Cyber Insurance Explained

Data Breach Causes

Intent      External            Internal
Malicious   Hacker/Malware      Rogue Employee
Innocent    External Accident   Employee Accident

What is cyber insurance?

Businesses are required by law to safeguard customer, patient and employee:
• Personally Identifiable Information (PII), e.g., name, address, social security number, etc.,
• Personal Health Information (PHI), e.g., doctor visits, diagnoses, treatments, medications, etc., and
• Payment Card Information (PCI), e.g., credit card numbers.
Should any of that information leave your control--for any reason whatsoever--various state and federal laws require you to take numerous actions, with total costs starting near $100,000 and going up rapidly.

Cyber insurance pays those expenses.

Example breach costs

Hackers are so sophisticated these days at evading detection that the average breach is not discovered for 6 months (191 days), and it then takes almost two months to contain the breach (58 days), according to a Ponemon study. (Source: Cost of Data Breach Study: United States, Ponemon Institute Research Report)

Breach response activities typically involve a wide variety of highly paid professionals and consultants, hired on short notice from fields in which you probably have no experience. Those without cyber insurance can feel that they have little information and a weak hand in negotiations; that is not the case for those with cyber insurance. Many insurance companies have an approved list of vendors for breach response activities. These vendors are already vetted, and they must perform professionally to remain on the list. Accountability is a good thing, especially when you hope to use their services once and never see them again. Although costs are trending down, a recent study of cyber claims put the average breach cost at $665,000. (Source: NetDiligence Cyber Claims Study)


Most breach responses include highly skilled teams of technical consultants, including:
• A forensic technical team to identify the extent of the breach, the number of records compromised and other details,
• A security enhancement team to build new defenses to secure your data, and
• A penetration testing team to test the new security systems for vulnerabilities.
All of these teams have high daily rates, and their engagements typically continue for months. (Note to file: if you have your lawyer hire these teams, then the results of their work are not discoverable in court but are protected by attorney-client privilege.)

Cyber insurance pays these expenses.


Legal requirements protect your customers or patients and employees. If you had one customer in each of the 50 states, you would have to comply with 50 different state data privacy laws. A whole industry of notification companies has sprung up to meet these requirements. Perhaps you have already received a letter (or letters) yourself as a customer explaining another company's breach, including:
• A detailed explanation of what happened,
• How many records were breached, meaning the number of names breached,
• Which fields were breached, meaning the type of information breached (e.g., name, address, phone number, credit card, social security number, etc.),
• How the company will fix its systems to prevent a repeat breach, and
• What the company will do for you (usually a year of credit monitoring).
These letters, which go on for a few pages of single-spaced text, are sent to all your customers, whether they were specifically breached or not.

Cyber insurance pays these expenses.

Credit/ID monitoring

Depending on the specifics, legal requirements may call for credit/identity monitoring for all of your customers. These services are typically prepaid for each current or past customer (because nobody deletes anything these days), whether they use them or not. Unfortunately, credit/ID monitoring is expensive for the company while providing little protection to customers. Data security experts scoff at the weakness of credit/ID monitoring compared to simple steps you can take to safeguard your own personal information against identity theft. (Source: Krebs on Security: OPM wastes $130 million on credit monitoring; Krebs on Security: How I learned to stop worrying and embrace the security freeze)

Cyber insurance pays these expenses.


Lawsuits, legal defense costs, and legal guidance through this whole ordeal lead to external law firm costs, which are the most frequent breach expense. Depending on the circumstances, breach costs may include:
• Legal damages and defense costs for suits brought by customers,
• Regulatory actions and fees (yes, the FTC can fine you for weak defenses after a breach), and
• PCI fines for noncompliance with the established credit card Data Security Standard (PCI DSS).
Some of these expenses seem like salt in the wounds. Fines for being robbed, really? Yes, what a government pile-on double whammy. However, these additional fines have withstood legal challenges and are here to stay.

Cyber insurance pays legal expenses, and some policies pay all of the fines and regulatory fees as well.

Public Relations/Crisis communications

Depending on the size of the company and the nature of the breach, the situation may call for communication with the public at large via crisis communication consultants, press releases, statements to the media, news conferences, and interviews.

Cyber insurance pays these expenses.

Loss of Trade Secrets

Although this loss does not involve customers or patients, a company's trade secrets are frequently targeted by hackers. Loss of trade secrets can significantly affect a company's financial and competitive position. Once divulged, trade secrets may be disseminated rapidly, leaving no way to get the genie back in the bottle. (Source: NetDiligence Cyber Claims Study)

Some cyber policies pay for trade secret aspects of claims.

Who is at risk?

Breaches occur in businesses in every industry. Wherever there is a computer connected to the Internet, there is some level of risk. Financial services have had security since the first bank robbery; the healthcare field has no such history. Data security is still a new and evolving department in the healthcare field.

Breaches occur in businesses of every size. Many hackers have automated the process of scanning the Internet to find networks running software with known vulnerabilities. Small businesses have been targeted because they are perceived to have weaker defenses.

Malware and viruses spread with spam email indiscriminately, putting anyone using email at risk. A popular subject line generating many infections daily is "Brad Pitt Dead (apparent suicide)" with a link to malware. Popular culture figures and current events make for clickable links.

It's not all bad guys either

Somewhere north of 1/4 of all breaches involve no malicious intent. Employee accidents and system glitches are both innocent in intent. Even the best employees are not above accidents. With the ease and power of automation, sometimes a breach is one click away. (Source: NetDiligence Cyber Claims Study; Cost of Data Breach Study: United States, Ponemon Institute Research Report)

Over 1/5 of all breaches result from lost or stolen laptops. Making these machines so freely portable brings a new set of risks. Convenience has a cost. (Source: NetDiligence Cyber Claims Study)

Hackers share their malware on bulletin boards. They update and iterate this code, adding sophisticated tools and techniques so that the malware is "aware" of its environment in an effort to evade defenses. For example, code is freely available to detect whether software has been downloaded into a "sandbox" for checking by anti-virus software. Such software lies dormant while in the sandbox but springs into action once it has passed through. This code, which lacks any redeeming use, is available for free on the world's most popular code repository, GitHub. (Here are two versions: Paranoid Fish on GitHub by a0rtega, Paranoid Fish on GitHub by wizche)

In the final analysis...

The odds are not in our favor. We must win every interaction with hackers and malware in order to safeguard our data, while they choose the methods and times of future attacks. One hacker victory could lead to potentially ruinous financial losses.

Consistently, almost 70% of all email traffic comes from spam botnets, networks of thousands of hacked computers that spew out email. So more than two spam emails are sent for every "legitimate", intended email. The numbers are staggering. (Source: Kaspersky Lab)

On average, the FBI reports over 4,000 ransomware attacks a day. Ransomware is malware that locks and encrypts computers and networks, then extorts a ransom, usually to be paid in bitcoin. However, paying the ransom does not always lead to unlocking the computers. Sometimes a paid ransom leads to another ransom demand. (Source: FBI Document: Ransomware Prevention and Response)

In Russia, robbing Americans online is considered a legitimate business model. Brian Krebs detailed the rapid growth and enormous financial success of these businesses in his award-winning 2014 book Spam Nation. (Source: Amazon link: Spam Nation)

How is cyber insurance priced?

Most insurance companies quote based on the number of records (customer names) stored in a system as well as the annual sales of the company. Some underwriters require longer applications, while others quote most businesses with 6 questions. The inherent risk of a specific industry determines what level of detail the underwriter will require.

The cyber insurance market has yet to become standardized the way fire insurance has. Some policies exclude social engineering, which is when a hacker tricks an employee into sending money to the hacker under the guise of a boss's instructions. As this form of hacking is on the rise and millions of dollars have been lost in individual transactions, we do not recommend policies that exclude social engineering. At this time, no two policies offer exactly the same coverage. Discuss your needs with your broker and get multiple quotes.

Many insurance companies are writing cyber insurance these days, as this is the fastest-growing insurance market and they all want a piece of the growth. With these numbers, competition can work to your advantage. Request multiple quotes to get an idea of what the market price is.

Underwriters survey the universe of risk and decide which markets they will be most competitive in and which they are not excited about. Each has a different appetite for risk. Some will not quote certain markets at all, but taken together there are multiple quotes available in every market.

How to handle these risks

Cyber insurance is one piece of a strong and healthy data security program. These days, no electronic data is safe from determined hackers. And as devices become smaller, lighter and more mobile, expect increasing breaches from lost or stolen devices. Protect your business from the huge expenses that accompany a breach, no matter the source. Call to start the quoting process.

Business Insurance Experts
Call (212) 482-1100 for a quote