Cyberattacks have become an increasing threat to businesses of all sizes across all industries. A wave of cybercrimes has occurred in the last several years, from the 5.4 million Twitter accounts stolen during a massive data breach to the 2.5 million social security numbers stolen from Nelnet Servicing. The average cost of a data breach in the United States was $9.44 million, and experts predict that total losses will climb to $10.5 trillion annually by 2025.
Overview of cyber insurance
Cyber insurance protects businesses from the first-party losses and third-party liability expenses that follow a cyberattack. This covers anything from data breaches to cyber extortion. However, it’s important to note that cyber insurance should not be confused with cyber security.
“True cyber security is a blending of people, processes and technologies that support the mission-critical and business-critical functions of an organization,” said Doug Brush, President of Asell Consulting and a data governance and evaluation specialist.
Having spent the last 30 years working in the technology sector, Brush said the most expensive data breaches, for first-party losses, have been for small companies, “both in revenue and footprint.” For instance, a small C.P.A. firm that’s served the community for 30 years can have a “ton of tax records for hundreds of thousands of people.” All these things add up to “really toxic data,” Brush said.
In a CNBC and Momentive survey, 56% of American business owners said they were not concerned about being the victim of a hack in the next 12 months. Among those, 24% said they were “not concerned at all.”
A misconception exists among small business owners that hackers only go after behemoths, a possible reason why only 40% of businesses have purchased cyber insurance. They fail to realize they’ve become attractive targets, having far less protection and fewer resources to monitor customers’ data. It’s a massive risk for smaller companies, considering a single cyberattack could be financially devastating: 95% of cybersecurity incident costs fall between $826 and $653,587.
The cost of cybercrimes
For 83% of companies, it’s not if a data breach will happen – but when.
“If you look at cybercrime as compared to a G.D.P. number, it’d be the third largest economy on the planet after the United States and China. It makes about $13 to $14 trillion in the industry a year. There’s a lot of money behind it. It’s well funded; it’s well orchestrated,” Brush said.
Data breaches increased by 14% in the first quarter of 2022. In 2013, tech pioneer Yahoo became the victim of the largest breach in history, exposing over 3 billion user accounts. Another massive breach in 2014 targeted hotel mega-giant Marriott, which compromised the credit card details, passport numbers, and birthdates of more than 300 million guests stored in the brand’s international reservation database. Uber, Adobe, and LinkedIn have joined the list of multimillion-dollar household corporations to become victims of costly cyberattacks.
The issue with cyber insurance
One of the biggest issues with cyber insurance is that people don’t understand what it means. In the last several decades, cyber security has been misrepresented and sold as a “technical problem” when the focus should be how “money hits the balance sheets,” Brush said. This misconception has led to widespread confusion and poorly designed processes for how companies go about managing their data.
“Why are we measuring the cyber insurance policies around the IT, not the data?” Brush asked.
Brush said it boils down to a “data governance issue.” Companies treat data loosely, with limited governance around it, which makes it difficult to determine the right level of coverage.
Cyber insurance has become an “important part of risk transfer.” Brush said that organizations substitute insurance for proper risk management strategies and over-rely on technology because they lack an understanding of how to build an effective program.
“And wherever they have risks they can’t fully absorb or build around, they’ll insure it because there’s a dollar value,” he said.
In 2020, the global cyber insurance market was worth an estimated $7.8 billion. But as a cyber war continues to shake the infrastructure of the online world, insurance companies are growing more hesitant about risk, with the average price for cyber insurance rising 79% in the second quarter of 2022.
Brush believes cyber insurance should be only one component of a good cyber security program, with top-level governance, set by organization owners, the board of directors, and officers, defining the data security protocols.
The Fault Lines of Cyberattacks
The growth of ransomware and data breaches has exposed huge cracks in current cyber insurance coverage.
“Traditionally, cyber insurance policies have been a portion of D.N.A. and other parts of the insurance industry as business lines, and they only account for 6% to 10% of the total underwriting. But there are big losses there,” Brush said.
One question remains: Who’s responsible for safeguarding a company against an attack?
Large enterprises have taken a check-box approach to cyber security. If you look at the larger data breaches, nobody on the executive level, “whether it be a board of directors or corporate officer, gets in trouble,” Brush said. However, a recent Ponemon study found that stock prices fall an average of 5% the day a breach is disclosed, and companies experience up to 7% customer churn.
As far as public perception goes, although a complex hack may not be a C.E.O.’s fault, consumers are starting to demand more from the executives to whom they entrust their personal data. This means Teflon-coated C.E.O.s may be out the door after an organization suffers an attack.
After a 2013 Target credit card hack compromised the financial information of 40 million customers, C.E.O. Gregg Steinhafel resigned despite a 35-year tenure. A year later, Sony’s C.E.O. Amy Pascal was forced to resign, and Equifax C.E.O. Richard Smith stepped down after their companies suffered attacks.
“We need to treat the most valuable data asset or the valuable asset within an organization that’s data like we do money, but we don’t,” Brush said.
Organizations should evaluate their level of risk and ask themselves, “What’s my health like?” They can then “identify the gaps and insure those gaps,” Brush said.
How businesses can reduce their risk
Data breaches pose enormous risks to a company’s brand, reputation, value or stock price, and public perception. Slowing the number of attacks will require companies to tighten the reins on access to their data. Brush said that having a “good data map” and really “understanding the data sets,” along with tightening access controls, will be critical for organizations to protect themselves from cybercrimes.
“Too many people from really down at the integral level have access to data they don’t need. Like a bank vault, not everyone should have access to it,” Brush said.
Changing the Landscape
According to Brush, dramatic changes in the market are underway: cyber insurance carriers, tired of covering the high cost of online crimes, are shifting their perspectives and requiring tighter data security controls as part of the underwriting process.
Brush said that litigation would “fundamentally change the game,” holding organizations accountable for mishandling data and making them report losses on their balance sheet.
“Litigation is going to be the path forward to actually enacting changes,” Brush said. He notes a similar pattern with bank robberies over the last 100 years.
“Bank robbers made a ton of money, and it’s not because that’s where the money was.” It’s because “nobody was stopping them.” Insurance companies had to push back at the executive level and refuse to cover losses. It wasn’t until we held executives accountable that “banks became hard to rob,” Brush said.
In the meantime, a thoughtful data protection strategy in conjunction with cyber insurance is the most holistic way to manage the significant risks posed to businesses in our digital world.