[BreachExchange] Cyber Insurance Now Critical as Data Breaches Wreak Havoc

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 19 18:43:43 EST 2016


http://www.sci-tech-today.com/story.xhtml?story_id=103003JXN4GU

While 2016 may have been one of the worst years in history for network
security, there is at least one silver lining for enterprise IT
departments: insurance companies are becoming increasingly skilled at
underwriting cybersecurity risks.

According to the Insurance Information Institute, more than 60 different
insurance companies are now offering standalone cyber insurance policies,
with an estimated U.S. market of more than $3.25 billion in gross written
premiums this year.

That figure is the direct result of two related trends. First, data
breaches are becoming more expensive for enterprises, with the average
breach in 2016 costing $7 million and representing the third-costliest
business risk this year. That increase has given rise to the second trend,
which is that businesses are becoming much more concerned about protecting
themselves against potential financial losses as the result of hacks that
are becoming almost inevitable.

A New Challenge

Historically, the insurance industry has successfully managed to adapt to
the risks posed by new technologies, including automotive and air travel
tech. Nonetheless, insuring against data breaches and other attacks
presents its own set of challenges and complications.

In particular, the constantly changing range of perpetrators, targets and
exposure values, a lack of historical actuarial data and the interconnected
nature of cyberspace combine to make it difficult for insurers to assess
the likely severity of future cyberattacks.

While most traditional commercial general liability policies do not cover
cyber risks, standalone cyber insurance policies typically address a number
of risks associated with data breaches or attacks.

About Time

Chief among these is liability insurance to help companies cover costs,
such as legal fees and court judgments, that may be incurred following the
theft of enterprise data and the unintentional transmission of a computer
virus that causes financial harm to a third party.

Crisis management is another aspect of standalone cyber insurance, covering
the cost of notifying consumers about data breaches that resulted in the
release of private information and providing them with credit monitoring
services. Cyber insurance also covers the cost of retaining a public
relations firm or launching an advertising campaign to rebuild a company’s
reputation.

Some policies will also cover liabilities incurred by directors, corporate
officers or other members of management who might be at risk due to
decisions made on behalf of the company. Business interruption stemming
from an attack can also lead to a loss of income, another risk insurers are
increasingly starting to underwrite.

Ransomware and Data Destruction

Cyber extortion has also been a major concern this year, with the San
Francisco transit system falling victim to an attempt to extort it for
millions of dollars. That attack caused the system to offer free rides to
patrons over Thanksgiving weekend. Cyber extortion coverage helps cover the
settlement of an extortion threat as well as the cost of hiring a security
firm to track down the blackmailers.

Insurance companies are also beginning to cover damages resulting from the
destruction of data or other valuable assets stemming from viruses,
malicious code and Trojan horses, as well as the cost of posting criminal
rewards for information leading to the arrest and conviction of malicious
hackers.

If 2016 was any indication of what lies ahead, these kinds of insurance
policies should be in even greater demand in 2017.