What industry gets wrong about cyber insurance

When Lake City, Florida, was struck by a ransomware it decided to pay.

The city's insurer Beazley said recovery could mount to $1 million. Guided by math and its cyber insurance policy, Lake City decided to pay the $462,000.

Under the terms of its policy, the cyberattack ultimately cost the city a $10,000 deductible and the tenure of its IT director.

Bucking industry tradition, the new normal might be "pay the ransom."

If the math is right, and it usually is when hackers know their victims' assets, paying a ransom is almost always cheaper than the cost of recovery — especially if the organization has a cyber insurance policy.

"Insurers offering cyber insurance policies have done well to present themselves as a sanctuary of reason and resourcefulness amidst the frenzy of a ransomware attack," Jerry Ray, COO of data security company SecureAge, told CIO Dive.

The number of organizations that "do not know" whether cyber policies could meet their needs dropped from 44% in 2017 to 31% this year, according to the 2019 Cyber Risk Perception survey from Marsh and Microsoft. On the other hand, the majority of organizations with cyber insurance are fairly or highly confident in its coverage.

Data from Marsh and Microsoft's 2019 survey on global cyber risk perception

Naomi Eide / CIO Dive

Misconceptions about the role insurance plays in a cyber event's aftermath are common. There are also assumptions that insurance providers are inadvertently playing a role in the 500% year-over-year increase in ransomware attacks.

Cyber insurance is "an up-and-coming product, so we expect to take questions about it," Matthew McCabe, SVP of insurance broker Marsh's Cyber Center for Excellent Practice, told CIO Dive. But "there's published misinformation about it and conclusions thrown out for public debate that just don't make any sense," such as the notion insurance is encouraging more cyberattacks.

"If I had any one wish, I guess there'd be a lot more clarity about what the product does. And about its ability to pay claims," said McCabe.

Cyber insurance is an investment

Cyber insurance is used to offset penalties or reparations, plain and simple. It picks up where general liability insurance drops off; covering businesses for event-related costs, infrastructure restoration, breach disclosure and recovering data.

"First and foremost, it's really important to understand that cyber insurance is a post-fail assumed breach or assumed failure control," Chris Kennedy, CISO at security firm AttackIQ, told CIO Dive. “It's a way to adjust risk when you're assuming that your security program is not going to work."

Almost half of organizations have adopted cyber insurance, up from 34% in 2017, according to the Marsh and Microsoft survey. More than half, 57%, of companies with more than $1 billion in revenue have policies, compared to only 36% of companies with revenue under $100 million.

Privacy coverage made cyber insurance mainstream. "Privacy is an invaluable component of insurance," especially for data aggregators, said McCabe. As more privacy legislation and regulation is introduced, it's becoming a competitive advantage.

Technology errors or omissions were part of policies, but as tech matured and the services companies could provide consumers, a demand for something more inclusive grew in insurance in the last 10 years especially. "That kind of morphed with a collection of other coverages into what is today a cyber insurance policy," said McCabe.

Nearly one-quarter of ransomware incidents in Q3 2019 originated from an IT vendor or managed service provider, according to incidents reported by Beazley's internal breach response team. Those attacks contributed to a 37% year-over-year increase in ransomware in Q3 compared to the previous three months.

Business interruption and data destruction are other leading policy adoption motivators. In 2017, NotPetya, a wiper disguised as ransomware, "put the proof in the pudding" that a cyber event can lead to catastrophic damage, said McCabe.

How to choose a cyber insurance policy

Cyber risks are usually outlined in filings with the Securities and Exchange Commission, but when contemplating an insurance policy, companies have to give them a monetary value, which are usually calculated using mathematics rooted in risk assessment.

Historically, "people were scared to death of cyber events because they were unsure of it," as the digital economy matured, said Jeremy Alexander, senior risk expert at Walmart, who spoke at a FAIR Conference event in September. Insurers knew they should offer cyber coverage, but they were unsure of how to calculate policies quantitatively.

But as companies and insurers migrate to quantitative methods, everyone became more comfortable with accepting risk, said Alexander. Cyber insurance rates are improving because the competition is too.

When evaluating a plan, companies have to study the structure of policies first. Consider a retention: a clause put on policies that are similar to a deductible. A retention says if an event occurs, the policyholder is responsible up to a certain amount.

Other times policies are capped, "you may be back on the hook for anything above" the deductible, said Alexander, referring to more detrimental events.

There are a number of theoretical scenarios companies can draw on when evaluating risk and the best policy for diverting it.

"Benign" scenarios, including cloud storage and buckets, are frequently mismanaged. For example, if a company left a bucket exposed — which is often a default setting — but it contained log files and no personally identifiable information, the loss would be minimal.

"Armageddon" scenarios are the ones worth consideration, "throw out what's absurd," or the scenarios that are completely unfathomable, said Alexander.

There are usually only a few scenarios that sit between "benign" and "Armageddon." There will always be high priority ones, like a confidentiality breach. To estimate those costs, look to other companies' financials. Walmart is in the same industry as Target, so the retailer can learn from its competitor's mistakes.

In 2013, Target had a data breach compromising about 40 million credit cards. By 2017, Target agreed to pay nearly $19 million in a bulk settlement to 47 states.

Before the settlement was reached, the retailer incurred about $184 million-worth of breach-related expenses in 2014 and 2015, according to its 2016 annual report. "For 2016, data breach-related expenses were negligible," said the company.

When Target filed its annual report, the retailer had spent $292 million on breach costs. About $90 million was "offset" by insurance recovery.

Target's net breach-related costs were about $200 million. With about 40 million records compromised, risk management teams, like Alexander's, were able to give this particular breach a data point: Each compromised record cost the retailer about $5 a piece.

Using this data point, companies — or competitors of Target — can more or less predict the cost of a breach by asking, "how many customer records do we use or have?"

This is a broad summary of assessing risk. Frequency is another component to consider and that is where effective communication with executive leadership comes into play. "You want to be able to show uncertainty, but you don't have to show distributions," said Alexander.

Insurance loopholes

Companies leaning on property insurance policies for cyber-related recoveries may be hard pressed to find solace.

Mondelez International, manufacturer of Wheat Thins and Chips Ahoy! Cookies, had a net revenue of nearly $30 billion in 2017, when it was hit by NotPetya.

About 1,700 servers and 24,000 laptops were left "permanently dysfunctional" after NotPetya. The company is leaning on a property policy, which includes the loss of electronic data, software and physical damage "caused by the malicious introduction" of malware.

The food company is suing its insurer, Zurich American Insurance, for $100 million for failing to cover its NotPetya-related damages.

But Zurich isn't budging. The insurance provider said Mondelez's NotPetya attack was "warlike" in a "time of peace," exempting Zurich from covering costs.

"It's important to note that the NotPetya coverage litigation process with Mondelez involves a Zurich property policy and not a Zurich standalone cyber policy," said Michelle Chia, head of Professional Liability and Cyber at Zurich North America, in an email to CIO Dive. "Standalone cyber insurance policies are a much better response to emerging cyber risks than expected cyber coverage sitting in the traditional policies, such as first party property or general liability."

The lawsuit is ongoing, but in the months after NotPetya, industry and the White House concluded that while it was a nation-state sponsored attack, most victims were collateral damage and not the primary targets, such as Mondelez and shipping giant Maersk.

"I think the insurance carrier is way off," said McCabe. In reality, most of NotPetya's victims were not targeted as an act of war.

According to Marsh research, "conflating the war exclusion with a non-physical cyber event like NotPetya" is the result of:

The wiper's massive economic impact
U.S. and U.K. governments attributing the attack to Russia

Even the combination of the two factors is insufficient to "escalate this non-physical cyberattack to the category of war or 'hostile warlike' activity," according to the research.

Other considerations involve characterizations of the victims:

Location: Is it by a conflict zone or "places far removed from the locale" of warfare?
Do they have military connections?

In the case of NotPetya, victims were far removed from any warlike scenarios, according to Marsh. If insurers are so inclined to evoke the war exclusion clause, Marsh recommends they reform it, to clarify circumstances that warrant its application.

However, because of the maturing nature of cyberattacks and the bad actors behind them, it's an opportunity for businesses and carriers to step up.

"Businesses concerned about cyber terrorism risks should consider standalone cyber insurance policies," said Chia. Zurich has cyber-specific coverage and "has paid for significant losses related to NotPetya" under such policies.

"Those policies included a war exclusion with a cyber terrorism exception," according to Chia. Cyber terrorism is covered in Zurich's cyber policies, including "attacks or threats by any individual organization or government against an insured's network security.

In other words, Zurich's "war or civil unrest exclusion" in its cyber policy is not applicable to cyber terrorism.

In the Mondelez case, "hostile and warlike acts exclusions contained in property policies … generally do not have an exception for loss resulting from a cyberattack that has penetrated an insured’s network security," according to information provided by Zurich.

Mondelez didn't respond to request for comment by time of publication.

Security considerations

Unlike auto insurance, where the provider will replace a damaged vehicle, cyber insurance can't underwrite compromised intellectual property.

A former employer of Kennedy, for example, held $116 billion of publicly available customer assets. "You can't replace that," he said. The data that company possessed gave it maneuvering power "to beat the markets," making it an impossible asset to wholly insure.

The responsibility for deciding a plan — while influenced by risk management and other departments — usually falls on the chief security executive. Risk management teams will inform their chief of security of the mathematical implications and impact of an event.

The chief financial officer, another staple of risk management, is likely to have similar questions as the CISO, according to Marsh research.

The security organization has to answer these questions:

Where is something likely to go wrong?
What protection capabilities are in place?
If something goes wrong, what does the security organization do?
How does the security organization and insurance provider collaborate in recovery?

As a CISO, "you need to make sure you have adequate coverage and there aren't any, I guess to say shortly, any 'gotchas' in the contract," said Kennedy. Though he would prefer if companies invested more in cybersecurity in the first place, putting insurance "into a smaller corner of need."

Insurers' role in incident response

Companies don't have to jump through hoops to get cyber-insured.

The threshold for obtaining insurance is usually very low, Felicia Thorpe, assistant VP of AHT Insurance, told CIO Dive. Most entities perform quantitative risk assessment "far beyond" what most insurers require.

"If you think about it, if you're the first to market to say, 'we're going to require X, Y, and Z, in order for us to provide coverage,' then they're making it harder to do business" with customers, she said.

Insurers are more likely to take on the carrier market as a whole and decide on standards together. But with that, carrier influence is common, whether among other carriers or policyholders.

There's the chance victims could see paying a ransom as an insurer's default, said Ray. "The decision to pay or not pay became the insurer's right to choose, based solely on claims of expediency or the recommendation of the independent incident response experts called in."

There are many ways insurers are trying to appease customers, through initiatives like coverage grants, which broadens coverage to more specific areas.

This is likely due to an increased demand in cyber insurance, said Thorpe. Eventually insurers will be more rigorous with their standards, holding customers more accountable for their "cyber health" — a nod to Kennedy's emphasis on cybersecurity.

Even now, insurers are not usually the primary consultant victims turn to for response advice after a cyber incident. Insurers that immediately come into play after a cyber event usually provide a forensic vendor for diagnosing the severity of the incident.

The "forensic vendor works for the insured and that's where the relationship is," said McCabe, and it's likely the vendor will have experience with the bad actors behind the incident.

That experience can inform the victim that bad actors are good on their word and will restore functions after a ransom is paid.

Inflicted entities also call on legal counsel to answer key questions:

What will this mean for my reputation?
What are the mandates that need fulfilling?
Who do we need to inform?
If it's a municipality, what will this mean for taxpayers?

"It's never been my experience that the carriers in the room are saying you should do this," said McCabe.

At the end of the day, insurers have a business to run, just as their customers do. A mutual understanding of both entities' modus operandi will dispel skepticism toward the insurance industry.

Companies know cyber insurers have paid off claims. "I think the product responded as intended and I think the carriers have done a great job. I just wish that they were given more credit for that," said McCabe.