Every day we read stories about data breaches and cyberattacks on business and government websites, and the resulting loss of personally identifiable information (PII). Cybercrime is on the rise, and given the ever-evolving methods of attack, meaningful relief and reliable measures to fend off cybercriminals are unlikely in the foreseeable future.
It would seem obvious that companies need to insure against cybertheft, but amazingly enough it appears that many businesses, likely the majority, do not have any cyber insurance.
It is hard to determine the exact number of companies that currently have some form of a cyber insurance policy, since there is no centralized reporting repository. However, PWC estimates only about 30 percent of companies have cyber risk insurance or cyber liability insurance coverage (CLIC). If correct, that figure seems shockingly low, given today's environment.
Most businesses apparently do not believe they are at risk of losing one of their most valuable assets -- customer data -- to cybercriminals. Anyone who reads the daily news knows that is a foolish gamble to make. It is common, if not mandatory, for U.S. companies to purchase a variety of insurance policies, including commercial general liability (CGL), directors' & officers' (D&O), and errors & omissions (E&O).
Not all CGL, D&O, and E&O policies are identical; often they are industry-specific. For example, a company building and selling bicycles is radically different from an e-commerce retail business (like Target) that collects PII and credit card data (regulated by the payment card industry (PCI)). Cyber risk for bicycles may not exist, but bicycle manufacturers and sellers would need insurance for faulty design. On the other hand, an e-commerce retail business surely would need cyber insurance.
New companies should invest the time to investigate cyber insurance needs for their industry, and understand the risks of being sued by customers for loss of PII, PCI data, or personal health information (PHI).
Insurance companies use historical data to set premiums based on business and industry categories. In the foregoing example, an insurance company would have no problem offering traditional insurance policies to the bicycle manufacturer, given the long history of manufacturing and selling bicycles in the U.S.
The same cannot be said for CLIC policies, since cybercrime is relatively new and cyber risks change frequently. Even the most sophisticated companies have difficulty keeping up with the ever-evolving and prolific number of cyber risks.
Nowadays, once a chief information security officer (CISO) fixes a potential cybersecurity risk, the cybercriminals unleash a new form of cybercrime. This makes the underwriters' job of identifying and quantifying risks tricky.
The limited data available to underwriters further compounds the issue. All 50 states now require some form of reporting for cyber intrusions when PII is compromised, and many insurance policies provide those impacted individuals with credit protection (think Lifelock) for 12 months. Oftentimes, however, organizations fail to report the full impact of breaches in order to avoid negative publicity that could damage the trust of customers.
Since quantifying and identifying specific cybercrime threats is so challenging, insurance companies tend to focus on types of losses -- which are more fixed in nature (e.g., first-party losses and third-party claims) -- when determining premiums.
In addition to a company's industry, insurers look at the type of services that company provides, data risks and exposures (e.g., does the company store and maintain sensitive customer PII, PCI data or PHI?), security protocols in place (if any), policies, and annual gross revenue.
Insurance companies study every claim to see if there will be insurance coverage irrespective of the type of business -- be it the bicycle manufacturer or e-commerce business. Because there is more historical data for the bicycle industry, the insurance company generally can make a decision pretty easily.
In the e-commerce world it is not so simple. Sometimes a particular type of cyber incident has never happened before, so the insurance company will reject the claim.
Today some insurance companies are rejecting cyber insurance claims when the criminals are outside the U.S., stating that the cyber incident was an act of war.