[BreachExchange] The Pros and Pitfalls of Cybersecurity Insurance

Destry Winant destry at riskbasedsecurity.com
Fri Jan 18 01:37:32 EST 2019


https://www.dmagazine.com/publications/d-ceo/2019/january/the-pros-and-pitfalls-of-cybersecurity-insurance/

Concern about digital crime is at an all-time high in local C-suites,
with major data breaches at giants like Sabre and GameStop keeping
cybersecurity top of mind. Large players like AT&T have come forward
with insurance to offer protection and help companies recover in the
wake of data disasters. But the relative novelty of the policies can
make it difficult to know what they will and won’t pay for.

On the other side, insurers are struggling to determine what damages
they should cover from tech crimes and what they should charge for
premiums. That’s partly because corporate secrecy about hacks means
nobody knows how often companies get hit—or what the bottom-line
impact truly is.

The insurance industry is still working to understand and get a handle
on the extent and variety of cyber risks, says Ernest Martin Jr., a
Haynes and Boone partner who chairs the firm’s insurance recovery
group. Martin has seen more companies buying this form of insurance in
the last 18 months and says that contractual language in cyber
policies can vary widely from one insurer to the next. “Purchasing
them is not as easy as purchasing general liability insurance,” he
says.

There are also unresolved legal questions about coverage for damage to
corporate reputations, which can endure long after a data breach has
been fixed.

As more security technologies become available to small businesses,
insurers are getting increasingly comfortable writing policies for
them, says Anne Chow, president of national business at AT&T. (The
company offers cyber-protection services to small businesses and, via
the brokerage Lockton Affinity, makes related insurance available from
CNA Financial.) “Few [insurers] require cyber loss controls to be in
place before underwriting these risks,” Chow says. “But this is
changing as well, especially if the customer doesn’t want to pay high
premiums.”

Sophisticated, Well-Funded Attacks

Data security has emerged as a top concern for CEOs because of the
growing risk such attacks present. “It used to be you protected the perimeter
of your enterprise with a firewall, put in a little virus scanning and
called it a day,” says Peter Giordano, senior director of information
technology security at Vizient, an Irving-based supplier of technology
services for the healthcare industry. “Now,” he adds, “you have to
protect everything because everything is interconnected.”

Remington Hotels, a hospitality-management company based in Dallas,
saw that first-hand last year when Sabre, which books travelers’
stays, had a major breach. “It affected 20,000 of our guests,” says
James Clent, Remington’s chief information officer, who also is
associated with the Society for Information Management, a trade group.

And though the term “hacker” may conjure images of a lone teen in a
hoodie, technology chieftains worry more about sophisticated,
well-funded attacks. “Cyber thieves, such as nation states or criminal
organizations searching for military or commercial intellectual
property, are a much higher priority than rogue hackers,” says Bennie
Peck, CIO at Fort Worth-based Bell Helicopter.

Russia and China are often behind successful criminal attacks,
according to Clint Emerson, a former Navy SEAL and founder of Escape
the Wolf, a Frisco security company. “No government will take
responsibility, but the digital crumb trail always leads to one or the
other.”

State-sponsored groups may be behind the relatively high number of
cyber-attacks on hospitals near military bases, according to Ross
Carevic, director of technology sourcing at Vizient.

“These organizations have the resources to perform highly advanced
types of incursions, which are publicized and studied in detail by
independent groups that turn vulnerabilities into commercial hacking
opportunities against hospitals,” he says.

Some large criminal groups are developing artificial intelligence
through large information-technology operations they run, according to
Layne Bradley, instructor of information systems and supply chain
management at the Neeley School of Business at Fort Worth’s Texas
Christian University. “Cyber intrusion has become more profitable than
drugs,” he says.

Healthcare systems, especially smaller ones, are the easiest targets
now because they offer criminals the best rewards for the least
effort. But financial institutions often stand to lose the most and
spend about three times as much on cybersecurity, experts say.

All industries are targets, no matter how small or how large. “Data is
a new form of cash,” says Ram Dantu, a professor who directs the
Center for Information and Cyber Security at the University of North
Texas.

Plan Now, or Pay Later

With intrusions a constant danger, executives face pressure to be
prepared for the messes that follow. “They can come with a
billion-dollar price tag,” says Murat Kantarcioglu, a computer science
professor who runs the data security and privacy lab at the University
of Texas at Dallas.

Regulations can force public companies to disclose significant hacks,
something that can hurt their stock prices, make their customers lose
trust in them, and endanger executives’ jobs. Auditors are also
increasing their focus on ensuring companies are meeting their
regulatory obligations around cybersecurity.

For these reasons, corporate executives are under pressure to show
they’ve done everything possible to protect their businesses from
technology intrusions. “If you don’t have a well-defined security plan
that you’ve tested and enforced, you’re hanging out on a limb for
responsibility for breaches,” says TCU’s Bradley.

Such plans may help reduce a company’s liability if, say, shareholders
sue over a major cyber intrusion, he adds. “Executives and the board
can say they did everything they could.”

That’s where insurance is supposed to come in—and where problems can
crop up. Aside from helping pay for the damage intruders cause, such
as hiring consultants to remove viruses from a business’ technology,
insurance may pick up some of the tab for defending the company from
lawsuits or regulatory claims that can ensue.

But unlike auto or home insurance, cyber insurance lacks standards
under which every insurer’s policies address the same basic risks and
have the same basic limits on what they cover and how much they will pay.

“Even when a cyber policy provides a particular type of coverage, the
actual scope of that coverage can be restricted in many ways,” says
Dallas attorney Amy Elizabeth Stewart. The problem gets thornier still
for businesses that run most of their technology on other people’s
computers. Policies may not cover what happens on vendors’ systems or
have low limits on how much insurers will pay.

Firms that outsource their tech should check up front on how their
cyber insurance works with their partners’ coverage, Stewart says.
“This is critical for avoiding unpleasant surprises.”

The Good, The Bad, and The Ugly

When she served as finance chief for North Texas companies such as
Stream Energy and Flowserve, Renee Hornbaker did not look forward to
getting cyber insurance.

“I found it to be costly and difficult to purchase because the
application process is very onerous,” says Hornbaker, now retired but
a member of multiple corporate boards.

Landing coverage against tech breaches can entail sharing a ton of
information with insurers, from the basic setup of their networks and
servers to their security practices. It can also run head-first into
executives’ desire to avoid showing the warts of the systems they
oversee.

Businesses are generally better off buying more cyber coverage when
they rely heavily on technology but lack expertise in security,
experts say. On the flip side, companies may need less coverage if
they diligently follow good cyber-security practices.

Because people are the weak link in any security setup, companies
should keep insurers informed about how they communicate safety
measures to employees. This could drive down perceived risk and could
lead to lower premiums.

Tremendous growth in the use of technology and growing sophistication
of hackers mean the cybersecurity insurance market is poised for
rapid expansion. According to AT&T, more than 50 insurers now offer
digital policies with net premiums totaling $2 billion. That’s less
than 1 percent of property and casualty premiums that U.S. insurers
wrote in 2017.

Insurers are jumping in despite the hurdles because cyber is one of
the few growth areas in the insurance industry. Orbis Research, which
has its U.S. headquarters in Dallas, projects the global market for
cybersecurity insurance will hit $17.6 billion by 2023.

