Cyber insurance 101: Policy can be life ring on sea of cyber risk
GRAND FORKS, N.D. – In the history of fire insurance, the Great Chicago Fire stands as a milestone.
The 1871 fire destroyed some 3½ square miles of the city and bankrupted 68 of Chicago’s 200 fire insurance companies. But the city and the insurance industry not only recovered, they did so while pioneering dramatic improvements in fire protection, firefighting and fire insurance practices.
Today, businesses and homeowners routinely carry fire insurance. And they need it blessedly seldom, because thanks to prevention, catastrophic fires now are rare.
Here’s hoping the recent ransomware attacks in Atlanta and Baltimore help speed a similar evolution. Because right now, too many “cyber structures” in America are rickety and made of figurative wood – and as we’re learning, it doesn’t take much to make the structures go up in virtual flames.
Cybersecurity is a big part of fixing that situation.
So is cyber insurance, and that’s what this story is about.
Cyber insurance helps protect companies financially against hacking, ransomware and other internet-based risks. It’s one of the fastest-growing areas of insurance; premium totals will triple in the next few years, jumping from $2.5 billion in 2017 to $7.5 billion in 2020, PWC Global predicts.
The growth is understandable. "Cyber crime is the greatest threat to every company in the world," Ginni Rometty, IBM's chairman, president and CEO, said in 2015.
Rometty had a point, as Atlanta and Baltimore’s experiences in March showed. “Hackers launched cyberattacks in both cities,” reported Governing magazine, “hobbling the 911 emergency response system in Baltimore, crippling a wide swath of city services in Atlanta, knocking out Wi-Fi at the nation’s busiest airport and forcing city workers to keep records with pen and paper.”
Such attacks get people’s attention, coming as they do on the heels of infamous breaches of Target, Equifax and other large firms.
But Prairie Business readers, take note: It can happen here. That’s because these days, small and mid-sized businesses in the upper Midwest and elsewhere are at serious risk, said Adam Hamm, former North Dakota insurance commissioner and past chairman of the cybersecurity task force for the National Association of Insurance Commissioners.
“Cyber attackers are looking for soft targets,” Hamm said. Small businesses often qualify because they lack strong cybersecurity protections.
The response of any business should be twofold: First, strengthen cyber defenses; and second, consider cyber insurance.
Basically, “it doesn’t matter what size business you are, whether you’re a multinational or on Main Street,” Hamm said.
“A cyber liability insurance policy is likely a prudent course of action.”
The region’s organizations now are learning this first-hand, said Gregg Schaefer, senior producer and vice president of sales at Vaaler Insurance in Grand Forks.
“I spoke with one fellow, he bought a policy and a week later, he got hacked,” Schaefer said.
“That claim probably was in the $20,000 range. We also had an $85,000 claim; we had written it for a client, and 10 days later, he got hacked, too.”
These days, about half of all cyber attacks target small businesses, Schaefer said.
“Before it was, ‘This will never happen to me,’” he said.
“Now, it’s happening a lot, and people are hearing about it.”
Organizations that are thinking about buying cyber insurance should engage in a four-step process, said Hamm, who’s now in Chicago as a managing director and cyber insurance expert for Protiviti, a consulting firm.
- “The first question is, ‘What kind of coverage does your business need?’” Hamm said.
For example, first-party policies cover the company’s direct costs in the event of a breach. These may include notifying customers, buying credit monitoring for those customers, recovering blocked data and mounting a PR campaign to restore the company’s reputation.
Third-party policies protect against lawsuits, such as from individuals whose credit-card numbers were accessed during the breach.
“In your first conversation with an insurance agent, you want them to understand what you do in your business, and what kind of data you have that a breach could expose,” Hamm said.
“Then you work backwards to decide what kind of coverage you need. That’s Step 1.”
- Step 2 calls for figuring out the company’s maximum liability. Is the business a small shop where an attack might cost thousands of dollars? Or does the firm’s extensive data and Internet presence potentially expose it to a multimillion-dollar expense?
Remember, even a business with seemingly little exposure probably keeps employee data – including Social Security numbers – on its computers.
Also remember “supply side attacks.” Like the 9/11 terrorists who leveraged box cutters into destroying the World Trade Center, cyber crooks used the stolen credentials of a single HVAC vendor – not Target itself – to penetrate Target’s defenses and steal 40 million credit and debit card numbers in 2013.
So, if your company links with other organizations’ systems, then mind your cybersecurity, lest you be used as a backdoor.
- In Step 3, the company simply balances how much risk it wants to transfer to the insurer against how much premium it is willing to pay.
- “And the fourth question is really the difference between the companies that make this purchase with their eyes open, vs. those that may be in for a rude awakening,” Hamm said.
That question is this: What will the policy not cover?
“Because this type of insurance is developing so fast, there’s very little consistency between products regarding what’s covered, what’s not covered and how much the policies cost,” Hamm said.
For one thing, not enough actuarial data has been gathered to bring about industry-wide consistency. For another, cyber crooks keep launching new and unexpected attacks – and that keeps saddling American industry with new and unexpected risks.
There is good news in all of this, and one piece is the fact that cyber insurance doesn’t have to break the bank. The field’s growth means companies are fighting for market share, and consumers can benefit from the prices that result.
For example, consider a policy offering $100,000 in coverage. It might cover notifying customers, recovering data, paying the ransom in a ransomware case, lost-income expenses and a list of other first- and third-party costs of an attack.
Depending on the type of business and other factors, the premiums for such a policy might start at less than $100 a year, said Desiree Khoury, vice-president for specialty reinsurance at NAS Insurance Services in California. (North Star Mutual Insurance Co. in Cottonwood, Minn., is among those that offer NAS’s cyber insurance plans.)
With higher limits will come higher premiums. At Vaaler, for example, a construction company’s annual premium for a Travelers cyber insurance policy with a $1 million limit likely will be in the neighborhood of $5,000, Schaefer said.
But in all cases, the focus on insurance mustn’t blind executives to the need for good cybersecurity. To protect against the potential devastation of a fire, today’s business owners have smoke detectors, sprinkler systems and fire insurance, Khoury said.
That’s the way owners can lower their cyber risk, too.
“So, when you get that reminder to do a security update on your computers, don’t just click out of it,” she said.
“Make sure you make the update.” The whole process starts with sweating such details, because businesses first should make their systems as hacker-proof as they can be.
Editor, Prairie Business