The number of U.S. data breaches hit a record high of 783 in 2014, according to a report released earlier this year by the Identity Theft Resource Center (ITRC). This figure represents a significant increase of 27.5 percent over the number of breaches reported in 2013 and a jump of 18.3 percent over the previous high of 662 breaches tracked in 2010. Cyberattacks were ranked fifth in a list of the most likely global risks in 2014, according to a study by the World Economic Forum, while the same survey ranked “critical information structure breakdown,” as fifth in a list of the top five global risks in terms of impact.
The cost to organizations for data breaches is growing, and most of the consequential losses currently remain uninsured. One of the key challenges in aiding development of a viable cyber insurance market is finding the right approach to handling the many elements of complex cyber claims.
Cyberattacks at well-known institutions combined with our growing reliance on technology have captured the attention of risk managers as well as governments, with numerous countries in the past year proposing new and tightened data protection legislation. This past January, President Obama discussed federal cybersecurity activities in a speech at the National Cybersecurity and Communications Integration Center. In his remarks, he made a proposal for protecting businesses and the government from cyberattacks, and he encouraged information sharing between the private sector and the government, along with increased federal penalties for cyberattacks.
In March 2014, the European Parliament voted in favor of new data protection regulation. The reforms include mandatory data breach notification (within 24 hours, if feasible) and an increase in fines for failing to protect sensitive information up to five percent of annual worldwide turnover (or €100 million, whichever is greater). While the legislative process has some way to go before an agreed text becomes law, it is clear that when the rules come into place, it will dramatically increase the exposure of European corporations, creating a more insistent need for risk transfer solutions, crisis management, loss value calculations, and mitigation strategies.
Risk managers do not have to look far for examples of the massive impact a cyberattack can cause; widely publicized cases are all too common. In Atlanta, there have been several cyber incidents in less than a year involving high-profile local companies and potentially significant liabilities. As one example of a breach and attendant liability, no fewer than 44 lawsuits have been filed against The Home Depot Inc. since the company confirmed its payment data systems were breached in September 2014. In that situation, the information potentially put at risk includes names, account numbers, card expiration dates, and card verification values.
Beyond the immediate financial impact of recovering lost or damaged data, the cost of notifying customers and other stakeholders, the fines and penalties potentially levied by regulators, and the lasting reputational harm a breach can cause mean that the dollar value of a cyberattack is escalating. The attack on the Sony PlayStation Network in 2011 exposed an estimated 77 million of its user accounts. Although Sony estimated the cost of the breach to be in the region of $170 million, some analysts pegged the overall impact (including loss of customers and drop in share price) at a significant multiple beyond that figure. The 2013 breach of big box retailer Target exposed 110 million customers’ payment card numbers and cost the company more than $140 million through the beginning of November 2014. The company’s potential expense in litigation and settlements is expected to be several times that cost.
The nature of cyberattacks continues to evolve, with the public blackmail of Sony Pictures Entertainment over distributing the film The Interview as a recent instance. While the Target, Home Depot, and Sony breaches grabbed headlines, so-called “point of sale” attacks focused on checkout terminals are not new. In today’s interconnected world (think of the risk exposure in the telecommunications, technology, and media sectors), an online crisis involving the failure of a major cloud provider, such as Microsoft’s Azure, Google’s Compute Engine, or Amazon’s web services platform, could well be the next global “shock,” according to a Zurich report issued last year. “Cyber risks are not self-contained within individual enterprises, hence risk managers must expand their horizons,” it warns.
Inadequate Insurance Coverage Response
The insurance industry is at the relatively early stage of responding to risk managers’ concerns with customized cyber insurance products. However, current limits available in the Lloyd’s and company markets are low, and attachment points are high. Brokers are working better with insurers to expand wordings in existing classes such as general liability, directors and officers, crime, and product liability to encompass company cyber exposures, but current efforts are far from mature. Other brokers are creating specific products and looking for market support both regionally and globally for their wordings.
At present, many cyber losses involving digital attacks and data breaches are uninsured across a fairly broad range of companies, especially smaller enterprises. Insurers currently lack the data and claims history to build an accurate picture of the exposure and, in lieu of this, are reluctant to offer broad coverage wording and capacity to fully indemnify against first- and third-party cyber risks.
In a report last year, the insurance broking unit of Marsh & McLennan Companies estimated that the U.S. cyber insurance market would double in 2014 to $2 billion in gross written premiums from an estimated $1 billion in 2013. Contrast that amount with Europe, where the market is estimated to be less than $150 million but is rising by 50 percent to 100 percent annually, according to Marsh’s report. Very few carriers are able to offer indemnity in excess of $50 million, with the majority writing a maximum limit of $10 million or under. In Europe, the market is catching up, but the capacity now being offered remains limited.
With such an unsubstantial commercial insurance market for cyber, some insurance buyers are opting to put these liabilities through their captive insurer—if they have one—or are simply retaining the risk on their own balance sheets. We anticipate that this will change as the market develops, urged on by brokers requesting broader coverage terms and greater capacity and, in part, driven by changing legislation.
Cyber Risk Loss Calculation and Preparation
One feature all cyber claims have in common is their high degree of complexity. It is the timely response to these complexities that can help minimize the overall impact of a network failure or data hack. A dialogue between risk managers, information technology executives, brokers, insurers, and claims professionals is essential in building a distinct and robust methodology for coping with cyber claims. This is best done well in advance of the breach as part of an agreed approach to the loss and claims quantification methodology (CQM). Several of the cyberattacks discussed above likely indicate a lack of preparation and investment in procedures to mitigate attacks before they occur.
An effective cyberattack response will encompass business continuity and honest, transparent third-party notification, as well as crisis management efforts and forensic IT investigations. As the stand-alone market for cyber insurance grows and existing coverage expands to encompass cyber exposures, we will see more—and ever larger—claims come into the market. Involving claims experts with the capability to handle the inherent complexity of such losses now will be a crucial step in convincing risk managers that the industry is ready to offer a real solution.