Risk of cyber attacks is only going to increase, and there is little to prevent it, as hackers seem to stay a step ahead of the technology. Bill Cosgrove, managing principal and practice leader for EPIC Insurance Brokers & Consultants' Financial & Executive Risks Practice, says preparation, diligence and a good insurance policy can ease the pain for targeted companies.
Information is the fuel that drives our 21st century economy. The rapid growth of big data, virtualization, cloud storage and other service applications doubles network bandwidth requirements every 18 months, seriously challenging security solutions. Factor in the growing sophistication of cyber criminals and their diverse motivations for attacks, and you have a recipe for disaster.
Cyber security breaches are one of the biggest risks businesses face — not just in terms of immediate dollar loss, but also as a threat to long-term growth and carefully built brands. Recent high-profile attacks, such as those against Premera Blue Cross and Anthem Insurance Cos. Inc. this year, highlight the substantial effect and significant costs associated with these attacks. And the breaches we hear about are just the tip of the iceberg, as a growing number of companies know they have been attacked but don't report the breach because no data were stolen.
The risk of attack continues to mount while readiness remains a challenge. A recent Ponemon Institute study estimated the average annualized cost of cyber attacks at more than $12 million per U.S. company, and PricewaterhouseCoopers L.L.P. estimates that cyber incidents have increased at a compound annual growth rate of 66% since 2009. The broad range of recent attacks means that no business is immune to a problem so pervasive that some companies are collaborating — even with competitors — to combat cyber crime.
Are you prepared?
Don't be lulled into complacency because you haven't (or think you haven't) been breached. While most cyber attacks might have been easily detected and remediated just a few years ago, that's not the case today.
Threats have evolved from pranksters looking for bragging rights into more sophisticated attacks by individuals, organized crime, disgruntled employees, competitors, nation states and cyber terrorists — their motives running the gamut from profit to revenge to mayhem. This is a constantly shifting battlefield. Threats can morph, move laterally or lie dormant as ticking time bombs. And the attacker may already be behind that “wall” you've built, waiting. The inevitability of cyber attacks isn't really in question, only their timing and severity.
Planning your approach
Cyber security is no longer just an issue for the information technology department. It should be understood at the highest levels of management as a key strategic issue and approached with a glaringly realistic attitude. It should be an integral part of corporate strategy, addressed at the C-suite and board levels and permeating your organization.
Risk and governance should have policies and procedures in place. Human resources should ensure that employees are adequately trained, and security should ensure that physical access to sensitive information is limited. Department and practice leaders should understand the technology that supports their business and its vulnerabilities.
It's also crucial to recognize that cyber security is not a “set it and forget it” thing. It requires a customized, proactive approach to stay ahead of the creative people who are trying to hack your systems. You need a dynamic, layered approach because there are so many possible attackers and means of attack, internal and external.
There's also no one-size-fits-all solution. Constant updates of antivirus and antispam programs aren't enough. You need to take on an “only the paranoid survive” attitude, matching your protection to the speed and complexity of your networks and systems. Still, operations must appear seamless to users.
Getting good legal advice is key. According to Walter Andrews, a Richmond, Virginia-based partner at Hunton & Williams L.L.P., many companies are seeking advice from law firms with dual expertise in post-breach legal preparation and the evolving case law on cyber insurance products.
Having a plan can make a huge difference in insurance protection and claims. As evidence, Paragon International Insurance Brokers Ltd. in London handled 35 cyber breach claims in the first six months of 2015. There was a noticeable difference in the cost of claims from companies that were “prepared” for the event, having a tested incident response plan, compared with those that weren't.
On top of this, even the best counterstrategy is likely to fail at some point. I have conversations with corporate executives who are unsure about the effectiveness of their organizations' cyber security strategy. What they are sure of is that they have a growing need for cyber insurance. No wonder U.S. spending on cyber risk insurance continues to rise, nearly doubling to about $2 billion from 2013 to 2014, including companies new to the market and those that purchased additional coverage. And the number of companies buying cyber cover has tripled through September, according to a BDO USA L.L.P. survey.
Cyber insurance: key considerations
The expanding number of carriers entering the cyber insurance market is certainly positive from the standpoint of cost and capacity for the buyer. But the lack of a standard product makes comparing carriers a challenge, heightened by the disparity in understanding the risk and the sophistication of the underwriting teams. If you don't have cyber insurance or are re-evaluating your coverage, there are several things to consider.
• It is important to understand that cyber coverage is part of a risk management process and not a solution. Because insurance is the financial backstop when all else fails, a mitigation plan is critical.
• Look for providers with a solid grasp of emerging case law, evolved actuarial models and a firm commitment to the space.
• Consider a company that helps minimize your risk by bundling security solutions with insurance. Brian Branner, managing director of insurance at Overland Park, Kansas-based RiskAnalytics L.L.C., predicts that this approach, similar to loss control as part of a property/casualty placement, will become the standard in the cyber insurance space.
Finding a provider with the perspectives and information to help you make an informed decision is key. Look beyond marketing hype, test products and go with experts with third-party certifications. Check references from several customers, including back-channel references. Integrate cyber into directors and officers renewal discussions, too, because several high-profile cyber events, including the 2013 breach of customer data at Target Corp., have triggered D&O claims.
Above all, engage with a broker who can help you scale to your current and future needs, who can guide you through the operational risk elements and not merely hand you an application. Applications, though useful, merely grab the information a carrier requires to price your risk to its policy form and should not be the sole basis of a risk discussion. A broker that understands the disconnect between insurance jargon and the specific technology and risks of your business can be the difference between a covered and uncovered claim.
Bill Cosgrove is the New York-based managing principal and practice leader for EPIC Insurance Brokers & Consultants' Financial & Executive Risks Practice. He can be reached at 646-452-4033.