If your company were hit with a cyber attack today, would it be able to foot the bill? The entire bill, including costs from regulatory fines, potential lawsuits, damage to your organization's brand, and hardware and software repair, recovery and protection?
It's a question worth careful consideration, given that the price of cyber attacks is rising at an alarming rate.
The second annual Cost of Cyber Crime study, released last August by the Ponemon Institute, reported that the median annualized cost of detection of and recovery from cyber crime per company is $5.9 million -- a 56% increase from the 2010 median figures. The costs of cyber crime range from $1.5 million to $36.5 million per company.
A growing number of insurance companies are offering cyber protection in the event of breaches and other malicious data attacks. But so far, they're having some difficulty making their case. Surveys show companies have yet to embrace these policies, whose costs can be staggering.
The annual PricewaterhouseCoopers Global State of Information Security Survey for the first time in 2011 asked respondents about whether their organizations had an insurance policy to protect against cyber crimes. Some 46% of the 12,840 worldwide respondents -- which included CEOs, CFOs, CIOs and CSOs as well as vice presidents and directors in IT and information security -- answered yes to the question: "Does your organization have an insurance policy that protects it from theft or misuse of electronic data, consumer records, etc.?"
Additionally, 17% said that their firms have submitted claims, and 13% said they've collected on those claims. (PwC didn't ask why the remaining 4% hadn't collected, but says it's likely they were denied.)
Because it's the first time PwC had asked its respondents about cyber insurance, there's no way of knowing if those numbers represent an increase; however, a separate, albeit much smaller, survey indicates that companies may be slow to warm up to cyber insurance.
The 2011 Risk and Finance Manager survey, conducted by global professional services company Towers Watson, found that 73% of the 164 risk managers surveyed work at companies that have not purchased network liability policies. Some 37% of those who didn't have polices said they believed their internal IT departments and controls were adequate, while another 15% either said the cost of a policy was too high or that they weren't overly concerned about the risk.
Confusion in the marketplace
Lawyers and information security leaders say they encounter many executives who harbor misconceptions about cyber insurance. Decision-makers, they say, often mistakenly believe that standard corporate insurance policies and/or general liability policies cover losses related to hacking or that their cyber policies, if they have them, will cover all costs related to a breach. Most of the time, they won't.
A February 2011 paper by Khalid Kark of Forrester Research that addresses the fundamentals of cyber insurance indicates that many companies are still trying to understand the basics of these policies, which are offered by such carriers as ACE USA, Chubb, The Hartford and St. Paul Travelers Cos.
The most common questions revolve around what types of polices are out there, what they cover, how to select the right policy and whether such insurance is even needed.
"We're still seeing a knowledge gap," says Michael Overly, a Los Angeles-based partner with Foley & Lardner LLP and a member of the law firm's Information Technology & Outsourcing and Privacy, Security & Information Management Practices.
IT leaders are particularly susceptible to confusion, only because CIOs, CISOs and other IT executives have not traditionally made decisions about corporate insurance policies. Likewise, the risk management and legal teams that typically do make insurance decisions have not customarily sought out their IT counterparts when purchasing insurance.
Yet IT's input is crucial when it comes to deciding whether to buy cyber insurance and determining what coverage to buy, security experts say.
"The IT people and the risk people desperately need to get together to talk about risk in terms of information technology and the likelihood and outcomes of a breach occurring," says Don Fergus, an IT risk consultant and 2012 chairman of the IT Security Council for the security professionals' organization ASIS International.
"Information professionals, especially information security leaders, need to step up. They need to understand that they're in charge of more than just security. They need to understand and articulate the vulnerabilities that they face in terms of risk. That's the language of the board."
What's covered, what's not
Cyber insurance policies are relatively new -- only about a decade old -- and are still evolving. As a result, executives and managers often misunderstand what policies will and won't cover, Fergus says.
Some companies purchase standard insurance policies and think they're fully covered, not realizing that the policy might cover physical property but not intangibles. Under a property insurance policy, for example, the cost of a server smashed up by a disgruntled employee would be covered, but not the company's liability for failing to perform a service for a client as a result of the server downtime.
Liability insurance generally offers protection from lawsuits or claims, but Fergus quickly points out that general liability, errors and omissions, and directors and officers liability insurance policies will not cover claims arising from electronic data loss or the lack of access to that data.
"From a property crime perspective, it's pretty straightforward. You know what your replacement costs are. That's well understood," Fergus says. "But cyber liability insurance is really the sharp end here. It can be the most costly, and it is very misunderstood. There are lots and lots of differences in coverage across the various carriers."
Ken Goldstein, vice president of Chubb Group of Insurance Companies in Warren, N.J., explains that cyber insurance falls into two general buckets. The first bucket covers costs associated with third-party liabilities, that is, claims from other organizations, and the second covers first-party expenses and/or losses, that is, damage to your own organization.
Additionally, policies are available that cover costs associated with a breach, such as third-party notification and PR expenses.
Of course, companies can purchase policies to address both first and third parties, so they're covered for a range of scenarios -- from the cost of notifying customers whose data was breached, to the cost of hiring a forensic IT team, even to paying extortion/ransom demands, Goldstein says. (See an example of Chubb's range of offerings here.)
IT pros as insurance experts?
Given that cyber insurance policies aren't one-size-fits-all and aren't as straightforward as other types of corporate insurance, companies need to determine exactly what coverage they need and whether it makes sense to pay the premiums associated with that coverage, says Eric J. Sinrod, a San Francisco-based partner at national law firm Duane Morris LLP.
That's where IT comes in. An organization's risk management and legal folks understand the language of insurance riders and exclusions, but no one is better equipped to understand and articulate an organization's information security system than the people who run it.
"The CIO is on the front lines in dealing with information systems and should know about actual and potential problems," says Sinrod, who hosts his firm's TechLaw10 audio podcast updates on technology law issues.
IT managers can also assist with facilitating an accurate cost-benefit analysis. "It might cost the company less to recreate the data than it would be to pay for the insurance premium," he warns.
The risk evaluation process requires more than merely articulating what security measures are in place, explains Mark Lobel, a principal and a security benchmarking expert at PricewaterhouseCoopers.
Companies first must ensure they follow the best information security practices for their industries, he says. Insurance companies will want to know what security exists at a company before they write any policy, and they might even require a third-party audit to verify what's in place.
Then IT leaders should determine potential threats, their likelihood of occurring, and how such threats would impact the organization should they happen.
"You protect as much as reasonable, and insure against your residual risk. You can't insure [correctly] if you don't understand the risks," Lobel explains. "So you have to have a risk-based approach. You have to be able to say, 'Here's what I think can still go wrong because I'm not willing to spend $100 million for security.'"
Lobel suggests companies consider hiring a third party to perform a risk assessment to help fully identify and understand their security risks and identify areas for improvement. In fact, he says many insurance companies require such independent assessments to help determine premiums.
Just what insight can IT contribute to the decision-making process? Foley & Lardner's Overly offers two examples. The IT lead at a furniture manufacturer, for instance, should be able to articulate the case that his company doesn't store customer data electronically and therefore isn't likely to be a target of a hacker looking for credit card numbers but still has critical systems that, if compromised, could shut down not only his own company's operations but perhaps work at the company's partner organizations -- a chain of events that could open his company up to loss-of-revenue liability.
On the other hand, Overly says, that hacker looking for customer data is of great concern to the CIO at a retail operation; if a breach occurred, the company could be required to spend millions on customer notifications, public relations and legal fees.
"A risk management person can't make these decisions without talking to the CIO -- that's the person who will give input on how much insurance coverage the company needs and what [threats] it really needs to worry about," Overly says.
Not all companies -- or all IT departments -- are comfortable with this level of self-scrutiny, ASIS International's Fergus points out.
"There is a head-in-the-sand kind of view, 'I'm happy not knowing what I don't know,' " he says. "IT people and business people in general don't like to be criticized in terms of their ability to perform their duties. They may know they're vulnerable, but they don't want to write it down."
Even companies that have done their due diligence in terms of assessing cyber risk can be in for a jolt, Fergus says. "They go out to the [insurance] carriers, and they get sticker shock."
That's because cyber liability insurance can cost $7,000 to $40,000 per million dollars of loss. And with losses possibly totaling in the tens -- or even hundreds -- of millions, getting a policy able to cover such costs can present a staggering additional cost in insurance premiums.
"Insurance companies want to make money, and the only way they can do that is betting that your premium will exceed the cost of mitigating your claim. [They] are well aware of the costs of mistakes and missing security pieces," says Hord Tipton, executive director at the International Information Systems Security Certification Consortium Inc., or (ISC)2, a nonprofit organization that educates and certifies information security professionals.
Deciding how much coverage to buy can be tricky -- too little, and you don't cover your exposure. Too much, and you face the prospect of sky-high premiums.
Towers Watson's Risk and Finance Manager survey found that 61% of the responding companies that were carrying network liability policies bought $10 million to $49.9 million limits, with only 8% purchasing policies with $50 million or more in limits.
The survey found various reasons for how companies arrived at their particular limits, but 36% said the limit was proposed by their broker and 15% said they reviewed the level of exposure with a third-party cyber risk management firm.
Plan B: Just say no
Some companies take a look at the cost of coverage and balk. Overly says, "One of the fundamental deciding factors [for not getting it] is that it's expensive."
Another concern: A few high-profile cases in which the insurer and the organization filing a claim, including Sony and the University of Utah, wound up in court.
Tipton, whose organization decided not to buy cyber insurance, worries that firms that do purchase cyber insurance can become lax. "A company should not let complacency set in just because they are insured," he warns. "Negligence is not insurable, nor is your reputation or stock price if due diligence is not practiced."
More important, Tipton maintains, insurance couldn't help his firm recover the greatest, most valuable loss it would suffer should a breach occur: its reputation.
"The reputational damage would be huge, and insurance couldn't fix that, so we spend our effort and time securing [our systems]," he says -- while acknowledging that, without insurance, the company would be on the hook if a significant breach were to happen. "There is no such thing as being 100% risk free. Our job is to evaluate and manage our risks -- not to try and eliminate all risks."