Criminal advances dictate changes in cyber coverage
Digital technology and the Internet offer endless possibilities for doing business. Just when we think we’ve mastered one concept, something new comes along. Sadly, those in the business of cybercrime are always one step ahead of the rest of us. These criminals never cease to amaze with their tenacity and creativity in finding ways to infiltrate network security systems to steal money and valuable information.
In the beginning
Back in the late 1990s, cyber policies only covered lawsuits stemming from external data breaches. But studies proved that more than 50 percent of all data breaches were internal, originating from disgruntled or rogue employees. The insurance industry responded by widening coverage to include losses arising from employee cybercrimes.
Finding treasures in trash
It soon became apparent that cybercrime wasn’t limited to attacks on networks, but also consisted of what became known as “dumpster diving.” Thieves would literally gather sensitive information from paper sources. Again the insurance industry responded with policies that included coverage of “real world” sensitive information, not just electronic data. This in turn brought about the development of network security and privacy policies, which offered complete coverage of paper and electronic information.
Another type of coverage that developed was for business interruption following a breach. However, research showed that businesses experiencing a data breach usually revert to manual systems until security is installed or repaired. The business interruption is typically only a delay in revenue resulting from the switch to manual methods, not a loss of income.
In the mid-2000s there were several incidents in which companies that didn’t agree to pay criminals for stolen data were threatened with having their reputations ruined or their networks corrupted. This type of crime gave birth to cyber extortion coverage under a separate agreement from the cyber liability policy. Criminals soon figured out that it was too easy to get caught when actual money changed hands. As a result, we have seen a rise in the use of Bitcoin, an anonymous digital currency that is virtually impossible to track. Extortion by ransomware is also on the rise.
The cost of a breach
Soon states enacted breach notification laws. The first to legislate was California in 2003. Today, all but three states have similar laws. These laws have made it mandatory to notify anyone whose personal identifying information has been compromised. In the legal sense, personal information is defined as a first name or initial and last name in combination with either a Social Security or driver’s license number, or any account or credit/debit card number in combination with a security code, access code or PIN. Because the cost involved in investigating and responding to a breach, of which notification is a part, is so high, sales of cyber coverage have risen dramatically in recent years. The costs of computer forensics, legal fees and public relations expenses are typically included in this coverage.
Where we are today
Historically, rating of cyber coverage has been based on income, which actually has little to do with risk exposure. More carriers now ask for the number of records the insured keeps in order to make a more accurate determination of risk.
We live in the Information Age, which is no different from the Iron Age, the Age of Enlightenment, and the Industrial Revolution in that each brought about great shifts in society, both positive and negative. Digital technology is still in its infancy, and as it continues to develop, for better or worse, the insurance industry will continue to create products to keep up with the risks to which businesses are exposed.
Source: Brian D. Brown, “The Ever-evolving Nature of Cyber Coverage,” Insurance Journal, Vol. 92, No. 18. 22 Sept. 2014.