Concern about digital crime is at an all-time high in local C-suites, with major data breaches at giants like Sabre and GameStop keeping cybersecurity top of mind. Large players like AT&T have come forward with insurance to offer protection and help companies recover in the wake of data disasters. But the relative novelty of the policies can make it difficult to know what they will and won’t pay for.
On the other side, insurers are struggling to determine what damages they should cover from tech crimes and what they should charge for premiums. That’s partly because corporate secrecy about hacks means nobody knows how often companies get hit—or what the bottom-line impact truly is.
The insurance industry is still working to understand and get a handle on the extent and variety of cyber risks, says Ernest Martin Jr., a Haynes and Boone partner who chairs the firm’s insurance recovery group. Martin has seen more companies buying this form of insurance in the last 18 months and says that contractual language in cyber policies can vary widely from one insurer to the next. “Purchasing them is not as easy as purchasing general liability insurance,” he says.
There are also unresolved legal questions about coverage for damage to corporate reputations, which can endure long after a data breach has been fixed.
As more security technologies become available to small businesses, insurers are getting increasingly comfortable writing policies for them, says Anne Chow, president of national business at AT&T. (The company offers cyber-protection services to small businesses and, via the brokerage Lockton Affinity, makes related insurance available from CNA Financial.) “Few [insurers] require cyber loss controls to be in place before underwriting these risks,” Chow says. “But this is changing as well, especially if the customer doesn’t want to pay high premiums.”
Sophisticated, Well-Funded Attacks
Data security has emerged as a top concern for CEOs, because of the growing risk they present. “It used to be you protected the perimeter of your enterprise with a firewall, put in a little virus scanning and called it a day,” says Peter Giordano, senior director of information technology security at Vizient, an Irving-based supplier of technology services for the healthcare industry. “Now,” he adds, “you have to protect everything because everything is interconnected.”
Remington Hotels, a hospitality-management company based in Dallas, saw that first-hand last year when Sabre, which books travelers’ stays, had a major breach. “It affected 20,000 of our guests,” says James Clent, Remington’s chief information officer who also is associated with the Society for Information Management, a trade group.
And though the term “hacker” may conjure images of a lone teen in a hoodie, technology chieftains worry more about sophisticated, well-funded attacks. “Cyber thieves, such as nation states or criminal organizations searching for military or commercial intellectual property, are a much higher priority than rogue hackers,” says Bennie Peek, CIO at Fort Worth-based Bell Helicopter.
Russia and China are often behind successful criminal attacks, according to Clint Emerson, a former Navy SEAL and founder of Escape the Wolf, a Frisco security company. “No government will take responsibility, but the digital crumb trail always leads to one or the other.”
State-sponsored groups may be behind the relatively high number of cyber-attacks on hospitals near military bases, according to Ross Carevic, director of technology sourcing at Vizient.
“These organizations have the resources to perform highly advanced types of incursions, which are publicized and studied in detail by independent groups that turn vulnerabilities into commercial hacking opportunities against hospitals,” he says.
“Cyber intrusion has become more profitable than drugs.”
Layne Bradley, Neeley School of Business, Texas Christian University
Some large criminal groups are developing artificial intelligence through large information-technology operations they run, according to Layne Bradley, instructor of information systems and supply chain management at the Neeley School of Business at Fort Worth’s Texas Christian University. “Cyber intrusion has become more profitable than drugs,” he says.
Healthcare systems, especially smaller ones, are the easiest targets now because they offer criminals the best rewards for the least effort. But financial institutions often stand to lose the most and spend about three times as much on cybersecurity, experts say.
All industries are targets, no matter how small or how large. “Data is a new form of cash,” says Ram Dantu, a professor who directs the Center for Information and Cyber Security at the University of North Texas.
Plan Now, or Pay Later
With intrusions a constant danger, executives face pressure to be prepared for the messes that follow. “They can come with a billion-dollar price tag,” says Murat Kantarcioglu, a computer science professor who runs the data security and privacy lab at the University of Texas at Dallas.
Regulations can force public companies to disclose significant hacks, something that can hurt their stock prices, make their customers lose trust in them, and endanger executives’ jobs. Auditors are also increasing their focus on assuring companies are meeting their regulatory obligations around cybersecurity.
For these reasons, corporate executives are under pressure to show they’ve done everything possible to protect their businesses from technology intrusions. “If you don’t have a well-defined security plan that you’ve tested and enforced, you’re hanging out on a limb for responsibility for breaches,” says TCU’s Bradley.
Such plans may help reduce a company’s liability if, say, shareholders sue over a major cyber intrusion, he adds. “Executives and the board can say they did everything they could.”
That’s where insurance is supposed to come in—and where problems can crop up. Aside from helping pay for the damage intruders cause, such as hiring consultants to remove viruses from a business’ technology, insurance may pick up some of the tab for defending the company from lawsuits or regulatory claims that can ensue.
But unlike auto or home insurance, cyber insurance lacks standards, where every insurer’s policies address the same basic risks and have the same basic limits on what they cover and how much they will pay.
“Even when a cyber policy provides a particular type of coverage, the actual scope of that coverage can be restricted in many ways,” says Dallas attorney Amy Elizabeth Stewart. The problem gets thornier still for businesses that run most of their technology on other people’s computers. Policies may not cover what happens on vendors’ systems or have low limits on how much insurers will pay.
Firms that outsource their tech should check up front on how their cyber insurance works with their partners’ coverage, Stewart says. “This is critical for avoiding unpleasant surprises.”
The Good, The Bad, and The Ugly
When she served as finance chief for North Texas companies such as Stream Energy and Flowserve, Renee Hornbaker did not look forward to getting cyber insurance.
“Data is a new form of cash.”
Ram Dantu,ꃎnter for Information and Cyber Security, University of North Texas
“I found it to be costly and difficult to purchase because the application process is very onerous,” says Hornbaker, now retired but a member of multiple corporate boards.
Landing coverage against tech breaches can entail sharing a ton of information with insurers, from the basic setup of their networks and servers to their security practices. It can also run head-first into executives’ desire to avoid showing the warts of the systems they oversee.
Businesses are generally better off buying more cyber coverage when they rely heavily on technology but lack expertise in security, experts say. On the flip side, companies may need less coverage if they diligently follow good cyber-security practices.
Because people are the weak link in any security setup, companies should keep insurers informed about how they communicate safety measures to employees. This could drive down perceived risk and could lead to lower premiums.
Tremendous growth in the use of technology and growing sophistication of hackers means the cybersecurity insurance market is poised for rapid expansion. According to AT&T, more than 50 insurers now offer digital policies with net premiums totaling $2 billion. That’s less than 1 percent of property and casualty premiums that U.S. insurers wrote in 2017.
Insurers are jumping in despite the hurdles because cyber is one of the few growth areas in the insurance industry. Orbis Research, which has its U.S. headquarters in Dallas, projects the global market for cybersecurity insurance will hit $17.6 billion by 2023.
