‘Response and Recovery’ Emphasized for Cyber Attacks
Cyber insurance is for when technology fails and human nature prevails. That point was driven home most dramatically in an afternoon panel at the Brokerslink Conference Oct. 16 in New York with a story of a $300 laptop that was lost; the company has since spent $800,000 on forensics, notifications and recovery.
Cyber coverage is both readily available and inexpensive, according to Geoff Kinsella, chief operating officer and partner at Safeonline.
“There are 42 underwriters at Lloyd’s that offer cyber coverage, so many that the organization is concerned about aggregation risk and has added a code to track policies that include cyber,” he said.
Cyber lends itself to managing general agents, and there are three at Lloyd’s, said Kinsella. He added, “I just heard that three more MGAs are entering, and capacity is going up. A lot of that is naïve capital that is just following the dollar. Premium volume is projected to go as high as $80 billion from $2.4 billion today, or so it is said, but I can’t find it.”
Scott Corzine, managing director at FTI Consulting, noted that “the first thing that clients say to us is, ‘Tell the board about cyber.’ Boards are not comfortable with these risks. They don’t understand the terminology, and they think it is a tech issue.
“There is a tech part, but after $78 billion spent on cyber defenses, that is clearly not working,” he said. “No amount of spending is going to prevent cyber risk. So we have to turn inside to response and recovery.”
But boards should care, he said, because “it’s not the initial hack that brings down a CEO, or takes a chunk out of the company’s market cap, it’s a bungled management response. Our tech guys tell us the tech part is easy: but that does not change human behavior.”
Marina Barg, senior vice president of U.S. casualty claims at Navigators, noted that while the fall of a top executive or stock price for a major corporation makes the news, “most attacks occur at smaller companies, and wherever they occur, the company often does not know until much later.
“A hack is not like a car accident where everyone knows when it happens. The damage is often not done until way down the road, and by then you are far behind in response.”
Corzine concurred. “Big companies often have robust defenses, so attackers can try to worm their way in, or they can get in through a supplier or vendor. In the Target case, the hackers got in through the air-conditioning contractor.
“So basically there are two kinds of companies: those that have been attacked and know it, and those that have been attacked and don’t know it yet.”
The headlines report attacks at Target, Home Depot, Verizon and AT&T, but Joseph Bermudez, regional managing partner at Wilson Elser, said that it is not always malicious activity that causes a cyber loss.
“Sometimes it is a bad act, but often it is an accident,” he said, noting that regardless of the cause, “if there is a breach, your client will get a letter from their customer saying that they caused a problem and that they are owed some money. Now your client has a liability.”
Given that likelihood, it would seem owners would be flocking to buy cyber coverage, but that is not the case, said Kinsella.
“Maybe everyone should buy, and every broker in this room has tried to sell cyber. The problem is education. And part of the problem is calling it cyber, because coverage goes much further than just hacking data to mistakes and failures.”
Kinsella listed four motivations for a risk manager to buy cyber coverage: the board said so; there have been losses already; regulatory or compliance requirements; or contractual obligations.
“So education goes back to motivation, and insurance goes back to exposure,” he said. “Companies don’t buy property coverage and then go check the sprinklers. But we see people try to buy cyber coverage before they determine their exposures.”
It’s only at underwriting that the questions start to come, said Kinsella. “How many devices do you have? How do you move data around the company? Who are your key vendors and providers? Who is responsible for the data they handle?”
Navigators’ Barg noted that even as capacity and underwriting expand, policies remain highly variable among first-party and third-party coverage, extending to pre-consulting and post-consulting, and with multiple sublimits and attachment points.
Options are good, but complications can be just as daunting to a small company as would be high prices.
“It is the smaller companies that have more to lose than the major corporations,” said Bermudez of Wilson Elser. “A big company has people to fight for their reputation. Main Street does not. Their brands are not so resilient.”