From news stories to webinars to presentations and discussions at trade shows, it's been nearly impossible over the past year to avoid the topic of cyber risk. The threat is not new, and insurance addressing the risk has been around for about 15 years now—but only recently has the issue become so top-of-mind for so many.

Before the 2014 RIMS Annual Conference and Exhibition, PC360 asked four risk managers that sit on National Underwriter's Editorial Advisory Board what is the most significant emerging risk on their radars. Nearly all of them mentioned cyber risk. And that was just a preview to the mood at the RIMS conference, where cyber was a hot topic among both buyers and sellers of insurance.

For example, Chubb Corp. released its 2014 Multinational Risk Survey at RIMS, which questioned 300 U.S. and Canadian companies about their international global exposures, and data breach/cyber was the second-biggest threat cited by respondents after supply-chain failure.

Kathleen Ellis, senior vice president of Chubb Multinational Solutions, said cyber has been of great interest to clients, and she added that she would not be surprised to see cyber top the list of threats in a future survey.

Why has cyber become such a major issue? Tom Srail, senior vice president at Willis, says news over the years about high-profile breaches, in conjunction with mounting data-privacy and notification regulations, have pushed the conversation forward over time. "Every time one of those big industry events leaks into the day-to-day media, there's renewed interest in and discussion about cyber."

And the past year saw plenty of high-profile events. A report from Risk Based Security says four of the top 10 breaches (with respect to the number of records exposed) occurred in 2013, including the highest of all time—which exposed 152 million records. The report says the number of incidents was down from 2012, which sounds like positive news until you discover that the number of exposed records shot up to 823 million compared to 264 million in 2012.

Toby Merrill, division senior vice president of ACE's Global Cyber Practice, also mentioned the recent news about large material breaches as a reason for the spike in interest, but he does not believe that is entirely what is driving it."Probably the biggest contributing factor is just technology in general," Merrill says. "Look at how we use technology in business and our personal lives," he continues, pointing out how devices have transformed how we interact as human beings.

To be competitive today, Merrill says companies have to rely fairly heavily on technology to deliver a product or service—and those who take advantage of modern technology are in a better competitive position relative to their peers. But with that rapid evolution in technology comes a new spate of evolving risks.

"In the risk-management community, we want to pause and take a breath," he says. "We're OK with the benefits, but before we jump into the pool, let's talk about if we need swimmies first."

Where insurance comes in

Insurance protection and services have grown over the years to become, if not swimmies, at least a critical life preserver that can keep businesses afloat in the event they do suffer a breach.

Srail notes that in the early days of insurance for cyber risk, insurers paid for notice and credit-monitoring expenses. Buyers were generally limited to dot-coms and some retailers and banks.

Since then, coverage has progressed and become relevant for a wider base of customers. "For a good chunk of the industries out there, cyber is very useful for them," says Srail, although he acknowledges it's not for every industry.

"An easy one is manufacturing," he says, explaining that a wholesale manufacturing company that isn't selling to customers would only have its employee data to lose, "which is sensitive, but there's a limited amount of it." In contrast, he says a billion-dollar manufacturer potentially losing data on its 5,000 or 10,000 employees would not be a "meaningful enterprise risk" for that company.

Srail also mentions limitations for energy companies, stating the "off-the-shelf cyber [exposure] we see in the news in retail breaches isn't as directly impactful to some of those organizations." Yet even that's changing, he adds, noting that one major carrier released a new coverage product targeted at power, energy oil and gas companies.

American International Group last month announced CyberEdge PC, an expansion of its cyber insurance offering to include property damage and bodily injury exposures. The company said it was a response to growing incidents and threats of cyber attacks directed at commercial industries that can lead to equipment failure, physical damage to property, and physical harm to people.

And for most other sectors, the addition of coverages and services over the years has made the cyber-insurance market more attractive. For example, Srail says adding coverage for fines and penalties made a big difference in health care, among other sectors. "We've seen a third example over a short amount of time of an over $1 million health-care fine from either a federal or state regulator for a relatively small breach," Srail says, noting that this seems unique to the health-care industry. "We don't see a bank losing 20 credit card numbers and getting a million-dollar fine," he says. "We do see that in the health-care world."

Beyond the coverages, ACE's Merrill notes the insurance industry has developed expertise concerning cyber to the point where "even some levels of the federal government have recognized the insurance industry as a resource to help promote best practices around risk management."

Despite what Srail calls the "year of the mega breach" in 2013, carriers have mostly retained their appetites to write cyber-liability cover. Srail says Willis' team does what it can to keep carriers calm in the face of large and public losses, explaining that more people than ever will be buying coverage now.

In fact, he says the market "needed to see a $100 million limit-loss payout to get larger firms on the fence to buy and mid-size firms dipping their toes in the water" to purchase larger limits.

Fears of a mega breach

Not all in the industry believe insurers are where they need to be when it comes to addressing and pricing cyber risks. Jonathan Hall, executive vice president at FM Global, believes carriers have work to do to stay ahead of the risks. "I think the industry is reacting to a client need and trying to catch up," he says. "I think the industry is trying to react as quickly as it can," he adds, "but it's hard because every time you turn around, there's a new twist to it."

The secret, he says, is finding the point at which insurers can provide the right coverage at the right price that meets a client's needs. The challenge is trying to discern exactly how big a serious loss can be for insurers.

Hall says he isn't concerned about one hit. After all, he says, insurers can take a $50 million to $200 million loss. It's the aggregation of such losses that concern him. "The balance-sheet issue here is you have to start looking at cyber kind of like flood, earthquake and wind: How many of my clients could potentially be involved in one event?"

Having a $100 million single-client event hit 100 or 500 clients becomes "a massive potential exposure to the balance sheet," Hall adds. "And I think that's part of what the insurance companies are trying to understand: how big can this be?"

This potential exposure is considered against the backdrop of more companies storing their data in the cloud."It's a huge concern," ACE's Merrill says of the potential for a breach at a cloud provider that could affect the data of multiple companies. "It's very real, and the perception is, it can happen."

Srail says the issues for cloud providers go even beyond a hacking loss. "Cloud providers can have a big breach where they lose data for 1,000 customers, sure," he says. "But they can also have a big downtime issue that can shut down 1,000 companies. So they're involved on both sides."

Merrill also notes there's "very little contractual indemnification" with many cloud providers, limiting companies' recourse should their stored data be compromised. "And that's important, because why would you ever trust anybody if they don't have repercussions?"

Srail says cloud providers initially thought "they could be a utility, like the phone company. You can't sue the telephone company when you get an obscene phone call." Along those lines, Srail says cloud providers had hoped they could hold data, but that's it—so if cyber criminals steal a customer's password and access that company's data, the cloud provider wouldn't be liable.

He also says providers weren't charging for the responsibilities that come after a breach. Cloud providers have been charging very little to store large amounts of data, "plus, they're professional security firms," says Srail. "It sounds great."

From the perspective of companies using cloud providers, Srail says the thinking has been, "We want all that, and want it to cost nothing. But if anything goes wrong, we want [the cloud provider] to pay." Cloud providers, naturally, feel differently.

Srail says there has been progress in bridging this divide recently after pushback from companies that use cloud providers as well as regulators. More cloud providers now are "taking on more obligations and charging for it," adds Srail. "I think that's good. I think that's what we need to do."

Best to think twice

Companies must consider what data they should collect, when they should get rid of data they do not need—and how they can securely dispose of it.

Merrill recognizes the risks associated with gathering large amounts of data, and the education that needs to go into both collecting and compiling it. He says ACE insures companies in many different industries: "They have all this data, and they see the benefits of big data. They're finding correlations between different types of data that's going to help their business. And that's a good thing, but it also presents some risk."

Beyond the risk of a breach that exposes information, Merrill raises questions about privacy that companies should consider: "When you wrote your privacy policy, did you disclose you'll be collecting that type of data, or using it in some way, or sharing it with third parties?"

He says the Federal Trade Commission is looking into how companies gather and store information, explaining that when people download apps, for example, they may not read through the disclaimers. "I'll get a free app," he says, "I get to play around, but I don't realize what you're doing with my information."

The data collected goes beyond what may be perceived as "personal information" in the traditional sense, Merrill says, tracking activities such as a person's location, what the person does with his or her time, where they spend time, etc.

"This stuff is being monitored," Merrill says, "and I don't know that it's been terribly transparent to consumers. The FTC is looking at that."

Beyond reviewing policies and procedures, companies must train their employees. A significant number of losses are still caused by employee errors—both through honest mistakes and malicious intent. "Getting that culture and training is a huge risk-management-mitigation tool," Merrill says.

Catherine Padalino, senior vice president, Chubb Specialty Insurance, is concerned about employee risks as they relate to companies' "bring your own device" policies. She says this is a popular policy, but it puts companies at risk, especially as employees travel with devices containing business-confidential information.

Padalino says companies should think twice about what information employees store on their devices and what measures are in place—password protection, encryption, the ability to remotely wipe data from the device—to protect that information.

She says employees should be provided specific examples of what information they can store, what they can transmit and even what can they post on social-media accounts.

After a breach, is there a 'right' way to respond?

Risk managers also need to be thinking about what to do in the event their organizations are hacked. During a breach, a company can face criticism from many directions.

Target, for example, in the very public breach that it suffered around the holidays, was criticized by some for taking too long to reveal to consumers that their data had been exposed at all. But then it received further criticism when the data stolen turned out to be of larger magnitude than the company had initially stated. Should Target have waited longer to report the number of records compromised? Is there any one "right" way for companies to handle data breaches?

"It's almost a no-win situation," Srail says. "It's a not-lose-too-bad situation."

ACE's Merrill says each breach is different, and it is difficult for a company to know exactly how it will react to the specific hacking it suffers. He compared it to parents-to-be expecting a child: "You have absolutely no idea how you're going to react the moment you have this little person," he says. "You just don't know until you experience it yourself.

"And so many variables can come into a breach just like when you have a baby. You're going to get dealt different fact patterns. And if you have multiple children, you know no two are the same. They're all a little bit different. Data breaches are just like that. You have no idea how your organization's going to react."

Even if a company has a plan in place and has discussed it with all of the relevant personnel, data breaches "all have personalities," says Merrill. "Facts are so important when dealing with breaches," he adds, noting that it is difficult for people outside the company to know what was going on during the investigative process; it takes an immense amount of work for companies to get to the point of notice and notify the public properly. "Sometimes you're being told [information] by a vendor and you don't even know yourself."

Despite the chaos that can ensue after a breach, Willis' Srail says companies must review their incident-response plans to make sure they "work with the world that we're playing in today," and also that they work with any cyber-insurance policies the company has purchased.

Some insurers, for example, require insureds to use a certain vendor or select from a list of vendors."As you're evaluating carriers," Srail says, "make sure the policy works within your plan or adjust your plan."

The plan should also address who is going to—or not going to—speak to the media. One carrier that sells policies and services, Srail says, advises clients not to get their public-relations firm involved.

The job of PR is to "get your name out there," he says, and a company that suffers a breach does not necessarily want that. It may instead want to enlist an expert communications firm that can deliver critical information urgently and accurately and then get the company's name out of the news, making the event one of the breaches the public largely forgets about rather than one people talk about.

Merrill likewise talks about the importance of working with the right vendors and conducting "tabletop exercises to go through scenarios to see if processes are working" as the company intended.

Companies also have to be able to "adjust and be nimble," he says. What works for one company may not work for another, even if the records breached are similar.

"There are so many variables that factor into data breaches," Merrill says, adding, "I've never seen the same breach response work in two different cases."

What to Store?

Ultimately, Merrill says, companies have to make sound decisions when they decide to store information in the cloud. Many cloud providers have "incredible security controls," he says, but companies must still consider:

  • What type of data they are going to store in the cloud?

  • What applications and services they are they going to access on the cloud?

  • Are they using a public or private cloud?

  • Are they encrypting that data and who holds the encryption keys?

And for risk managers, questions should extend beyond how to store data and address what data needs to be collected in the first place. In the age of big data, the perception is that more is better, "but I don't necessarily agree with that from a risk-management perspective," Srail says. "It's risky to keep all that data."

Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader

Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.