By Marc Dorneles
Property Casualty Insurance Advisor

To say that Cyber insurance is a hot topic and an enduring trend is a major understatement. Given how serious and fast-growing the threat is, and how essential Cyber insurance has become as a component of risk management, it might even be difficult to imagine that its urgency is not common knowledge. Indeed, as Ginni Rometty (IBM former Chairman/current Board Member) has said, “Cybercrime is the greatest threat to every company in the world.”

Warren Buffett went further and said cyberattacks are the number one problem with mankind. Not that I necessarily agree with him on that, but I think it plays well to highlight the importance of the subject at hand!

What is Cyber Insurance? Cyber Insurance covers business liability and associated expenses (defense, settlement, and various business expenses) concerning data breaches. A Cyber Insurance policy has (or rather, a robust policy should have) two parts with respect to the parties covered. Part 1: first party coverage for your business. Part 2: third party coverage for your liability exposure. First party coverage typically includes, but is not limited to: notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and loss resulting from identity theft. According to the International Risk Management Institute, first party coverage may also cover liability arising from website media content, as well as other exposures from: (a) business interruption, (b) data loss/destruction, (c) computer fraud, (d) funds transfer loss, and (e) cyber extortion. Third party coverage typically provides liability coverage for businesses that are responsible for a client’s online security.

Below is a quick summary of the components of a Cyber Insurance policy:

Network Security liability: (3rd party) An insured’s system fails to prevent a security or privacy breach. Includes transmission of a virus.
Privacy liability: (3rd party) An insured fails to protect electronic or nonelectronic information in their Care, Custody and Control.
Media liability: (3rd party) Intellectual property and personal injury perils. May result from website.
Regulatory liability: (1st party) Federal and state fines, penalties, investigations.
Crisis Mgmt.: (1st party) Notification expense, credit monitoring, forensic investigations, public relations.
Data Recovery: (1st party) Expenses to investigate a system intrusion and recover data.
Business interruption: (1st party) Lost income, extra expense to restore operations.
Cyber Extortion: (1st party) Payments made to a party threatening an insured’s system.
Tech services/products & professional E&O: Added when applicable for failure to perform as indicated.

The important distinction here is between two kinds of coverage. One is a thin layer of coverage, often implemented through an endorsement added onto a Business Owners Policy or Commercial Package Policy, which is limited both in scope of coverage and in monetary indemnification limits. The other is a robust stand-alone policy with a premier platform. Claims handling and cyber security services are also a key component and value add.

Why is Cyber insurance important? Because it is a growing exposure. Here are some statistics:

  • 2020 broke all records in data lost and sheer numbers of cyberattacks on companies, government, and individuals (Forbes article: Alarming Cybersecurity Stats: what you need to know in 2021). Importantly, not only volume but also sophistication is on the rise, as evidenced by the recent SolarWinds and Accellion attacks, which targeted Department of Homeland Security officials and universities respectively, adding to a litany of major organizations that have likewise suffered cyberattacks.
  • Malicious hackers are now attacking computers and networks at a rate of one attack every 39 seconds (University of Maryland).
  • 81% of surveyed organizations were affected by a successful cyberattack (CyberEdge Group 2020 Cyberthreat Defense Report).
  • There were 144.91 million new malware samples in 2019 (AV-Test) and we’re already at 113.10 million new samples in 2020 (as of midway through November 2020).
  • In 2019, 93.6% of malware observed was polymorphic, meaning it has the ability to constantly change its code to evade detection (2020 Webroot Threat Report).
  • Almost 50% of business PCs and 53% of consumer PCs that got infected once were re-infected within the same year (2020 Webroot Threat Report).
  • US ransomware attacks cost an estimated $7.5 billion in 2019 (Emsisoft).
  • Almost 200 million ransomware attacks occurred in the first nine months of 2020, representing a large increase over the previous year (SonicWall). What makes the ransomware problem worse is that nation-states are involved.

As these statistics show, cyber breach incidents are only going to continue to increase. Unlike catastrophic weather-based claims, cyber breaches aren’t cyclical; they are human-induced and therefore inherently unpredictable and not something that can be planned. Some of the top causes of cyber breaches and ransomware attacks are phishing emails, lack of training, and weak passwords. Data Breach Notification Laws have now been enacted in all 50 States. Cyber insurance is also an integral part of a solid Risk Management process, as more vendor agreements are requiring cyber insurance from a contractual compliance perspective before the vendor will engage with potential clients.

To summarize, we have only scratched the surface on the volume of alarming statistics, but the picture is crystal clear: Cyber insurance protection is a must. It is also only part of the overall proactive engagement necessary to implement a long-term successful strategy. Other critical components are partnering with expert IT security firms, active ongoing maintenance, employee training, and having the right tools and procedures in place. Together, these form a holistic, layered and dynamic approach to the ongoing and increasing cyber threat landscape.

Marc Dorneles is the Vice President of Property Casualty Insurance Advisor in Greenbrae, California, which provides homeowners insurance, auto insurance, small business insurance and commercial insurance.