In the beginning
The emergence of the Internet as a business platform at the end of the nineties also announced the arrival of new risks to organizations. In those early days, there was a widely held belief that the primary concern was operational, amid worries about the impact of a computer virus or the actions of a “Hacker,” a new term to many of us then.
Despite the lack of actuarial data, a few underwriters in the US and London started to devise solutions to indemnify business interruption losses and the costs to restore compromised data, commonly known as “Hacker Insurance.” We found few buyers beyond large US banks. Clients found the underwriting process both intrusive and expensive as insurers demanded onsite security audits.
On July 1, 2003, everything changed.
California enacted SB 1386, the world’s first data breach notification law. The industry started to understand that the Internet would revolutionize the way that it could store and use data, especially personal information on its customers. However, government and regulators also started to appreciate that this new opportunity could be open to significant abuse and, as the majority of US states started to enact their own data breach notification laws, the risk evolved into a privacy issue.
During the next 10 years, insurers responded by developing solutions to address the risks of handling customer, employee, and patient personal information from either unauthorized disclosure or a violation of privacy. Today it is estimated that total gross written premium exceeds $1 billion and $350 million in total capacity. However, the threat is changing, and the issue for many organizations is moving back to where it started: an operational risk.
While we are coming full circle, this time it is different.
Moving Beyond Stuxnet
You may be familiar with the Stuxnet virus, which is widely regarded as the world’s first cyber weapon. In 2010, it came to light that a sophisticated attack had damaged Iranian nuclear centrifuges. Significantly, this provided evidence that physical damage could now be caused by a cyber-attack.
Stuxnet, perhaps unsurprisingly, has stolen the limelight, but in many respects it has hindered rather than helped board members understand the risk that they are facing. There is no doubt that education and awareness are factors, but many organizations simply viewed Stuxnet as a one-off event with little or no relevance to their own security program.
However, companies face real, tangible operational risks from a cyber-attack today that could cause physical damage, business interruption or bodily injury.
According to Mandiant, a FireEye Company, 95 percent of Advanced Persistent Threats (APTs) are caused by spear phishing, typically an individual opening an email from someone they believe to be a trusted third party. Opening the email allows the perpetrator to install malware on the user’s network and then connect to a command and control server. That’s all it takes. Once in, the perpetrator will move laterally across the network looking for what he or she wants.
The advent of APTs raises significant questions about the whole approach to enterprise cyber security. Many CIOs and CISOs have typically set up a “defense-in-depth” strategy protecting the perimeter with a firewall, intrusion detection systems, antivirus software, encryption, and other tools.
However, many attackers increasingly use “zero days,” meaning previously unknown vulnerabilities, thereby rendering signature-based defenses redundant.
If you are a board member or executive, you should worry about APTs, not necessarily an event such as Stuxnet. APTs have also started to concern governments worldwide.
Commercial Espionage and Data Security and Privacy capture many headlines, but sabotage, particularly against critical infrastructure industries, is now a serious threat. Enterprises in Energy, Transportation, Financial, Healthcare, and Manufacturing industries, amongst others, face the biggest operational risk challenges from a cyber-attack. Some of these industries are particularly vulnerable as they use operational technology such as SCADA systems, which are increasingly connected to corporate IT networks.
The NIST Cyber Security Framework
Government concern has not yet translated into legislation forcing industry to improve its resilience and security posture.
In the US, President Obama issued Executive Order 13636 in 2013 tasking the National Institute of Standards and Technology (NIST) with developing a cyber security framework. The insurance industry has reacted very positively, seeing a partnership emerging with government to start addressing previously uninsurable risks. The industry was a key stakeholder in the creation of the framework and is now working with the Department of Homeland Security in its implementation. Other countries are looking to follow a similar approach to the US. The UK government recently announced its Cyber Essentials scheme, focused more on smaller businesses than on critical infrastructure industries.
Although the new framework is voluntary, many legal commentators feel that it will lead to an increase in risk to boardrooms. A benchmark now exists that shareholders could reference in the event of a major cyber-attack. In addition, and perhaps without realizing it, by directly engaging the insurance industry, the government has done industry as a whole a great favor. Insurers are being forced to confront questions about risks and coverage that had not previously been asked, and they are starting to receive some uncomfortable answers.
Am I insured?
Specialist insurance policies to address data breaches and privacy violations are well understood. Theft of corporate intellectual property from a cyber-attack is also commonly known to be a risk that insurers have yet to understand how to address.
However, and particularly in the context of attacks on critical infrastructure industries, there is a great deal of ambiguity for losses involving physical damage, bodily injury or business interruption. Many wonder, “Don’t my property or commercial general liability policies address this?” At best, the answer is maybe. Some policies will specifically exclude, some will provide limited coverage whilst others will be silent. Considering the nature of the threat and the potential impact on the organization, silence can no longer be acceptable, and affirmative insurance policy language is a must.
The good news is that the industry is already starting to respond. Two insurers to date have announced a “Difference in Conditions” (DIC) approach overlaying the gaps that exist in the Property and General Liability forms; another has launched a terrorism policy to also address cyber attacks. This is all positive but it is just the start. Insuring the risks is one thing, but building out significant capacity to ensure coverage is worth buying is also vital.
Over the coming months and years, insurers will start to work more closely with both government and the security industry. Just as enterprises start to realize that they must change their approach to security from defense-in-depth to an intelligence-led strategy, so insurers will partner with security firms to adapt their underwriting approach on the same basis.
Understanding who is trying to attack you and what they want, aligned with informed decision makers reporting directly to the board or on the board, will be key. Ultimately, the board needs to understand the data its organization handles, where data enters the organization, and where it leaves. Once the board understands these issues, it is in a much better position to recognize its vulnerabilities and decide how to mitigate them.