The Target hack was a consciousness-raising incident for C-level execs, making them realize that the total costs of an intrusion and data theft are much greater than a damaged reputation and associated PR cleanup. The incident cost several execs, including the CEO, their jobs, and cost the company over $250 million in expenses, of which about a third was covered by Target's liability insurance, an instructive data point to which we'll return.
At far less than 1% of Target's $73 billion in annual revenues, that's pocket change, but for smaller organizations, the risk of irreparable harm from a cyber attack is all too real, particularly when the motivation isn't always financial, but sometimes ideological.
Just ask Brian Krebs, a well-known security researcher, whose site was taken out by someone displeased by his recent investigations, who launched an attack that, if sustained, would cost millions of dollars to mitigate.
The ability to compromise and weaponize the growing number of connected devices, many of them relatively dumb appliances like IP cameras, thermostats, home broadband routers and set-top boxes, means that any person or group with an axe to grind can knock your site offline with a flood of network noise via a distributed denial-of-service (DDoS) attack.
Given the scale of these attacks, it takes Herculean efforts from organizations with deep security and network expertise plus lots of bandwidth (read, money) to counter them. Meanwhile, the target's business is offline, which, for more and more organizations, means that they might as well be closed.
Providing financial protection against unusual events with extreme consequences is the point of insurance, and in today's world of digital business, organizations are more likely to be adversely affected by data hacks and DDoS attacks than by fire and flood, which explains the growing interest in cyber risk policies.
According to a report from Betterley Risk Consultants, an independent insurance and alternative risk management consulting firm, the annual volume of cyber risk premiums is around $3.25 billion, up about 18% from last year. The estimate is admittedly imprecise since it's derived from a manual survey of 18 insurance carriers; however, Betterley notes that several companies now write cyber policies totaling $50-100 million or more.
It's a robust market, with the majority of carriers reporting annual growth in the low double-digits and a few doubling their premium volume over the past year. The report's author believes that the "market has nowhere to go but up"; Allianz, however, expects cyber premiums to explode, hitting $20 billion by 2025 with 24% penetration across U.S. businesses.
Data theft not the only risk
Although the majority of cyber attacks target data that can be easily monetized like customer names and credit card numbers, as the Krebs incident demonstrates, even the savviest of security experts are powerless to stop an aggressor bent on disruption, not theft.
Krebs, who had reported on an Israeli company that had commercialized a DDoS service, saw the perpetrators or their fellow travelers train their weapons on him in retaliation. The result was an attack of unprecedented size, nearly double the largest attack his mitigation service, Akamai, had previously seen. According to Krebs:
There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords. Most of these devices are available for sale on retail store shelves for less than $100, or — in the case of routers — are shipped by ISPs to their customers.
In Krebs' case, the motivation was censorship, which in his view is far too easy.
The sad truth these days is that it’s a lot easier to censor the digital media on the Internet than it is to censor printed books and newspapers in the physical world. On the Internet, anyone with an axe to grind and the willingness to learn a bit about the technology can become an instant, self-appointed global censor.
However, the same attack against an online business could easily be used for extortion: "nice little online business you got going there...be a pity if anything were to happen to it." DDoS mitigation services like the one Krebs used have been around for years; however, as the scale of attacks reaches a level that only companies with deep pockets can deflect, it makes a compelling case for risk pooling and insurance underwriting.
Cyber insurance basics
The initial demand for cyber insurance was fueled by the theft of valuable personal information, hence policies have focused on liability damage, not business disruption. However, cyber risks and the need for coverage are much broader. According to the Betterley report, there are three categories of cyber insurance coverage:
- Liability: Similar to car or property insurance, provides defense and settlement for damages due to an organization's failure to adequately protect customers' or employees' private data.
- Remediation: Covers costs associated with responding to an incident and cleaning up after a data breach, for example incident response (like DDoS mitigation), forensic investigation, customer notification, credit monitoring and PR.
- Regulatory fines and penalties: Covers the costs to investigate, defend and settle actions by government regulators or industry bodies like PCI. Betterley notes that this coverage isn't currently offered by most insurers; however, they may have options for legal defense costs.
Unfortunately, a nascent market like cyber insurance means there's little uniformity in policies and coverage. A survey by the Council of Insurance Agents and Brokers finds great confusion among most agents regarding cyber coverage due to the many policy nuances, lack of standard terminology and difficulty in identifying policy exclusions.
A significant benefit of risk sharing via insurance is that carriers have a vested interest in minimizing the risk of their customers. Just as health insurers provide discounts for non-smokers or subsidize gym memberships or fitness bands, cyber insurance underwriters can help lower an organization's risk profile through consulting, security audits and financial incentives for security technology and training. According to Betterley:
We also think that insurers will take an increasing interest in helping insureds select and implement improved risk avoidance and mitigation techniques. This approach is similar to the property insurance approach of aiding highly protected risks through rate incentives, education, broader coverage offerings, and the development and installation of protective devices.
An unfortunate but predictable consequence of business digitization and online commerce is an attendant rise in cybercrime and risk. Just as the proliferation of cars and trucks spawned the need for vehicle accident and liability insurance, the dependence of organizations large and small on data and on online connectivity to customers and business partners creates the potential for catastrophic loss that can only be mitigated via risk pooling and insurance.
As with any new and dynamic market, insurers are still struggling with accurately measuring and modeling different types of cyber risk and their financial consequences. Underwriters are forming partnerships to share data and help quantify risk; however, as the Council of Insurance Agents and Brokers survey points out, it's too early to know how effective these efforts will be. It goes on to note:
The lack of actuarial and cyber incident data is a topic being examined at length by both the insurance industry and state and federal lawmakers and regulators. The nature of cyber risk is man-made and constantly changing in order to overcome cyber defenses. Modeling firms are starting to create models but no model is ever perfect. A solution, other than experience and data acquired over time, has yet to be proposed. As one bank-owned regional broker observed, current risk quantification is “not fully sufficient, but a step in the right direction.”
The US government has encouraged companies to share cyber incident data to improve our collective understanding of cyber risks and longer-term trends.
As Linus Torvalds famously quipped, "With enough eyeballs, all software bugs are shallow" and I suspect that with enough data, cyber risks will be actuarially quantified. Better data and models will yield greater efficiency in risk sharing that lowers premiums yet provides a sustainable business for carriers. As the cyber insurance market matures, I expect that it will become routine coverage for most organizations: an added, but not onerous cost of living in the digital age of uber-connectedness.