As the threat landscape continues to grow, the fight between organisations and cybercriminals can often feel like a high-stakes cat-and-mouse game. To reduce the impact of cyber-attacks and data breaches, companies today need to be financially prepared, and having cyber insurance makes smart business sense, security correspondent Daniel Bardsley reports.
Dr Florian Kerschbaum, the executive director of the Waterloo Cybersecurity and Privacy Institute in Canada, has been observing the cyber insurance market since the late 1990s.
More recently, his personal experiences, not just his academic work, have indicated to him the possible need that both individuals and businesses may have for cyber insurance.
“I’ve been offered identity fraud insurance by a whole bunch of insurers which would be targeting the individual,” says Dr Kerschbaum, an associate professor at the University of Waterloo, where the institute he directs is based.
“And I know a local doctor in the town who’s been hacked. Their general liability insurance in this case covered cyber security and they were covering the costs of [fixing] the system so I think particularly the small [businesses] are the ones who should take out cyber insurance.”
Dr Kerschbaum’s experiences hint at a wider trend: as cyber threats appear to grow, cyber insurance is becoming ever more important and the sector is expanding fast, in contrast to earlier years, when it often failed to meet growth forecasts. The increased profile of the sector has been noticed by others.
“I’ve been dealing for the last two years with SMEs [small and medium-sized enterprises]. At the start of 2016, very few had even heard of cyber insurance. Today, a majority of SMEs have implemented it at some level. That might be very, very low level, but they’ve got some support,” says Jake Moore, a cybersecurity specialist with the UK-based internet security and anti-virus company ESET.
Statistics back this up. The cyber insurance market was worth $4.2 billion in 2017, according to India-based Zion Market Research, approximately a ten-fold increase on a decade earlier. The overwhelming majority of coverage was in the United States.
In addition, over the past decade or so, the number of insurers offering cyber insurance has, according to reports quoting the insurer Chubb, increased almost four-fold to about 65.
The forecasts are for cyber insurance to keep expanding at a breathless pace, with turnover likely to exceed $8 billion by 2020, according to Morgan Stanley.
Annual growth is running at more than 25 percent, according to Zion Market Research, thanks to the rapid growth in online shopping, the digitisation of government data and the enforcement of legislation on data breaches, especially in the United States.
Cyber insurance policies can cover a wide variety of incidents, ranging from hacking to extortion to the costs of dealing with the fallout of data breaches, which includes contacting customers and even paying fines for breaching regulations on data security.
Yet, for all that cyber insurance is becoming increasingly mainstream and offered by larger numbers of insurers, difficulties remain.
“The primary factor that has limited the growth of cyber insurance has been the lack of good data about how frequently cybersecurity incidents occur and how much they cost. This makes it extremely difficult to build reliable actuarial models,” says Dr Josephine Wolff, the author of the book You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches.
Wolff, an assistant professor in the Rochester Institute of Technology’s Department of Public Policy in the United States, says that the data is improving for certain types of incidents such as data breaches, because companies are required to report many of these by law.
“For other types of incidents, such as ransomware or denial-of-service attacks, the data is not improving as rapidly and there are still significant challenges,” she says.
Observers have pointed out that risks do not remain static and, because they are often linked to human behaviour, can be hard to quantify.
Despite concerns that some insurers are exposing themselves to risks they do not fully understand, cyber insurance appears so far to be as profitable as other forms of insurance, with reports indicating that the ratio of losses to premiums is about 55 percent.
Even some large incidents, such as 2017’s WannaCry ransomware attack, have not required vast payouts.
But there are signs that this is changing. The June 2017 NotPetya cyber-attack affecting the pharmaceutical company Merck is expected to cost insurers well over $200 million, possibly an expensive portent of things to come.
Risks are expanding thanks to the march of digitisation, the way that the Internet of Things is extending its reach into more industries, and the reality that hackers are becoming ever more sophisticated.
“I think that there are a number of potential threats that we only very rarely hear incidents about [yet],” says Kerschbaum.
“One is critical infrastructure, including life-threatening kinds of incidents. So, if you are able to melt a nuclear power plant, that’s a very different kind of threat scenario.
“We’ve seen these cyber-physical systems pose completely different threat levels to those right now.”
Kerschbaum also sees digital currencies and the banking system as being at risk of major attacks that could, in turn, hit insurers hard.
Aside from the question of how cyber insurers will fare is the issue of whether companies themselves benefit from being insured and what possible negative incentives the existence of cyber insurance creates.
“Depending on what your insurance policy covers, it’s possible that insurance will lead to companies being more willing to pay ransoms or create moral hazard problems where companies do less to secure their own data because they know any losses will be covered by their insurers,” warns Wolff.
Concerns have even been expressed by others that insurers could end up paying ransoms to “terrorist” cyber attackers.
Wolff adds, though, that most policies do not cover extortion and many have relatively high deductibles, which helps to drive down some of these unintended consequences.
There is no question, according to Wolff, that companies of all sizes are now buying cyber insurance, perhaps especially small and medium-sized enterprises that cannot afford to invest in security in-house. She does not see this, however, as a case of businesses buying insurance as an alternative to investing in cyber defences.
“Many smaller companies do not have the resources to employ and support their own in-house security staffs and therefore have to rely more on third parties and insurance policies for protection,” she says.
Indeed, ESET’s Moore warns companies against using cyber insurance as an alternative to robust cyber defences. “Companies need to prevent it from happening because they cannot simply rely on insurance,” he says.
What can cyber insurance do in the event of a ransomware attack?
When it comes to ransomware attacks, a key benefit of having cyber insurance may be access to experts who can advise on how to respond, something likely to be especially welcome given the stresses that such events create.
According to a briefing document by JLT Specialty, an insurance broker, background knowledge can help a company that has fallen victim decide whether or not to pay up. The nature of the attacker, the question of whether data can be recovered and the likely results if a ransom is paid should be factored in when determining whether to pay.
The insurer may be able to carry out the negotiations on behalf of the client, determine if paying up breaches regulations, actually make the payment, typically in a cryptocurrency, and eliminate the risk of further incidents.
There are moral considerations too, ones that have raised concerns with ESET’s Jake Moore, who says there have been “unethical” cases of attackers being paid off.