Cyber Risk is Changing
In the recent past, the traditional view of cyber liability was the exposure of an organization to liability arising from the negligent management of private data in its care. The traditional exposure here was mainly for retail, health care, or banking industries, and the costs associated with a cyber loss were essentially the costs to pay affected individuals’ membership fees in an identity theft protection program.
However, just as technology has rapidly evolved, so have the risks associated with this evolution. Industries not traditionally exposed to cyber liability are now finding that their risk is reaching the point where some type of risk financing needs to be considered.
According to industry sources, in 2014 there were a record 1 billion records compromised (e.g., those from Target, Sony, and the Feds). In addition, up to 80 percent of organizations larger than 1,000 employees detected incidents during 2014. I emphasized detected because, if you talk with IT insiders, they will all admit to being targeted, they just may not all know it. As proof of this, in 2015, 39 percent of cyberthreat sources remained unknown, even after detecting and fixing the resulting damage they caused. And costs are escalating as well. According to Poneman Institute’s 2014 Cyber Risk Survey, the average annual cost from cyber losses is $13 million, with each average event lasting 45 days and costing $1.6 million.
No longer are we only concerned about the hazards arising from identity theft. As industry is increasingly mobile and in the cloud, important company data, functional assets, and even operational controls are at risk. Consider the increasing risk from a manufacturer that is networking their production control systems. Previously, to shut down a production line in Omaha, you physically had to sit in the plant (and sometimes at the line itself). Now, important production inputs in Omaha can be compromised from remote locations anywhere in the world, leading to production shutting down even if the machines are still operational.
Cyber Insurance is Also Changing…but Slowly
Fortunately, the insurance industry is also recognizing this increased risk exposure. They are adopting modified insurance forms that include coverage for costs beyond just third-party identity theft protection fees.
Modern forms include coverage the traditional privacy claims (defense costs, fines, damages, etc.). But now they also cover first-party costs such as: 1) legal, forensic, notification, and PR/crisis communication fees, 2) Cyber extortion costs (ransom payments, value of goods, and expert fees), 3) direct damage from hackers, and 4) lost profits from interrupted business operations.
As demand for and purchase of this type of coverage increases, the costs (currently between $10,000 – $25,000 per million of limit) should drop. However, insurers are still having difficulty in underwriting these exposures as they are changing so rapidly, and the losses are not generally public.
Smart risk managers can take advantage of the changing environment and can find great deals amid all of the chaos. Careful market analysis is required, however.
If You Buy, How Much Should You Buy?
Of course, keep in mind that most insurance brokers will gladly sell you as much as you can afford. However, this is rarely a winning risk management strategy. Most companies will buy based on what their preferred peer is buying. Brokers will cite benchmarks of what others are buying as a starting point. However, you can also buy based on historical loss experience. Your IT and legal departments can often give you insight into what these losses have been costing in the past. But also keep in mind that the past is a bad indicator of future exposure in this rapidly-changing area.
Perhaps the best way to buy is to use a more advanced risk analysis that considers your particular risk appetite, your culture and the economic consequences and probabilities of future loss. In addition, undertake a comprehensive study of where you are currently covered for cyber risks within your existing property and casualty insurance.