelle, Professional and Executive Liability Broker, Burns & Wilcox Brokerage. “Brokers should discuss insuring smaller business clients against cybercrime because a data breach could severely limit their cash flow or put them out of business altogether.”
“When speaking to clients about this type of insurance, brokers should ask about the type of data a business processes, where it is being held, how much data is of concern and how IT systems are set up,” said Karl Olson, Vice President, Professional Liability Regional Practice Leader, Burns & Wilcox Brokerage.
Cyber and Privacy/Network Security insurance covers added costs of a data breach, including data recovery, business interruption, credit monitoring, forensics, cyber extortion, public relations and legal costs. Labelle and Olson discussed four major trends that brokers should be aware of when speaking with their clients on Cyber and Privacy/Network Security coverage.
1. Social engineering
“Social engineering is a major form of cybercrime and is one of the most prevalent today,” said Labelle.
Most commonly, hackers will emulate a company’s or executive’s identity by creating a very professional-looking email that requests an action, such as transferring funds or reviewing a sales deck, or that poses as a court appearance notice or a FedEx tracking notice.[2] These social engineering scams are referred to as phishing.
Tech firm Ubiquiti Networks was swindled by a phishing scam that cost the company $46.7 million in wire transfers in 2015.[3] Unfortunately, the company was only able to recover $8.1 million.
“It only takes one person to fall victim to a phishing scam to open the door for a company or government entity to a cyber terrorist attack,” said Olson. “This coverage is not new, yet many companies do not think it is applicable to them.”
2. Cyberterrorism
Cyberterrorism attacks have been used to shut down North Korea’s internet for 9.5 hours, crash Microsoft’s Xbox Live on Christmas Day, publicize executive emails and leak movies from Sony, for example.[4] Many cyberattacks are carried out through distributed denial of service (DDoS) attacks – a tactic where a large amount of data is sent by a hacker to disrupt the functionality of a server. This was the case with a recent attack that shut down much of the internet on the East Coast of the United States in October 2016.[5]
“Network security and privacy coverages are expanding to include attacks from foreign enemies of the state,” said Olson. “For policies from Lloyd’s of London for example, it is common to have a war exclusion; but, what most people do not know is that exclusion also applies to cyberattacks from certain countries, including China and Russia.”
Labelle added that while cyberterrorism insurance is emerging, it does not cover physical or bodily harm.
3. Cyber-related property damage
“We are seeing cyber property damage in other unexpected ways as well. For example, if a hacker turns off a computer-controlled cooling system for a warehouse with $10 million in fresh steak the physical damage could severely impair the company,” said Olson. “The market is still trying to figure out the balance between property and revenue loss.”
One incident that crosses over between cyberterrorism and cyber-related property damage is Stuxnet. This was a program created to shut down the Iran nuclear program.[6] Stuxnet became known as the world’s first digital weapon.
As the move to automate all processes and records continues to penetrate all levels of industries, the potential to be hacked increases. Hackers are not specifically focused on just large, household-name companies anymore. The focus has moved to what data is most sensitive and valuable to a corporation, rather than how much a hacker can be paid on the dark web for stolen data.
4. Targeting Medical Records
Medical records are some of the most valuable data today. Hackers are accessing and locking valuable patient data in ransomware attacks to extort money from a healthcare system in exchange for the safe return of their data.
“Medical records are the worst data to lose, as they include nearly everything that someone would need to know about a person,” said Labelle. “We are seeing more hospitals fined by the FBI over poor data practices than ever before – especially against healthcare systems that notify them of a cyberattack improperly or too late. Clients have a duty of care for their patients’ information and it must be protected.”
Cyber-related healthcare policies are a growing segment of the professional lines specialty market. These types of policies protect a healthcare system by covering costs related to patient notifications, forensics, credit monitoring services, call center support, class-action lawsuits, public relations and regulatory fines.
Cyber and privacy policies are highly customized policies that are based upon a company’s individual exposures. Working with a cybersecurity insurance expert that understands these policies should be a must for brokers and agents. Keeping up-to-date on trends, litigation and changes by state in this space takes daily monitoring. Hackers are always looking for new opportunities to capitalize on the weaknesses of companies and it is important that brokers know what to ask for, what is available and how to tailor that for their client’s needs.
“There is more fluidity to Cyber and Privacy coverage than established coverages such as General Liability or Property and that is very exciting,” said Olson.