The cyber liability insurance market is likely to morph in the near future as a result of the massive Equifax data breach, according to some industry executives.
It's too soon to tell just how many millions or even billions of dollars insurers may have to shell out as a result of this summer’s Equifax breach, which the company says impacted 143 million people in the United States, Canada and the United Kingdom. But cybersecurity and insurance professionals say the impact from this event will be lasting.
Historic cyber attack
Equifax revealed the cybersecurity breach on Thurs., Sept. 7, 2017. The company said it discovered the attack, in which hackers compromised a website application in order to gain access to private consumer information, in July 2017.
"This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes," Equifax CEO Richard F. Smith said in a press release. "We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations. We also are focused on consumer protection and have developed a comprehensive portfolio of services to support all U.S. consumers, regardless of whether they were impacted by this incident."
The company directed consumers to a dedicated website, www.equifaxsecurity2017.com, where individuals can investigate their potential exposure. The site also outlines a 5-step plan for how Equifax intends to bulk up its cybersecurity efforts.
Although Equifax carries cybersecurity, crime, general liability, property and business interruption insurance, these policies are likely insufficient to cover the company’s expenses related to this breach.
Consider that Anthem agreed in June to pay $115 million to settle class-action lawsuits stemming from its 2015 cyber breach that may have affected nearly 80 million customers, and the price tag on Target’s 2016 cyber breach is expected to top $450 million by year’s end, according to Forbes. (Target reportedly carried $100 million in cybersecurity coverage.)
Cyber insurance industry representatives say that the Equifax cyber insurance program is carried by Marsh, with Beazley as the primary carrier. Representatives from Beazley did not reply to emails requesting comment for this story.
Cyber liability wake-up call
Michael Born is vice president and account executive of the Cyber Technology Practice at Lockton Companies, based in Kansas City, Missouri. He said this week that many of his colleagues "have been waiting for this shoe to drop," or the arrival of a massive cyber breach such as this one that has the likelihood of furthering the cybersecurity and cyber insurance markets.
"Cyber insurance is a very soft market," Born said. "There are a lot of new players, coverage is broadening, pricing is going down, and underwriting is getting a little looser … But I think you may see that change."
Born said there are generally two stages in recovering from any cyber breach. The first stage is the initial impact of the breach and the subsequent identity theft monitoring. This is the process in which Equifax is currently involved.
"The next part is a longer tale," Born said, "and that’s the liability portion."
Growing class actions
There will certainly be regulatory investigations and class action lawsuits. These suits may come from consumers impacted directly as well as Equifax business clients who relied on the company to safeguard employee data.
"We could see (cyber insurance) pricing change and underwriting getting more stringent within the next couple of months," Born said.
Cybersecurity executive Sidd Gavirneni concurred.
"Other recent attacks have had an impact on pricing for sure," said Gavirneni, CEO and co-founder of Zeguro, a San Francisco-based cyber insurance MGA that provides cybersecurity services. "The scale of the Equifax breach will lead to a higher demand for cyber insurance. The users whose data has been compromised will take this fear to work and to the businesses they run. Also, underwriters now have more data to base pricing on."
The Equifax breach, he added, is a chance for agents and brokers to illustrate just how catastrophic a cyber breach can be for business. This will be a chance to "provide customers with insights into why and how the Equifax breach happened, and help them understand the cyber risks their businesses face," Gavirneni said. "Only then can they understand the real need for cyber insurance."
Policy pricing impact
David Derigiotis is corporate vice president of the Professional Liability Center of Excellence at Burns & Wilcox, a major North American insurance wholesaler. He said the Equifax breach "will be the largest, most financially draining cyberattack the world has ever seen impacting a single organization," and that the costs associated with the event are likely to skyrocket.
"This data breach should drive continued cyber insurance growth within the P&C industry, causing organizations of all sizes to reevaluate their insurance and cybersecurity strategy," Derigiotis said.
He was, however, skeptical about the idea that the Equifax breach will impact policy pricing.
"It is not just one insurance company covering the loss, it is a tower of insurance companies involved providing financial ventilation," he said. "There is so much interest in this space that there are any number of other insurance carriers to step in and provide coverage. A tremendous amount of capacity is available for Cyber Liability policies right now."
The greater lesson may be that no company, no matter how large or sophisticated, is immune to a cyber breach.
"Knowing large-scale organizations have a difficult time rebounding from data breaches, smaller companies will not have a chance," after a breach, and will not likely be able to sustain such an attack, Derigiotis said. "Brokers and agents can use (Equifax) as an example on how to better address cyber risks, including having the necessary resources and insurance coverage to survive an attack."
Dan Burke, vice president and Cyber Product Head at Hiscox USA, said any business that handles sensitive customer information on par with the type of information that hackers accessed from Equifax (names, Social Security numbers, birth dates, addresses, driver’s license numbers and credit card information) must now be well aware of the importance of information security hygiene.
"Hackers are incredibly crafty at finding cyber security and data vulnerabilities," Burke said. "To keep hackers at bay, businesses should aim to supplement technology protections by creating a ‘human firewall,’ meaning all employees are trained and have an awareness of the potential warning signs of an attack. It’s much easier to hack people than the technology. Have the strategy, resources and processes in place before a hack occurs, in order to identify a breach early and get back to business as quickly as possible. This is still a major concern – for more than half of US business, it will take two or more days to return to business as usual after a large breach."
Three other top cyber insurance carriers contacted for this story — Zurich North America, Travelers and Chubb — declined to comment.
Human resource issues
Tracey Malcolm, the Global Future of Work Leader for Toronto’s Willis Towers Watson, said the Equifax breach could spur organizations to build cybersecurity into employee functions at every level.
"We are seeing organizations really have to get real about what is the readiness of their cybersecurity workforce," Malcolm said. "We’re seeing a shift in acquisition strategy" with more corporations interested in both executives and employees who possess a hybrid of business acumen and cybersecurity training.
Willis Towers Watson’s Cyber Pulse Survey conducted earlier this year found that while three out of four U.S. businesses believe their organizations are safeguarded against a cybersecurity breach, there remains a disparity between feelings of preparedness and the increasing number of cybersecurity incidents. To that end:
- 79% of U.S. employees believe they have insufficient understanding of cybersecurity risks;
- 45% spent 30 minutes or less on cybersecurity training during 2016; and
- 25% of U.S. employees received no cybersecurity training whatsoever in 2016.
"As the world has seen with the proliferation of phishing scams, most recently highlighted by the global WannaCry ransomware attack, the opening of just one suspicious email containing a harmful link or attachment can lead to a companywide event," Anthony Dagostino, head of global Cyber Risk at Willis Towers Watson, said in a press release about the Cyber Pulse Survey. "However, there appears to be a disconnect between executive priorities around data protection and the need to invest in a cyber savvy workforce through training, incentives and talent management strategies."