From news stories to webinars to presentations and discussions at trade shows, it's been nearly impossible over the past year to avoid the topic of cyber risk. The threat is not new, and insurance addressing the risk has been around for about 15 years now, but only recently has the issue become top-of-mind for so many.
Before the 2014 RIMS Annual Conference and Exhibition, PC360 asked four risk managers who sit on National Underwriter's editorial board what the most significant emerging risk on their radar was. Three of the four mentioned cyber risk. And that was just a preview of the mood at the RIMS conference, where cyber was a popular topic among both buyers and sellers of insurance.
For example, Chubb Corp. released its 2014 Multinational Risk Survey at RIMS, which questioned 300 U.S. and Canadian companies about their international exposures, and data breach/cyber was the second-biggest threat cited by respondents after supply-chain failure.
Kathleen Ellis, senior vice president, Chubb Multinational Solutions, said cyber has been of great interest to clients, and she added she would not be surprised to see cyber top the list of threats in a future survey.
Why has cyber become such a major issue? Tom Srail, senior vice president, Willis, says news over the years about high-profile breaches in conjunction with mounting data-privacy and notification regulations have pushed the conversation forward over time. "Every time one of those big industry events leaks into the day-to-day media, there's renewed interest in and discussion about cyber," he says.
And the past year saw plenty of big cyber events. A report from Risk Based Security says four of the top ten breaches, with respect to the number of records exposed, occurred in 2013, including the highest of all time, which exposed 152 million records. The report says the number of incidents was down from 2012, but the number of exposed records shot up to 823 million compared to 264 million in 2012.

Source: Risk Based Security
Toby Merrill, leader of ACE's cyber risk practice, also mentioned the recent news about large material breaches as a reason for the spike in interest, but he does not believe that is entirely what is driving it.
"Probably the biggest contributing factor is just technology in general," Merrill says. "Look at how we use technology in business and our personal lives," he continues, pointing out technology has "transformed how we interact as human beings."
To be competitive today, Merrill says companies have to rely fairly heavily on technology to deliver a product or service, and those who take advantage of modern technology are in a better competitive position relative to their peers. But with the rapid technology evolution comes rapidly evolving risks.
"In the risk-management community, we want to pause and take a breath," he says. "We're OK with the benefits, but before we jump into the pool, let's talk a little bit about if we need swimmies first."
Where insurance plays a role
Insurance protection and services have grown over the years to become, if not swimmies, at least a critical life preserver that can keep businesses afloat in the event they do suffer a breach.
Srail notes that in the early days of insurance for cyber risk, insurers would pay for notice and credit-monitoring expenses, and buyers were generally limited to dot-coms and some retailers and banks.
Coverage has since progressed and become relevant for a wider base of customers. "For a good chunk of the industries out there, cyber is very useful for them," Srail says, although he acknowledges that not every industry would find the coverages useful.
"An easy one is manufacturing," he says, explaining a wholesale manufacturing company that is not selling to customers would only have its employee data, "which is sensitive, but there's a limited amount of it." He says a billion-dollar manufacturer potentially losing data on its 5,000 or 10,000 employees would not be a "meaningful enterprise risk" for that company.
Srail also mentions limitations for energy companies, stating the "off-the-shelf cyber we see in the news in the retail breaches isn't as directly impactful to some of those organizations." Although, "Even that's changing," he says, noting "one of the big carriers" released a new coverage targeted primarily toward power, energy, and oil and gas companies.
American International Group last month announced CyberEdge PC, an expansion of its cyber insurance offering to include property damage and bodily injury exposures. The company said it was "a response to growing incidents and threats of cyber attacks directed at commercial industries that can lead to equipment failure, physical damage to property, and physical harm to people."
And for most other sectors, the addition of coverages and services over the years has made the cyber-insurance market more attractive. For example, Srail says adding coverage for fines and penalties made a big difference in health care, among other sectors. "We've seen a third example over a short amount of time of an over $1 million health-care fine from either a federal or state regulator for a relatively small breach," Srail says, noting that this seems unique to the health-care industry. "We don't see a bank losing 20 credit-card numbers and getting a million-dollar fine," he says. "We do see that in the health-care world."

Source: NetDiligence® 2013 Cyber Liability & Data Breach Insurance Claims Study
Beyond the coverages, ACE's Merrill notes the insurance industry has developed expertise concerning cyber to the point where "even some levels of the federal government have recognized the insurance industry as a resource to help promote best practices around risk management."
For ACE's part, Merrill believes the insurer's expertise is what helps set it apart, offering insureds resources and experts to assist with recovery after a breach takes place. "We have a lot of experience," Merrill says. "We've seen good processes, but we've seen some pretty horrible mistakes. We try to do our best to get [insureds] access to the resources to avoid the mistakes."
Capacity and underwriting
Despite what Srail calls the "year of the mega breach" in 2013, carriers have mostly retained their appetite to write cyber-liability insurance. "We've seen a couple of carriers restrict or pull back," he says, "but most of the rest have been pretty calm."
Srail says Willis' team does what it can to keep carriers calm in the face of large and public losses, explaining that more people than ever will be buying coverage now.
In fact, he says the market "needed to see a $100 million limit-loss payout to get larger firms on the fence to buy and mid-size firms dipping their toe in the water" to purchase larger limits.
Speaking to pricing, Srail says it "seems to make sense. It's still inexpensive, but I think there are good numbers behind it now."
Fears of a mega breach
Not all in the industry believe insurers are where they need to be when it comes to addressing and pricing cyber risks. Jonathan Hall, executive vice president, FM Global, believes carriers have work to do to stay ahead of the risks. "I think the industry is reacting to a client need," he says, "and trying to catch up. I think the industry is trying to react as quickly as it can," he adds, "but it's hard because every time you turn around, there's a new twist to it."
The secret, he says, is finding the point at which insurers can provide the right coverage at the right price that meets clients' needs. The challenge is trying to discern exactly how big a serious loss can be for insurers.
Hall says he is not concerned about one hit. Insurers, he said, can all take a $50 million to $200 million loss. "It's the aggregation," he says regarding his concern. "The balance-sheet issue here is you have to start looking at cyber kind of like flood, earthquake and wind," says Hall. "How many of my clients can be involved potentially in one event?"
Having a $100 million single-client event hit 100 or 500 clients becomes "a massive potential exposure to the balance sheet," he says. "And I think that's part of what the insurance companies are trying to understand: how big can this be?"
This potential exposure is considered against the backdrop of more companies storing their data in the cloud. "It's a huge concern," Merrill says of the potential for a breach at a cloud provider that could affect the data of multiple companies. "It's very real and the perception is it can happen."

Srail says the issues for cloud providers go even beyond a breach. "Cloud providers can have a big breach where they lose data for 1,000 customers, sure," he says. "But they can also have a big downtime issue that can shut down 1,000 companies. So they're involved on both sides."
Merrill also notes there's "very little contractual indemnification" with many cloud providers, limiting companies' recourse should their stored data be compromised. "And that's important because why would you ever trust anybody if they don't have repercussions?"
Srail says cloud providers initially thought "they could be a utility, like the phone company. You can't sue the telephone company when you get an obscene phone call." Along those lines, Srail says cloud providers had hoped they could hold data, but that's it—so if cyber criminals steal a customer's password and access that company's data, it would not be the cloud provider's fault.
He also says providers were not charging for the responsibilities that come after a breach. Cloud providers have been charging very little to store large amounts of data, "plus, they're professional security firms," Srail says. "It sounds great."
From the perspective of companies using cloud providers, Srail says the thinking has been, "We want all that, and want it to cost nothing. But if anything goes wrong, we want [the cloud provider] to pay." Cloud providers, naturally, felt differently.
Srail says there has been progress in bridging this divide recently after pushback from companies that use cloud providers as well as regulators. More cloud providers now are "taking on more obligations and charging for it," Srail says. "I think that's good. I think that's what we need to do."
It all starts with loss control
Ultimately, says Merrill, companies have to make sound decisions when they decide to store information in the cloud. Many cloud providers have "incredible security controls," he says, but companies must still consider:
- What type of data are they going to store in the cloud?
- What applications and services are they going to access on the cloud?
- Are they using a public or private cloud?
- Are they encrypting that data, and are they the ones holding the encryption keys?
And for risk managers, questions should extend beyond how to store data and address what data needs to be collected in the first place. In the age of Big Data, the perception is that more is better, "but I don't necessarily agree with that from a risk-management perspective," Srail says. "It's risky to keep all that data."
Companies must consider what data they should collect, when they should get rid of data they do not need and how they can securely destroy that data, he says.
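Two of the points above, whether the customer rather than the provider holds the encryption keys and how data can be securely destroyed once it is no longer needed, are related in practice: if the customer encrypts before uploading and keeps the key, then deleting that key ("crypto-shredding") destroys every copy the provider may still hold. The following Go program is an added illustration of that pattern and is not code from the article or from any insurer or cloud provider quoted in it. The object store, the tenant key store, the key ID `dek-2014-q2` and the sample HR record are all constructed for the example; a real deployment would use a hardware security module or a key-management service under the customer's control.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// cloudStore stands in for a third-party object store. It only ever
// receives ciphertext, so a breach at the provider exposes no plaintext.
type cloudStore struct{ objects map[string][]byte }

func newCloudStore() *cloudStore { return &cloudStore{objects: map[string][]byte{}} }

func (s *cloudStore) Put(name string, blob []byte) { s.objects[name] = append([]byte(nil), blob...) }

func (s *cloudStore) Get(name string) ([]byte, bool) { b, ok := s.objects[name]; return b, ok }

// tenantKeys is the customer-side key store; data-encryption keys never
// leave the tenant. Deleting a key is the secure-destruction step.
type tenantKeys struct{ keys map[string][]byte } // key ID -> 256-bit AES key

func newTenantKeys() *tenantKeys { return &tenantKeys{keys: map[string][]byte{}} }

func (t *tenantKeys) Generate(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	t.keys[id] = k
	return nil
}

// Shred removes the key. Every object encrypted under it becomes
// unrecoverable, however many copies or backups the provider retains.
func (t *tenantKeys) Shred(id string) { delete(t.keys, id) }

func (t *tenantKeys) aead(id string) (cipher.AEAD, error) {
	k, ok := t.keys[id]
	if !ok {
		return nil, errors.New("key not available: " + id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM under the named tenant key and
// returns nonce||ciphertext||tag. The object name is bound as associated
// data, so a blob cannot be silently moved to a different object name.
func Seal(t *tenantKeys, keyID, objectName string, plaintext []byte) ([]byte, error) {
	g, err := t.aead(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal. It fails if the key has been shredded, the tag does
// not verify, or the object name differs from the one used at Seal time.
func Open(t *tenantKeys, keyID, objectName string, blob []byte) ([]byte, error) {
	g, err := t.aead(keyID)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], []byte(objectName))
}

// Demo uploads a record, reads it back, then shreds the key. It returns
// (roundTripOK, providerSeesPlaintext, readableAfterShred).
func Demo() (bool, bool, bool, error) {
	store, keys := newCloudStore(), newTenantKeys()
	const keyID = "dek-2014-q2" // assumed key identifier for this example
	if err := keys.Generate(keyID); err != nil {
		return false, false, false, err
	}
	record := []byte("employee=jane.doe;ssn=000-00-0000") // constructed sample
	blob, err := Seal(keys, keyID, "hr/jane.json", record)
	if err != nil {
		return false, false, false, err
	}
	store.Put("hr/jane.json", blob)
	stored, _ := store.Get("hr/jane.json")
	providerSeesPlain := bytes.Contains(stored, record)
	back, err := Open(keys, keyID, "hr/jane.json", stored)
	roundTrip := err == nil && bytes.Equal(back, record)
	keys.Shred(keyID) // retention period over: destroy the key, not the copies
	_, err = Open(keys, keyID, "hr/jane.json", stored)
	return roundTrip, providerSeesPlain, err == nil, nil
}

func main() {
	rt, leak, after, err := Demo()
	fmt.Println("round trip:", rt, "provider sees plaintext:", leak, "readable after shred:", after, "err:", err)
}
```

The design choice worth noting is that destruction is a key-store operation rather than a provider operation: the customer does not have to trust the provider's deletion promises or find every replica, which is exactly the contractual gap the article describes.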
Merrill likewise talks about the risks associated with gathering large amounts of data, and the education that needs to go with collecting it all. He says ACE insures companies in many different industries. "They have all this data, and they see the benefits of Big Data," he says. "They're finding correlations between different types of data that's going to help their business. And that's a good thing, but it also presents some risk."
Beyond the risk of a breach that exposes the collected information, Merrill raises questions about privacy that companies should consider: "When you wrote your privacy policy, did you disclose you'll be collecting that type of data, or using it in some way, or sharing it with third parties?"
He says the Federal Trade Commission is looking into how companies gather and store information, explaining that when people download apps, for example, they may not read through the disclaimers. "I get a free app," he says, "I get to play around, but I don't realize what you're doing with my information."

Source: FTC December 2010 report: Protecting Consumer Privacy in an Era of Rapid Change
The data collected goes beyond what may be perceived as "personal information" in the traditional sense, Merrill says, tracking activities such as a person's location, what the person does with his/her time, where they spend time, etc.
"This stuff is being monitored," says Merrill, "and I don't know that it's been terribly transparent to consumers. The FTC is looking at that."
Beyond reviewing policies and procedures, companies must train their employees, Merrill says, noting that a significant number of losses are still caused by employee errors—both honest mistakes and malicious intent. "Getting that culture and training is a huge risk-management-mitigation tool," says Merrill.
Catherine Padalino, senior vice president, Chubb Specialty Insurance, who offered comments at RIMS during a presentation on the company's Multinational Risk Survey, spoke to employee risks as they relate to companies' "bring your own device" policies. She says this is a popular policy, but it puts companies at risk, especially as employees travel with devices containing business-confidential information.
Padalino says companies should think about what information employees store on their devices and what measures are in place—password protection, encryption, the ability to remotely wipe data from the device—to protect that information.
She says employees should be provided examples of what they can and cannot do—what information they can store, what they can transmit and even what can they post on social-media accounts.
After a breach, is there a 'right' way to respond?
Risk managers also need to be thinking about what to do in the event their companies suffer a breach. During a breach, a company can face criticism from many directions. Target, for example, in the breach that it suffered around the holidays, was criticized by some for taking too long to reveal the breach to consumers and not sharing a lot of information when it did. But then it received further criticism when the breach turned out to be larger than the company had initially said.
Should Target have waited longer to report the number of records compromised? Is there any one "right" way for companies to handle data breaches?
"It's almost a no-win situation," Srail says. "It's just a not-lose-too-bad situation."
ACE's Merrill says each breach is different, and it is difficult for a company to know exactly how it will react to the specific breach it suffers. He compared it to parents-to-be expecting a child: "You have absolutely no idea how you're going to react the moment you have this little person," he says. "You just don't know until you experience it yourself.
"And so many variables can come into a breach just like when you have a baby. You're going to get dealt different fact patterns. And if you have multiple children, you know no two are the same. They're all a little bit different. Data breaches are just like that. You have no idea how your organization's going to react."
He says even if a company has a plan in place, and has discussed it with all of the relevant personnel, data breaches "all have personalities."
He adds, "Facts are so important when dealing with breaches," and says it is difficult for people outside the company to know what was going on inside. "It takes a lot of work for companies to get to the point of notice" and notify the public in the right way with the right facts.
And he says there can be complications. "Sometimes you're being told [information] by a vendor and you don't even know yourself," says Merrill.
But he says, "You want to get it right," and adds that companies that rush to notify can get in trouble.
Despite the chaos that can ensue after a breach, Willis' Srail says, "I think the right thing to do is to have your plan in place." He says companies must review their incident-response plans to make sure they "work with the world that we're playing in today," and also that they work with any cyber-insurance policies the company has purchased. Some insurers, Srail notes, require insureds to use a certain vendor or select from a list of vendors, for example.
"As you're evaluating carriers," Srail says, "make sure the policy works within your plan or adjust your plan."
He says the plan should also address who is going to—or not going to—speak to the media. One carrier that sells policies and services, Srail says, explains to clients that they do not want their public-relations firm involved. The job of PR, he says, is to "get your name out there."
A company that suffers a breach does not necessarily want that. It may instead want an expert communications firm that can deliver critical information timely and accurately and then get the company's name out of the news, making the event one of the breaches the public largely forgets about rather than one people talk about.
Srail also says companies should work with the best industry professionals. For example, lawyers who understand notification laws and can advise that "for every day you delay here, you increase class-action potential, but decrease the chance of regulatory actions, fines or penalties from state attorneys general."
Merrill likewise talks about the importance of working with the right vendors and conducting "tabletop exercises to go through scenarios to see if processes are working" as the company intended.
But companies also have to be able to "adjust and be nimble," he says. What works for one company may not work for another, even if the records breached are similar. "There are so many variables that come into data breaches," Merrill says, adding, "I've never seen the same breach response work in two different cases."
© Arc, All Rights Reserved.