Cyber liability warnings bring yawns at Madison-area businesses
From the pages of In Business magazine.
Judging by the insurance industry’s spotty success in selling cyber liability insurance coverage, even the constant drumbeat of news about data breaches hasn’t motivated large numbers of businesses to protect themselves with insurance in the event their information technology networks are penetrated by increasingly sophisticated and innovative hackers.
While sales of the coverage have picked up some, there is still a bit of an “it-can’t-happen-to-me” attitude in the business community, especially among small and midsized companies. But those organizations should know that as large companies upgrade their IT networks and their software applications to avoid being Target-like targets, cyber criminals can always swim downstream.
The lack of interest surprises Rex Dachenbach, senior specialty lines technical trainer for NSI, a division of West Bend Mutual Insurance Co. “I haven’t seen a dramatic increase in the requests for cyber liability coverage, which is kind of surprising because one of the articles I’ve read says that after all the big places have been hit, and everybody has tightened up their security, guess who is next? The small guy, the one with 10,000 or fewer records,” Dachenbach stated. “He is likely to be among the next round of targets, so we are kind of surprised that there hasn’t been more of a response.”
When it comes to purchasing the coverage, there are certain vulnerable industries at the forefront. Any retail organization that does point-of-sale and credit card transactions will have exposure, and based on their agreements with credit card companies, they’re usually responsible for breaches. In addition, there is such a growing emphasis on due diligence that accountants and attorneys are advising clients to look at cyber liability coverage.
But first, they should take stock of their IT security because it will be difficult to find affordable insurance if they haven’t paid enough attention to it. “Insurance isn’t intended to be your first line of defense,” noted Keith Kaetterhenry, president of Baer Insurance Services. “In fact, most of the insurance coverages, in order to get a certain amount of coverage, they will have anywhere from a four- to a 10-page application digging into security and what you have done with your systems to make them more secure.”
Kaetterhenry suspects that cost is the number one reason businesses are reluctant to buy coverage, but he notes pricing has come down, depending on the industry and the strength of your internal IT security. Pricing is based on a number of factors, but perhaps the biggest cost driver is the volume of sensitive data a company must protect and maintain, and smaller businesses tend not to have that issue. The application process, particularly answering all of the technology-related questions about how you are protecting your system, can be daunting, particularly for small businesses that normally outsource IT work, but the top perceived barrier is cost.
At a basic level, NSI has a $50,000 limit for expense and liability, plus $50,000 for required response expenses. The policy will provide that without any unusual underwriting, unless there are any extraordinary losses.
If the organization wants a higher limit of coverage, then NSI would want to know what kind of network security they have. “All of these types of questions come into play,” Dachenbach explained. “We have a pretty good questionnaire. If your data is pretty well secured, we will offer a higher limit in those circumstances.”
At that basic level, most NSI policies with a $50,000 limit will cost around $180 a year in premiums. By the time you get up to a $1 million limit, assuming the client has excellent security, Dachenbach says the price of annual premiums would approach $1,600 a year.
Some IT professionals believe that software applications are the most vulnerable parts of corporate networks, but they tend to be the last ones to be addressed. According to Kaetterhenry, 40% of data breaches are the result of hackers sending malware, which makes downloading apps dangerous unless the app is from an approved source.
Roughly 25% of data breaches are caused by employees who either mistakenly give out enough information for a hacker to gain access or commit fraud in stealing and misusing company information. Hackers are very good at calling to get enough information to know where to hack into a system, and employers must limit access to certain areas to protect themselves against employees who decide to do something illegal.
Insurers will be interested in knowing what you’ve done to address the human element of protecting data. “The issues are culture, education, monitoring, and controlling access to make sure people are only allowed to go into what they need to, and then monitoring that,” Kaetterhenry said. “That’s particularly true in the medical industry, where there is personal information and health care information. If the controls are not in place, employees can get access to a lot of information that, if distributed, is a serious breach.”
Insurers will also expect certain businesses — health care providers and retailers — to protect sensitive client data with encryption; they will expect best practices such as not keeping entire credit card numbers; and they might insist on vulnerability testing of IT systems, especially with respect to large clients buying coverage with multimillion-dollar liability limits.
In any event, when the right internal controls are in place, the cost of insurance goes down because insurers need some level of assurance that business clients are serious about managing risk. “Again, that applies mostly to larger customers,” Kaetterhenry says. “Smaller businesses like hardware stores or very small manufacturers, they are not buying limits that are very high. They may not be required to do testing of that type on a regular basis, but for larger companies, particularly in the financial or health care sectors, there will be a requirement for them to be doing that on a regular basis.”
Since its introduction in the late 1990s, cyber liability insurance has become more varied and customizable. At first, it was primarily concerned with Internet sales and the loss of income associated with websites being shut down, but it has since evolved from more of a first-party coverage to one concerned with data breaches and the loss of personal information.
“If you look at what coverages were available years ago and compare them to today, there’s a big difference,” stated Mike Kapfer, assistant vice president of underwriting for NSI. “Cyber liability policies vary tremendously in their scope and their amount of coverage. There are more basic coverages with smaller limits to help with the notification process, legal advice, and the IT forensics. There are more complex coverages with higher limits that will help pay for the business’s own data and equipment to be recovered and repaired. As time goes on, we will see that cyber liability coverage will become broader and what insurance companies will pay will be redefined. It’s an evolving product.”
Attorney Melinda Giftos of the Madison office of Whyte Hirschboeck Dudek noted that not all companies use cloud-hosting services or store highly sensitive, personally identifiable information. However, all companies store valuable data, so a breach could pose significant liability or risk for any employer. As a result, the components of cyber liability insurance now include coverage against third-party claims, breach remediation and notification costs, computer program and data recovery, business interruption coverage, extortion coverage, and communications and media coverage.
However, the big one is the cost of remediation on a data breach. Most state laws require notification, and Congress is working on a national data security law. In addition, some state laws mandate free credit reports and require credit card companies to bear the cost of issuing new cards. Remediation costs have grown to the point where in 2014, the average claim per record was $188 for a company that lost records. “Take that times thousands of customers, and that has become a real issue,” Kaetterhenry says.
Computer program and data-recovery coverage may not cover your clients if you have their information, Giftos noted. This type of coverage can be very expensive, depending on the nature of a business, but other options include investing in secure backup systems.
Part and parcel of this is business interruption coverage. “This is key for companies that outsource primary business functions,” Giftos explained. “Business interruption damages are often classified as consequential, which is not often the reality in a security breach situation.”
Third-party technology and vendors should be audited and insured as well. In the Target breach, hackers got in through an HVAC vendor that had access to the retailer’s network — a fact that also raises the importance of monitoring any entity that has access to your system. “They must have the same amount of insurance and controls as you do because your vulnerability is dependent on their vulnerability,” Kaetterhenry stated. “It’s an interdependent system.”
If legal agreements and IT systems present a risk, premiums could be much higher, Giftos added. This is yet another reason to have solid contractual agreements with subcontractors and hosts.
Coverage related to crisis management, public relations, and communications might also pertain to online defamation and trademark infringement coverage. With websites and social media, there is a potential not only for copyright and trademark issues but online defamation as well.
Extortion occurs infrequently, but there have been instances in which disgruntled ex-employees collaborated with a hacker to place a computer worm into the system of the former employer and then offered to solve the problem more quickly if the company paid a large sum of money.
Giftos noted that the Federal Trade Commission has shown more interest in investigating security breaches to determine whether companies are adequately protecting consumers. The topic is certainly on the radar of Federal Trade Commissioner Julie Brill, who recently noted there are two kinds of companies: those that know they’ve been hacked and those that haven’t yet found out about it. If she’s correct, there is no longer a good excuse not to have cyber liability coverage.
Richard Marty of Compel Consulting, a Madison firm that helps clients prevent catastrophic data loss, said many small business owners don’t know where their data resides or how to retrieve it, let alone insure it against loss. Even if they have sensitive data, they might think they are too small or unimportant to interest hackers, but there are inexpensive solutions available that allow businesses to both secure data and ensure redundancy. Both steps, he noted, are prerequisites to insurance.
“From the insurance company, there is a checklist they go through to make sure certain things are set up in a certain way,” Marty noted. “It’s important for small businesses to understand that they need to take certain steps within firewalls, locking down the ports and backups, in order for their liability insurance to be valid.”
SWAMPing cyber crooks
Patrick Beyer is in charge of a SWAMP, but it’s actually more regal (and important) than it sounds.
As the program manager of the Software Assurance Marketplace (SWAMP), he runs an open-source program out of the Morgridge Institute for Research that just might help business organizations thwart hackers.
With most everything becoming software-centric, and with software applications increasingly viewed as the most vulnerable parts of organizational computer systems, the marketplace seeks to give software code developers a no-cost, all-in-one solution to testing their code against current assessment tools.
Secure coding will not turn software security problems into a thing of the past, but Beyer thinks they can be significantly curtailed. “No one tool will find every vulnerability at this point, and no set of tools will find all vulnerabilities, so there is always some risk inherent in there, particularly with some of the vulnerabilities that are found every day with new versions of software coming out,” he explained. “You can only test for what you know. If there is a new vulnerability that no one has thought about, it’s hard to write a tool for it.”
The marketplace, which supports four coding languages and uses 400 software apps with known vulnerabilities, was funded by a $23.4 million Department of Homeland Security grant.
During one software assessment exercise, Beyer ran through the SWAMP an open-source medical technology software package written to process magnetic resonance imaging (MRI) scans. It detected 25,800 vulnerabilities, most of which were minor inconsistencies in language; others were labeled high priority, and one could have crashed the system.
Prior to the current software focus, most of the security research has been on the infrastructure side, and it’s paying dividends as organizations have become more adept at securing infrastructure. “Direct access through IP [address] spoofing — that was the predominant thing,” Beyer recounted. “Now it’s looking for holes in software.”
Beyer noted that large corporations have in-house software-development capabilities and can afford commercial assessment tools. For smaller shops, there are not a lot of options, other than finding an open-source tool, downloading it, and configuring it yourself. Even that’s something a lot of smaller shops don’t have the money for.
Since SWAMP is an open-source project, there are no plans to spin it off into a commercial product or venture. The intent is to provide assessment tools at no cost to users. “We have a very simple premise,” Beyer stated. “We’re trying to bring a lot of tools to a lot of people for nothing.”