Stuxnet was never meant for Chevron. But in 2010, the sophisticated worm escaped into the wild after debilitating nuclear power plant systems in Iran.
While the U.S. oil giant was merely an accidental victim, but no worse for wear – the malware was written so that its payload only would fire against a specific target list, in this case uranium enrichment facilities in Iran – the incident served as a wake-up call. The fact that a U.S. government-created virus could find its way into an American organization was disturbing. But it also was telling.
What lingered in the minds of many critical infrastructure operators – and those tasked with managing their ledger books – was the uphill battle that lays before them in defending their networks and systems from sophisticated attacks spearheaded by government-sponsored groups.
But, it’s likely that other thoughts festered, too: Namely, what if there was another accident? What if the payload activated next time?
How would the mess be cleaned?
When cyber security insurance was first dreamed up more than a decade ago, the likelihood of a company needing financial assistance after being accidentally compromised by one of the most advanced pieces of malware ever designed wasn’t considered.
Never mind the more likely possibility that a compromised firm might require financial compensation after being infected by any number of today’s stealthy trojans that are built to steal coveted assets, such as customer data or intellectual property.
Cyber insurance originally was conceived as another form of risk mitigation that a company could implement for the possibility of network damage or downtime – the digital equivalent of its roof caving in. For example, recall Melissa, a 1999 mass-mailing worm that forced a number of companies to briefly shut down their email systems, but which resulted in no data theft, espionage or catastrophe.
Standalone cyber insurance policies were available around this time, but the coverage largely insured damages caused by these types of nuisance events. And policies generally were catered to emerging dot-com companies that were dependent on online business.
But, over the years, policies have expanded to include expenses associated with loss, theft and disclosure of data, as well as the costs associated with breach notifications, forensic investigations, credit monitoring services and public relations. Coverage also extends to compensating for legal claims made by impacted customers.
When deciding whether to insure a customer, brokers assess the current security procedures and policies of candidates, in addition to how vulnerable to compromise their assets might be.
As a result, many insurers aren’t interested in rolling the dice when it comes to possible high-risk policy holders, while some customers enter into sticker shock when they learn the premiums they are being asked to pay.
Scott Kannry, vice president of Aon Risk Solutions, an insurance firm headquartered in London, says Stuxnet is a prime example of the type of malware attack for which companies are not prepared to insure.
Kannry spoke at this year’s RSA Conference in San Francisco about the challenges insurance companies face when assessing threats to critical infrastructure – and other difficult-to-quantify assets, such as intellectual property.
“When you are talking about a potential Stuxnet situation, we are talking about billions of dollars in industrial assets,” he says. “And no single insurance company wants to come anywhere close [to taking on] that amount.”
Intellectual property theft, in particular, proves challenging to evaluate, says Nicholas Economidis, an underwriter at London-based specialty risk insurer Beazley, speaking on the same RSA panel. Firms and insurance companies find it difficult to agree on the value of intellectual property, and insurance providers see many organizations as “overly optimistic” about the worth of their proprietary data.
Making the case
The insurance industry hasn’t been privy to enough historical data to help it accurately gauge certain types of threats, or cyber-related incidents in general, says Andrew Braunberg, research director of NSS Labs and the author of a recent report that highlighted why the insurance market hasn’t grown as predicted over the past decade.
“If it was health insurance, home or fire insurance, it’d be much easier to set rates, given the exact situation that you are trying to insure,” he says. Determining an organization’s security posture is not as easy as going through a checklist for which firewall or anti-virus software is in use. Often, these technologies fail at preventing an attack.
A lack of statistics, as well as a number of external factors that contribute to cyber risks – such as missteps by third-party suppliers or partners – can help insurers forecast incident costs. But, these have been scarce. This lack of indicators to substantiate risk are cited as contributing to the sluggish cyber insurance market, the report found. In addition, if a breach does occur, it’s often difficult to quantify losses.
It’s this “unquantifiable number” that worries management who might be considering investing in cyber insurance, says Larry Whiteside, CISO of Grand Rapids, Mich.-based health system Spectrum Health.
Spectrum Health has a policy. However, other organizations remain reluctant, unless they can be shown the real risks.
“The places I’ve been that have chosen not to [acquire insurance] said we make a certain amount of revenue and we are willing to self-fund the cost of a breach up to a certain amount, unless you can demonstrate a potential likelihood that a breach would go over those costs,” Whiteside says.
Cris Ewell, CISO at Seattle Children’s Hospital, says that while his employer purchased cyber insurance about 18 months ago, cost was an impediment.
“I have a policy, and I typically look at it as protecting [my organization] against catastrophic loss,” Ewell says. “We have good controls in place, and I will accept the risk of minor losses and account that into our budget. We have a high deductible for the plan. Most organizations can’t have a very small deductible because it’s very costly insurance.”
Despite the holdups, one study suggests that more organizations are inclined to shift practices to those like Seattle Children’s Hospital.
New York-based insurance firm Marsh found that 33 percent more of its clients had purchased cyber insurance last year compared to 2011. The March report found that business, legal, accounting and personal services firms led the pack. These sectors experienced a 76 percent increase in the number of clients purchasing cyber insurance from 2011 to 2012.
Interest in insurance to address the climbing costs of security breaches may also be growing, according to a study released in February by the Ponemon Institute and Solera Networks, a South Jordan, Utah-based Big Data security intelligence and analytics firm.
The study found that the severity of data leakage incidents has increased over the last two years for 54 percent of the 3,500 IT professionals who responded. Fifty-two percent of those polled said the frequency of breaches also has increased over the same period. Breaches defined as “malicious” cost victim organizations $840,000 on average.
Emile Trombetti, senior vice president at consultancy Booz Allen Hamilton, says small to midsize business are ideal candidates for cyber insurance because they may not be able to absorb the standard costs associated with a breach.
“On the whole, data breach insurance is more beneficial to mid-range or small companies that don’t have the resources to have a general counsel staff,” Trombetti says. “Their loss to try to defend these [claims against them] could put them out of business.”
Indemnify or absolve?
The details of cyber insurance plans are changing as steadily as the threats facing organizations – a major reason to consider the fine print before jumping into a policy, experts say.
Like any insurance, customers regularly pay into a plan, so when catastrophe strikes, they want to be fully compensated for their losses. But, adjusters typically aren’t willing to part with as much money as the customer believes they are owed. These fights often end up in court. Therefore, a policy quibble could wind up costing a breached organization more than the actual attack itself.
Meanwhile, insurers are closely watching privacy and cyber-related legal developments, including changing state laws on notification requirements, says Catherine Mulligan, a national underwriting manager for specialty errors and omissions (E&O) at Zurich North America.
More often than not, the major costs absorbed by insurance companies are usually those associated with the more immediate responses to breaches, as opposed to other liabilities that may show up later, such as legal complaints filed by affected customers, she says.
Currently, Zurich is embroiled in an ongoing lawsuit with Sony over this very matter. Zurich was Sony’s insurer in 2011, when hackers pulled off a massive breach of the electronics giant’s PlayStation Network (PSN) and on-demand entertainment service Qriocity. Sony contended that it should be compensated for the dozens of lawsuits filed in response to the incident. Though a U.S. District Court judge in California ultimately absolved Sony of several charges stemming from a consolidated, class-action suit, the Zurich-Sony battle continues in court.
Meanwhile, in 2009, the Massachusetts Supreme Court upheld the dismissal of a lawsuit launched against BJ’s Wholesale Club by roughly 70 credit unions and CUMIS Insurance Society, their insurer. The credit unions and CUMIS sued BJ’s on the grounds that the retailers, and its payment processor, Fifth Third Bank, violated a third-party contract by failing to protect cardholder data during a 2004 breach in which hackers stole 9.2 million credit card numbers of customers.
In addition to noteworthy legal cases, lawmakers have also significantly impacted the cyber insurance market. Over the last decade, most states have introduced data breach notification laws, and the prospect of covering these costs through a policy is an attractive feature for potential buyers. For example, Connecticut recently amended its data breach notification law to require that businesses notify the attorney general of the state, in addition to residents, making enforcement more probable. The change went into effect last October.
“We are seeing an increase in state attorneys general requiring notification,” Mulligan says. “Connecticut just updated its requirements where notification has to go to the state’s attorney general, who can issue fines.” Penalties can also come down from the Federal Trade Commission, she adds
And, if organizations file more notification-related claims, that doesn’t necessarily mean that insurance premiums will skyrocket, since cyber insurance buyers now include a range of high- and low-risk clients, which helps offset the risk for insurers.
The impact of emerging technology
Over in IT, cloud and mobile are creating new paradigms in the business world. The promise from these so-called disruptive technologies includes greater efficiency and cost savings, but they also present serious risks. As such, insurers must incorporate their potential impact into policies, such as the possibility of business interruptions or data leakage.
“This is of particular interest as more organizations are moving their operations to the cloud,” Mulligan says. “What if a cloud service provider goes down? It could be one event that impacts many policyholders at a time.”
Plus, other advances in technology create other risks. Insurers have begun to introduce exclusions for breaches that result from unencrypted mobile devices that are lost or stolen, Beazley’s Economidis says. “We think it’s reasonable for health care entities, for instance, to encrypt devices because there’s been such an increased incidence of them getting lost,” he says. This specific clause went into effect last year at his company.
However, Economidis sees the trend in the industry removing exclusions rather than adding them. “Over time, as we’ve gotten more experienced and knowledgeable about the risks, we’ve expanded the policy,” he says. “As we understand what the costs are, I think we’ll continue to expand.”
Some state governments are considering taking on cyber insurance as well. It’s imperative for organizations to consider various outcomes that could affect business in case of a breach, says Theresa Masse, CISO for the state of Oregon. “Maybe run through a couple of scenarios that, if a breach happened, you would need coverage,” she says. “You need to be really, really clear on understanding what is covered for the premium you are paying. There’s too many assumptions made during negotiations than there are discussions when [an incident] happens.”
So far, Oregon has grappled with covering certain agencies within the state, as opposed to a more comprehensive plan, Masse says.
Ultimately, says Geoffrey Allen, executive vice president of Willis North America’s FINEX unit, which deals with financial and executive risk and professional liability business, it’s difficult to establish a price range on cyber risk coverage, as it varies according to the size of the business and the amount of data with which it deals. Some of Willis’ bigger clients, however, have purchased up to $300 million in coverage, he says.
When considering cyber insurance, companies are forced to truly take stock in what’s most critical to their business operations. And, in an environment in which advanced and stealthy threats often go undetected for months at a time, that can be tricky.
“Ask yourself what data you have,” Allen says. And, if a business is reliant on its network being available, does it have complete integrity for any data flowing through it.