Cyber Insurance: Should You Get It?
You have probably noticed the gradual increase in the number of ads over the past two years selling “cyber insurance,” or insurance that covers a hack. The market for this kind of insurance has been growing.
According to a 2017 Deloitte report on cyber insurance, the market is currently $1.5 to $3 billion in the United States and will grow to over $20 billion by 2025. In our opinion, that estimate is conservative and the real figure should be higher, given the growth in the number and size of breaches we have been seeing.
In a May 2017 survey from the Council of Insurance Agents and Brokers, only 32% of US businesses had some type of cyber insurance. Many of those do not have full coverage.
As a courtesy to our customers, we are going to briefly discuss the current state of cyber insurance and provide some data and a few anecdotes to help you make a decision on whether to purchase coverage. I have included sources at the end of this post.
Wordfence and our team do not sell cyber insurance. This report is informational and is provided as a courtesy to our customers.
Cyber Insurance Overview
Cyber insurance is a relatively new market, and it is challenging for both customers and for insurers.
The challenge for insurers is that they do not have much historical data they can use to price risk. In addition, they face the problem that cyber attacks keep evolving. There is also a risk that insurers will have to pay out for a large number of breaches simultaneously. Insurers may have difficulty understanding what to cover in a highly technical and rapidly evolving field.
Buyers of insurance, who are mostly non-technical, may have trouble understanding risks and their insurance options. Buyers may also find that the risks associated with a cyber breach cover a wide range of policy types. Policies lack standardization, and most countries lack a body of legal precedent to help predict outcomes when there is a dispute.
Some of the kinds of loss a company may experience during a cyber breach are:
- Direct monetary loss through electronic theft.
- Losses due to extortion from DDoS blackmail or ransomware.
- Costs of mitigating and investigating the incident.
- Losses due to downtime.
- Losses from damage to data and systems, and the costs associated with restoring systems back to normal.
- Costs of remediation, including the cost to improve security and prevent a similar breach going forward.
- The cost of customer breach notification, including legal costs and public relations.
- Expenses of customer compensation, including credit monitoring, service-level agreement penalties, refunds and contractual breaches.
- Costs of liability associated with the breach, including legal costs.
Policies to cover such diverse risks are complex, which presents a challenge to insurers who have trouble pricing the risk, and a challenge to consumers who could have trouble understanding the coverage.
Cyber Insurance Policies Don’t Always Pay
The past few years have seen several high-profile examples of cyber insurers refusing to pay out, and the issue has usually ended up in court.
Insurer Does Not Cover BitPay’s Theft of $1.8M in BitCoin
Bitcoin payment processor BitPay had purchased cyber insurance from Massachusetts Bay Insurance Company (MBIC). In December 2014, they were hacked when an attacker spearphished their Chief Financial Officer.
The attacker used the hacked email account to spoof emails to the CEO and tricked BitPay into transferring 5000 bitcoins into the attacker's wallet. The bitcoins were worth $1,850,000, and they were transferred in three separate transactions over two days.
MBIC did not pay out on BitPay’s cyber insurance policy, so BitPay sued MBIC. In court documents, MBIC claimed:
The Policy requires that the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises. “Direct” means without any intervening step i.e. without any intruding or diverting factor. The Computer Fraud Insuring Agreement is only triggered by situations where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer of Money to an outside person or place. The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into Bitpay’s computer system fraudulently causing a transfer of Money. Instead, the computer system of David Bailey, Bitpay’s business partner, was compromised resulting in fictitious emails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured.
The dispute was settled in May of last year, two years later. The terms were not disclosed.
Cyber Breach Costs P.F. Chang’s $1.9 Million in Assessments. Insurer Doesn’t Pay.
In 2014, Federal Insurance Company, a division of Chubb, sold a policy to P.F. Chang’s parent company that they said was “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology dependent world.”
In June 2014, hackers stole 60,000 customer credit card numbers from P.F. Chang’s point-of-sale system and posted them on the Internet.
Federal paid P.F. Chang’s more than $1.7 million for losses associated with the breach. They did not pay out on an additional $1.9 million in fees and assessments imposed by MasterCard.
P.F. Chang’s sued Federal to recover the assessment charges. They lost – and are currently appealing that ruling.
Should You Buy Cyber Insurance?
Cyber insurance is a new product for the insurance industry in a field that is rapidly evolving. It presents unique challenges for buyers and insurers.
As a small company, your best approach is to avoid a breach in the first place. That means investing in systems that secure your applications and networks, and investing in people and services to support those systems.
For example, if you use WordPress as a publishing platform, investing in a firewall like Wordfence Premium can dramatically reduce the risk of a breach. You can also have our team perform a security audit on all your WordPress installations to further reduce risk.
If you are a small business with a low budget, cyber breach insurance may not be for you at this time, because it may simply be too complex or expensive. As the industry matures, products will become more reasonably priced as insurers can price risk better.
If you are considering cyber insurance, we recommend the following:
- Use a reputable insurer who has been in the cyber insurance industry for several years. The industry is new, so a history of three to five years may be enough. If your insurer entered the market within the past few months, you may be helping them iron out bugs in their product.
- Gain a clear understanding of exactly what the insurance policy covers. For reference, check the list of possible breach costs earlier in this post.
- Chat with your insurer and talk through breach scenarios with them to clearly understand what is covered and what is not. Make sure your insurance contract agrees with the answers you get from your insurer.
- Check if your insurer has any history of not paying claims. Search Google News.
- Review your cyber insurance policy every six months. Make sure you still have the coverage you need and that your organization has not rolled out new technology that is not covered.
- During your semi-annual review, make sure new attack types are covered by your policy.
- Ensure that you are fully aware of your obligations. Your insurer will require that you implement policies, procedures and technologies to remain covered. If you do not comply with these contractual obligations, you will no longer be covered. Ensure you are in compliance.
Conclusion and Sources
While this post is not directly related to WordPress security, I wanted to share our thoughts on cyber insurance because it is an emerging field that our small business customers will want to keep abreast of.
I used several sources for this post. They were:
- Demystifying cyber insurance coverage, by Sam Friedman and Adam Thomas, Deloitte.
- The Pitfalls of Cyber Insurance, Dark Reading.
- Health system’s data breach insurance claims get challenged, Healthcare IT News.
- Cyber insurance rejects claim after BitPay lost $1.8 million in phishing attack, CSO Online.
- P.F. Chang’s Cyber Insurance Decision, Arent Fox.
As always, we welcome you to share your thoughts and experiences regarding cyber insurance in the comments below.
Mark Maunder – Wordfence Founder/CEO
Comments
9:15 am
I have seen cyber insurance be essential to a business not going under after a security incident. As for the 2 examples listed here, we do not have all the facts as to why they did not pay. It could be the insurance limit was met, or additional expenses were not covered under that policy. Some policies exclude costs that are not preapproved, some exclude ransom demand amounts, and I can understand the insurance carrier not paying for the MBC case, as their system was not hacked, but rather personnel did not double check a transaction and willingly handed over the money. This is why two-factor authentication is important, and that any transaction involving money should be double checked prior to handing over money. When dealing with the changing world of cyber crime, cyber insurance can keep a business from going under when they have the proper policy and security procedures already in place.
12:29 pm
The good news is that cyber cover is evolving. The common thread in all these claims is the policy conditions that resulted in denials can now be negotiated out of current forms.
PF Chang's involved a contractual exclusion no longer found in well designed cyber cover.
MBIC policy issue was partly due to sloppy brokering since the crime insurance and cyber must be synchronized. Coverage improvements in cyber forms should prevent such future denials.
Cottage Healthcare v CNA is a result of a policy condition regarding minimum cyber security maintenance. Cyber policies in the current market should not contain such conditions.
1:29 pm
There is a lot of misinformation in the Cyber Insurance space. As an example, the Cottage Health System claim was declined because the coverage was purchased from a carrier that had at the time an inferior coverage and a broker or brokers that did not do their job or it was a client that would not listen. At the time that was placed no good Cyber Insurance expert was placing Cyber coverage with CNA, and that is still the case as they had exclusionary language in their policy that was not standard or reasonable in the market.
Same issue with P.F. Chang’s and the old Chubb policy – that coverage was available at a higher premium, but they did not purchase it from the right insurance carrier. Generally, today most policies will have full limits for PCI claims – yet I see companies buy cheap policies with a very low sub-limit and if they have a breach, they will be the next one in the news pointing the finger at the carrier or their broker.
It is the same issue with a Phishing attack that was not covered. This coverage is available, but it can be expensive. I don’t know if the coverage was offered and declined due to cost or a thought that they did not have this exposure or if the carrier they went with did not offer that coverage at the time. Massachusetts Bay Insurance Company is part of Hanover – they are not a Cyber Insurance company. They do write D&O and Crime – they purchased a Crime policy. Over the last 20 years the coverage in a crime policy for theft of funds only applied to involuntary parting of funds as part of the “Fund Transfer Fraud” – and a social engineering / deception / phishing attack is a voluntary parting of funds where you are tricked into giving your money away. This is a newer coverage that may be added to a crime policy from some carriers or purchased as part of a cyber policy from other carriers.
At the end of the day Cyber is evolving in exposures and coverages, but coverage for these types of events has been available, but was not purchased for one reason or another. When these claims are covered they don’t make the news as it is expected, but when a claim is not covered it tends to get highlighted. At the end of the day if you find an expert in this area you can get the coverage you should have, but you need to be willing to pay for it – as the adage goes – you get what you pay for.