When you look at the costs of doing business, there are certain line items that are more predictable than others. Take for example monthly software as a service fees or office leases. But one area that has less predictability is that of the costs associated with cyber incidents. This is where cyber risk insurance comes in.
Though it has gained popularity in recent years, cyber risk insurance has actually been around for nearly two decades. The market was driven by data breach notification laws, which were first enacted in the U.S. in California in 2002. In 2009, the European Union implemented a breach notification law for telecoms and ISPs.
As of 2017, 48 states had data breach notification laws, while in Europe the General Data Protection Regulation (GDPR) will take effect on May 25, 2018, replacing earlier data privacy laws. Companies processing and storing personal data of EU residents must comply with the regulations, or face hefty fines for violations, infractions that include failing to notify the authorities and users about a data breach within 72 hours.
“The market has really developed around this effort to deal with the impact of data breaches,” Leigh Wolfrom, policy analyst at the Organisation for Economic Co-operation and Development (OECD) said. Wolfrom is part of the OECD’s Insurance and Private Pensions Committee, which in November released a report on the cyber insurance market.
“Even up until a couple of years ago it was almost exclusively a U.S. market,” Wolfrom says. “In Europe the interest has increased significantly in the past couple of years because of GDPR.”
What the notification laws essentially enabled was companies to associate a dollar figure with data breaches, tallying the costs including those involved with notifying a regulator, providing credit monitoring for impacted customers, and revenue loss, which can be fairly straightforward to calculate if the cyber incident is something like a DDoS attack that brings down a revenue-generating website for a period of time.
Prior to these notification laws “a lot of companies weren’t necessarily examining the financial impact of what a cyber incident could have on their operations,” Wolfrom says. This meant that many companies did not have a sense of whether investments to protect themselves against a cyber incident were worth it from an economic perspective, and as such they didn’t have insurance coverage because they didn’t have any idea of what the impact could be.
The penetration of cyber insurance is estimated at less than 30 percent in the U.S., where 90 percent of premiums are currently underwritten, according to Lloyd’s.
According to Wolfrom, most cyber risk insurance coverage has been developed to deal with business interruption. Other types of cyber risk insurance include business email compromise, or CEO phishing, which covers against fraudulent transfer from social engineering deception.
“Business interruption is a line of insurance usually attached to physical damage,” such as damage caused by floods, which compensates businesses for lost profits, Wolfrom said. This type of insurance is now also being applied to cyber events, although it is much more difficult to assess damage.
“When BI coverage is offered for cyber policies, the direct physical loss or damage requirement may be substituted with an electronic data driven event — a specified type of cyberattack,” according to Costantino P. Suriano and Bruce R. Kaliner, partners at Mound Cotton Wollan & Greengrass L.L.P. “As part of a triggering event for BI coverage, there must be a direct causal connection between the cyberattack and the interruption of business and loss of revenue. For an active attack, where an adversary or perpetrator destroys or alters data that brings down the computer system, or a denial of service takes place and business operations cease, the causal connection to any business loss should be fairly straightforward to establish.
“However, the causal connection is less clear in a situation involving a passive network attack, when a computer system is infiltrated but the perpetrator is only gathering data or exploring the system, and no data is disturbed, altered or destroyed.”
Impact of cloud downtime on cyber risk insurance market
When dealing with interruptions to cloud services, the damage can be even harder to calculate. A new report by Lloyd’s calculates the costs associated with downtime of a major cloud provider. According to its analysis, if a cyber incident takes a top three cloud provider offline in the U.S. for 3-6 days, it would result in ground-up loss central estimates between $6.9 and $14.7 billion and between $1.5 and $2.8 billion in industry insured losses.
“Cyber risks accumulate around sources of risk such as cloud providers. These sources of risk are challenging to identify because most insurers do not know which cloud vendors their insured customers use or to what extent,” Lloyd’s said in its report, Cloud Down: Impacts on the US economy.
“In a scenario where a cloud provider is disabled, a traditional market share approach provides a broad, relatively uncertain view of the risk. It assumes that if the cloud provider has 30 percent market share, 30 percent of the insurer’s portfolio is affected. This might be true, or the portfolio might have more or fewer insured customers who use that cloud provider. Unless the insurer has painstakingly gathered this data, there is no way of knowing which companies would be affected by the outage or how much.”
Other challenges within cyber risk insurance for cloud are the issues of liability and jurisdiction.
“Customers want cloud providers to assume unlimited liability for outages and any resultant business interruption, while vendors want to restrict and cap their liability,” the report says.
Also, there are “considerable complexities involved with which jurisdiction’s laws apply during a particular downtime event” because a customer may live in a different country than where their data resides.
According to a recent OECD report, “a key concern for insurance companies is the level of responsibility that cloud providers will accept in the case of a data confidentiality breach. Some have suggested that cloud service providers will bear only limited liability and that much of the costs of a data confidentiality breach could be borne by its clients (and their insurers).”
Challenges in cyber risk insurance require collaboration
A lack of data is one of the biggest challenges for underwriters, in part because public information around cyber incidents is relatively scarce. Most private companies that experience a data breach prefer to keep this information under wraps for fear of damaging their reputation.
But Wolfrom said that there are initiatives that are being established to share data on these types of incidents on an anonymous basis to understand the types of incidents and their associated financial impact.
Other industry initiatives include coming up with common definitions of the different types of cyber risk coverage to offset confusion among buyers of insurance who believe cyber insurance is very complex, Wolfrom said.
An area of cyber risk insurance that Wolfrom sees as one to watch is expanding coverage around intellectual property (IP) theft.
“IP is difficult to insure, but it is a main concern of companies in terms of cyber risk,” he says.
OECD is hosting a conference on unleashing the potential of the cyber insurance market on February 22 - 23 in Paris, France.