Cyber insurance – a necessary cost of modern business
The Target hack was a consciousness-raising incident for C-level execs, making them realize that the total costs of an intrusion and data theft are much greater than a damaged reputation and associated PR cleanup. The incident cost several execs, including the CEO, their jobs and the company over $250 million in expenses, of which about a third was covered by Target’s liability insurance, an instructive data point to which we’ll return.
At far less than 1% of Target’s $73 billion in annual revenues, that’s pocket change, but for smaller organizations, the risk of irreparable harm from a cyber attack is all too real, particularly when the motivation isn’t always financial, but sometimes ideological.
Just ask Brian Krebs, a well-known security researcher, after his site was taken out by someone displeased by his recent investigations who launched an attack that, if sustained, would cost millions of dollars to mitigate.
The ability to compromise and weaponize the growing number of connected devices, many of them relatively dumb appliances like IP cameras, thermostats, home broadband routers and set-top boxes, means that any person or group with an axe to grind can knock your site offline with a flood of network noise via a distributed denial-of-service (DDoS) attack.
Given the scale of these attacks, it takes Herculean efforts from organizations with deep security and network expertise plus lots of bandwidth (read, money) to counter them. Meanwhile, the target’s business is offline, which, for more and more organizations, means that they might as well be closed.
Providing financial protection against unusual events with extreme consequences is the point of insurance and in today’s world of digital business, organizations are more likely to be adversely affected by data hacks and DDoS attacks than fire and flood, which explains the growing interest in cyber risk policies.
According to a report from Betterley Risk Consultants, an independent insurance and alternative risk management consulting firm, the annual volume of cyber risk premiums is around $3.25 billion, up about 18% from last year. The estimate is admittedly imprecise since it’s derived from a manual survey of 18 insurance carriers; however Betterley notes that several companies now write cyber policies totaling $50-100 million or more.
It’s a robust market, with the majority of carriers reporting annual growth in the low double-digits and a few doubling their premium volume over the past year. The report’s author believes that the “market has nowhere to go but up,” however, Allianz expects cyber premiums to explode, hitting $20 billion by 2025 with 24% penetration across U.S. businesses.
Data theft not the only risk
Although the majority of cyber attacks target data that can be easily monetized like customer names and credit card numbers, as the Krebs incident demonstrates, even the savviest of security experts are powerless to stop an aggressor bent on disruption, not theft.
Krebs, who had reported on an Israeli company that had commercialized a DDoS service, saw the perpetrators or their fellow travelers train their weapons on him in retaliation. The result was an attack of unprecedented size, nearly double the largest previous attack his mitigation service, Akamai, had seen.