Barbara Shecter | Financial Post
That basic yet key ingredient is all but missing in the growing business of cyber insurance, in which business is booming as the list of hacking incidents from Target to Ashley Madison grows. Add to the mix the ever-changing nature of hacks and different levels of security sophistication among companies, and the challenges mount alongside the opportunities.
“There are many unknowns,” said Nick Galletto, cyber risk services leader for the Americas at Deloitte.
Hacks such as the one that hit adultery website Ashley Madison can give an idea of the cost of the fallout of such an event. But that doesn’t come close to providing the depth of data insurers use to create and measure the underwriting standards when they sell protection against house fires, break-ins and car accidents.
Paul Schiavone, regional head of financial lines in North America at the corporate and specialty division of Allianz Group, said the global insurer is writing cyber insurance policies and is excited about the new line of business.
But he acknowledges the relative lack of data makes it difficult to know if the policies are properly calibrated to the risk when it comes to cyber insurance. “It’s difficult for the insurance industry to even price it,” Schiavone said in an interview.
Still, despite the unknowns, companies including his are anxious to be in the game.
“It’s exciting — that doesn’t happen often in insurance,” Schiavone said.
Terri Mason, who heads up Allianz’s professional indemnity and cyber risk business in Canada, said all insurance underwriting is a blend of science, based on actuarial experience, and art, based on assessing less tangible risk-worthiness. But in cyber insurance, it’s “a little bit more of an art at this point because it is so new and we don’t have that historical data that we do in other types of insurance coverage,” she said.
As a result, insurers will generally charge higher deductibles than they would for other forms of corporate insurance, to offset the risk that something unanticipated is lurking.
“I think the cyber market will … look quite different in five or 10 years,” she said, comparing it to the early days of widespread insurance for corporate directors and officers, which gained popularity a couple of decades ago. “Right now we’re all still sort of finding our way and learning as we go.”
Cyber insurance dates back to “Y2K” when it was believed the turn of the century might wreak havoc on computer systems and data storage around the world. But those who track the industry said it has grown substantially in the past couple of years along with the list of corporate and government hacks siphoning off private information to disrupt business or extract financial gain.
For now, many insurance policies primarily cover the costs of business interruption, data destruction, and extortion in cases where malware known as “ransomware” freezes workers out of their own company’s systems unless the company pays the hacker.
But coverage is expanding, with some policies now including extra protection for events such as a regulatory claim stemming from data loss or a breach of standards, according to a recent report from Allianz.
Insurers may also cover breaches related to technology belonging to a third party, but this is limited because of the potential accumulation of risk borne by the insurer, and it would only be offered after a detailed risk analysis, often conducted by a third party, the report said.
Deloitte’s Galletto said headline-making breaches at such companies as Sony, Home Depot, and JP Morgan Chase are masking a more serious and potentially more costly form of cyber attack that is just coming to light, bringing with it greater challenges for both companies and their insurers.
Known in the industry as advanced persistent threats, or APTs, these insidious breaches actually dwarf the headline-makers, Galletto said.
“Most organizations are completely unaware that APTs are present in their environments and potentially siphoning their critical data,” he said. He described the tactics as “low and slow” and therefore difficult to detect using traditional methods.
In one case, he said, a company was outbid in the late stages of a planned acquisition because an APT hack had slowly siphoned off key information to a competitor, undetected.
“The crisis management response required to investigate, contain, eradicate, and recover from an APT is significantly greater than a disruption of service or loss of equipment,” said Galletto.
“This makes it difficult for organizations and insurance companies to know how to plan ahead and how to cover costs that they could never predict.”