- January 29, 2016
- Posted by: Kerry Tomlinson, Archer News
- Category: Cyber Crime, Data Breach, Posts with image, Security Management
The world of cyber insurance is changing to cover new and evolving crimes using the Internet.
The woman received a call, with a terrifying message.
“We have your daughter S. in our truck and this is a kidnapping,” the caller said, according to victim Valerie Sobel. “If you don’t listen and do exactly as told, we will either send you her thumb that we have cut off, or the rest of her in a body bag. Do you understand?”
It turned out to be fake, Sobel said, part of of a trend of kidnapping scams where criminals use information from social media to convince families that their loved one could die unless they pay a ransom, which she said she did.
Now, there is cyber insurance to cover that kind of crime, and many others committed either online or using information from social media.
“As the crimes of the future have stranger and stranger business models, you can expect the insurance market to keep up with products to cover them,” said Eireann Leverett, founder of Concinnity Risks and a senior risk researcher at the Cambridge Centre for Risk Studies.
Some kinds of cyber insurance may only be for the rich, while others may become a part of everyday life and business.
For those with money to spare, one company now offers cyberbullying insurance.
Chubb will pay for up to $75,000 for counseling, time off work, and relocation after harassment online, reported Ars Technica.
Customers may also get help if they lose their job or get wrongly arrested from cyberbullying, and may be able to hire a “reputation management team” to fix the online mess, reported The Telegraph.
“We see insurance as helping our clients get back to how they were before the incident occurred—whether it’s an incident that affects their home or as a person,” said Chubb’s Tara Parchment, according the the article. “So we still help to restore homes, cars and belongings that have suffered physical harm or damage, but increasingly it’s about the person and how they cope.”
For the wealthy
This kind of coverage probably won’t become commonplace, Leverett told Archer News.
“I think ‘troll insurance’ will have a limited value with public figures and media people,” he said.
Chubb surveyed its wealthy customers and found they wanted financial protection from cyberbullying, reported The Telegraph.
It is currently only available to clients in England and Ireland, according to CNNMoney.
But other kinds of cyber insurance are becoming more and more popular.
Lloyd’s of London reported that the demand for cyber insurance went up 50% in the first three months of of 2015, according to The Telegraph.
“In general terms, we’re continuing to see new customers purchasing cyber insurance and existing customers purchasing higher limits following recent high profile attacks,” said Geoff White of Lloyd’s syndicate Barbican in the article.
The cyber insurance market will grow from $2.5 billion dollars now to $7.5 billion by 2020, estimated PwC in a report at the end of 2015.
Companies can buy coverage for data breaches, denial of service attacks, ransomware, extortion and more, said Leverett.
Insurer AIG says its CyberEdge coverage will help customers prevent a breach, as well as deal with the financial consequences after.
“End-to-end risk management solution providing added cybersecurity expertise and responsive guidance whenever companies need it most, even before a breach occurs,” AIG advertises online.
How can it help?
Take a look at the case of a fictional brewery in the Pacific Northwest, suggested Travis Smith with Tripwire, who lives not far from Portland, Oregon.
“To improve efficiency and quality, computers are deployed throughout the brewing process,” Smith told Archer News.
But those computers can also put the brewery at risk for cyber attack.
Smith said a brewery might be a target because attackers want to affect the stock price, if the brewery is publicly traded, or simply because they find the brewery controls open and vulnerable on the Internet.
“Another scenario would be to attack the brand and what it stands for,” Smith said. “Nothing says Pacific Northwest, or even America, for that matter, like craft beer. By attacking the brewery, the attacker makes a statement that America is being attacked.”
There could be two outcomes of a brewery cyber attack, according to Smith.
“Either destroying a batch of great beer, or destroying the equipment that creates the beer,” said Smith. “For a larger brewery, a single batch of beer could cost more than $10,000.”
“If the brewery could prove a cyber event was the primary cause of the destroyed batch, they could potentially recover the cost of the materials, labor, and lost profits,” he said.
If the attacker manages to destroy equipment, that could be covered under the property insurance policy, Smith said. But if the damage is not permanent, cyber insurance may cover it.
For example, a virus could render the brewery control servers useless, and the business might have to reinstall software to be able to make beer again.
“During this downtime, the brewers would have to revert to less efficient manual procedures, or worse, brewers would be forced to sit idle until systems were brought back online,” he said.
“Cyber insurance would recover the business continuity, lost labor and recovery effort costs associated with bringing the brewery back into operation,” he added.
Damage to people
If the attacker actually hurt or killed a worker during the hack, the brewery could face even more difficulties, including potential fines, Smith said.
He gave the example of the death of a worker at Redhook Brewery in New Hampshire where the company was fined almost $45,000 for safety violations.
“In addition to that fine, the company incurred costs for investigating the accident, returning the brewery back to operation, lost profits from closing, the associated publicity, additional salary costs by hiring additional safety consultants, and marketing costs to respond to the press regarding the event,” he said.
“For a large brewery with millions in profits, these costs are not critical to the survival of the company,” said Smith. “For a smaller brewery, which the majority of the 4,000+ in the U.S. are, these type of costs would be catastrophic and may cause the company to shut down.”
Some companies specialize in insurance for large industrial plants and systems, where the stakes are high, Leverett said.
Companies like AIG and Aegis realized there was a market for this operational technology cyber insurance after a number of attacks wreaked havoc in Australia, Poland and Germany, he said.
Hackers caused “massive damage”to a blast furnace at a German steel mill in 2014, reported the BBC. The attackers got in through e-mail, the BBC said.
A 14-year-old boy hacked into the tram system in Lodz, Poland in 2008, playing with it “like a giant train set,” reported the Telegraph. He derailed four cars, leaving 12 people hurt, according to the article.
And in Australia in 2001, a man unhappy over a job application rejection hacked into a waste management system and caused raw sewage to pour out into parks, rivers and a hotel, reported The Register.
How much you pay for cyber insurance may depend on many factors, like the kind of business you have, the kind of security you have, and how much you want to receive if you are hit by cyber crime.
Insurance broker Cyber Data Risk Managers provides sample quotes on its Data Breach Insurance website.
A doctor’s office with a yearly revenue of $700,000 might pay a premium of $649 for coverage with a limit of $500,000, the site said.
A fast food company with $15 million in revenue might pay a $9,000 premium for coverage with a limit of $1 million.
A hospital with $170 million in revenue could pay a $42,000 premium, with a coverage limit of $5 million.
And a data storage center with $15 million in revenue could pay $120,000 for its premium, and a limit of $20 million for coverage.
Bringing down the cost
You may not automatically qualify for cyber coverage.
You may need to show you are following “at least a minimum of ‘best security practices’ for some policies,” according to Tim Erlin with Tripwire.
Can you bring down the cost of premiums?
“Yes, there are many ways to achieve cost reduction. In general, it is required for the business to demonstrate that some measures have already been taken to reduce the likelihood and impact of a potential cyber security incident,” wrote Leron Zinatullin in The State of Security.
Having some sort of certification showing you are following safety procedures can help, he said.
“Or for instance, having an incident response team can drive the premium down,” he said.
Cyber insurance for you?
“Cyber insurance may or may not be appropriate for a given company,” said Erlin.
Insurance company make money because they take in more than they pay out in claims.
“Breaches are difficult to predict, and wildly variable in their nature,” said Erlin. “That means that you have to read the terms of any cyber insurance policy very carefully, and have a reasonable knowledge of how likely those events are to occur.
“For large organizations, cyber insurance can make a lot of sense. The jury is still out for smaller organizations,” he said.
Others have a different view.
“If you’re a small business who can’t quite afford security teams yet, or a large business in a transition period, it might be the right tool to fill a gap in your program, until you can build the security team for today’s threats,” said Leverett.
You will want to understand how the insurance company defines the cyber crimes covered.
Chubb’s coverage considers cyberbullying to be “three or more acts by the same person or group to harass, threaten or intimidate a customer,” reported Ars Technica. Other companies may have different definitions.
Some consultants say you should watch for cyber insurance policies that are too easy to get, and may have exceptions to coverage.
If you run a business, you will want to check with other companies of a similar see to see if they have experienced a cyber crime, and how much it cost them, said consultant John Walker in The State of Security.
The PwC report showed small businesses lost an average of about $410,000 from security incidents, medium-sized businesses lost about $1.3 million, and large businesses lost about $5.9 million.
You can’t replace good security practices with cyber insurance, experts say. But as cyber crime costs people more money, more people are turning to insurance as a way to protect themselves. And the “safest drivers” in the cyber world may come out on top in the cyber insurance game.
“It’s clear that there is a market for cyber insurance. It’s not going away,” said Erlin.