In the beginning……….
The emergence of the Internet as a business platform at the end of the nineties also announced the arrival of new risks to organizations. In those early days there was a widely held belief that the primary concern was operational, amid worries about the impact of a computer virus or the actions of a “hacker”, a new term to many of us at that time. In the US and London commercial insurance markets, despite the lack of actuarial data, a few underwriters started to devise solutions to indemnify business interruption losses and the costs of restoring compromised data. Commonly known as “Hacker Insurance”, its first buyers were large US banks, but it was never popular. Buyers saw the process as too intrusive and expensive, because insurers demanded onsite security audits as part of underwriting.
On July 1st 2003 everything changed when California’s SB 1386, the world’s first data breach notification law, took effect. Industry had started to understand that the Internet would revolutionize the way it could store and use data, in particular personal information about its customers. However, governments and regulators also started to appreciate that this new opportunity was open to significant abuse and, as the majority of US states enacted their own data breach notification laws, the risk evolved into a privacy issue.
Over the next 10 years insurers responded by developing solutions to cover the risks of handling customer, employee and patient personal information, whether from unauthorized disclosure or from a violation of privacy. Today it is estimated that total gross written premium exceeds $1 billion, with $350 million in total capacity. However, the threat is changing, and for many organizations the risk is moving back to where it started: operational. We are coming full circle, but this time it is different. Why?
Stuxnet and all that……
Many people will by now have heard of the Stuxnet worm. Widely regarded as the world’s first cyber weapon, it came to light in 2010 that a sophisticated attack had damaged Iranian nuclear centrifuges. Significantly, this was evidence that a cyber attack could now cause physical damage. Stuxnet, perhaps unsurprisingly, has stolen the limelight, but in many respects it has had a negative effect on boards’ understanding of the risk they face. There is no doubt that education and awareness are factors, but many organizations simply viewed Stuxnet as a one-off event with little or no relevance to their own security program.
However, the operational risks of a cyber attack today causing physical damage, business interruption and bodily injury could not be more real. According to Mandiant, a FireEye company, 95 percent of Advanced Persistent Threat (APT) intrusions begin with spear phishing: typically an individual opens the attachment, or follows the link, in an email from someone they believe to be a trusted third party. That is enough for the perpetrator to install malware on the victim’s machine and have it connect out to a command and control server. That’s all it takes. Once in, the perpetrator moves laterally across the network looking for what he or she wants.
The advent of APTs is raising significant questions about the whole approach to enterprise cyber security. Many CIOs and CISOs have built a defense-in-depth strategy around the perimeter: a firewall, intrusion detection systems, anti-virus software, encryption and so on. However, attackers increasingly use “zero days”, previously unknown vulnerabilities for which no patch or signature yet exists, so signature-based defenses such as anti-virus and intrusion detection cannot recognize the initial compromise. What remains detectable is what the intruder does next: the malware’s regular check-ins with its command and control server and the lateral movement that follows look much the same whether the way in was a zero day or a long-unpatched flaw.
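As an added example (not from the original article, and not code from Mandiant or FireEye), here is a small signature-free check for command and control beaconing, run over constructed web-proxy log lines. The hostnames, addresses and timestamps are made up, and the one-minute cadence stands in for a real implant’s check-in interval. Nothing in it depends on knowing the malware; it keys only on the regularity of outbound connections from one host to one destination.

```python
# Added example: behavioural detection of C2 beaconing in proxy logs.
# The malware's hash and the destination address are unknown; the tell is
# the near-constant interval between outbound connections from one host.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "timestamp source destination".
# "app-srv-07" imitates an implant checking in roughly every 60 seconds;
# "ws-042" is a user browsing normally (irregular timing, few repeats).
SAMPLE_LOG = """\
2014-06-02T09:00:00 app-srv-07 203.0.113.25
2014-06-02T09:00:05 ws-042 news.example.com
2014-06-02T09:01:00 app-srv-07 203.0.113.25
2014-06-02T09:01:47 ws-042 mail.example.com
2014-06-02T09:02:01 app-srv-07 203.0.113.25
2014-06-02T09:02:30 ws-042 news.example.com
2014-06-02T09:03:00 app-srv-07 203.0.113.25
2014-06-02T09:03:12 ws-042 cdn.example.net
2014-06-02T09:04:00 app-srv-07 203.0.113.25
2014-06-02T09:04:55 ws-042 news.example.com
2014-06-02T09:05:01 app-srv-07 203.0.113.25
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return {(src, dst): mean_interval_seconds} for host/destination pairs
    whose inter-connection intervals are nearly constant, i.e. whose
    coefficient of variation (stdev / mean) is at most max_jitter.
    Pairs with fewer than min_connections events are ignored."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every {interval:.0f}s")
```

Real implants deliberately add jitter and sleep for hours between check-ins, so `min_connections` and `max_jitter` are tuning knobs to be set against a day or more of proxy logs rather than a dozen lines; the point is that the check works without any prior knowledge of the malware.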
It is APTs, not Stuxnet, that should concern organizations. They have also started to concern governments worldwide. Commercial espionage and data security and privacy capture many headlines, but sabotage, particularly of critical infrastructure industries, is now a serious threat. Enterprises in the energy, transportation, financial, healthcare and manufacturing industries, among others, face the biggest operational risk challenges from a cyber attack. Some of these industries are particularly vulnerable because they rely on operational technology such as SCADA systems that are increasingly connected to corporate IT networks, so a compromised office workstation can become a path to the control systems.
The NIST Cyber Security Framework……
Government concern has not translated into legislation forcing industry to improve its resilience and security posture. In the US, President Obama issued Executive Order 13636 in 2013, tasking the National Institute of Standards and Technology (NIST) with developing a voluntary cyber security framework. The insurance industry has reacted very positively, seeing a partnership emerging with government to start to address previously uninsurable risks. The industry was a key stakeholder in the creation of the framework and is now working with the Department of Homeland Security on its implementation. Other countries are looking to follow a similar approach to the US. The UK government recently announced its Cyber Essentials scheme, focused more on smaller businesses than on critical infrastructure industries.
Although the framework is voluntary, many legal commentators feel that it will increase the exposure of boardrooms: a benchmark now exists that shareholders could point to in the event of a major cyber attack. In addition, and perhaps without realizing it, by directly engaging the insurance industry the government has done industry as a whole a great favor. Insurers are being forced to confront questions about risks and coverage that had not previously been asked, and they are starting to receive some uncomfortable answers.
Am I insured?
Specialist insurance policies to address data breaches and privacy violations are well understood. It is also widely acknowledged that insurers have yet to work out how to address the theft of corporate intellectual property through a cyber attack.
However, and particularly in the context of attacks on critical infrastructure industries, there is a great deal of ambiguity around losses involving physical damage, bodily injury or business interruption. Don’t my property or commercial general liability policies address this? At best the answer is maybe. Some policies specifically exclude cyber attacks, some provide limited coverage, and others are silent. Considering the nature of the threat and the potential impact on the organization, silence can no longer be acceptable and affirmative language is a must.
The good news is that the industry is already starting to respond. Two insurers to date have announced a “Difference in Conditions” (DIC) approach, overlaying the gaps that exist in the property and GL forms. Another has launched a terrorism policy that also addresses cyber attacks. This is all positive, but it is just the start. Insuring the risks is one thing; building out enough capacity to make the coverage worth buying is just as important.
Over the coming months and years insurers will start to work more closely with both government and the security industry. Just as enterprises are starting to mature their security approach beyond defense in depth toward an intelligence-led strategy, so insurers will partner with security firms to adapt their underwriting approach on the same basis. Understanding who is trying to attack you and what they want provides the vital intelligence that informed decision makers, including the board of directors, need.