Hacking blitz drives cyberinsurance demand

Powered by SC Magazine
 

Corporates take cover for data breach liabilities.

The recent string of sensational hacker attacks is driving companies to seek "cyberinsurance" worth hundreds of millions of dollars, even though many policies can still leave them exposed to claims.

Companies are having to enhance not just their information technology practices but also their human resources and employee training functions just to get adequate coverage against intrusion -- and in some cases, they are also accepting deductibles in the tens of millions of dollars.

Insurers and insurance brokers say demand is soaring, as companies try to protect themselves against civil suits and the potential for fines by governments and regulators, but also as they seek help paying for mundane costs like "sorry letters" to customers.

"When you have a catastrophic type of data breach then yes ... the phones ring off the hook," said Kevin Kalinich, co-national managing director of the professional risk group at insurance broker Aon.

In the past few weeks, the US Senate, the International Monetary Fund, defense contractor Lockheed Martin, banking concern Citigroup, technology giant Google and consumer electronics group Sony are among those who have disclosed hacker attacks of various kinds.

In the days after Sony disclosed it had more than 100 million customer accounts compromised, the company said its insurance would help cover the costs of fixing its systems and providing identity theft services to account holders.

That helped drum up business for the still-growing segment of the industry, and the demand has only intensified since a more recent breach at Citigroup, which security experts said was the largest direct attack on a US bank to date.

Some insurers say this is the moment the industry has been waiting for as the tide of bad news becomes so overwhelming that customers have no choice but to seek coverage. On Tuesday, Travelers became the latest insurer to launch a package of policies covering various fraud and expense liabilities.

Aon's Kalinich said fewer than five percent of data breaches lead to costs of more than US$20 million, and yet more and more companies are seeking to be insured for that and more to protect themselves against the shifting risk.

Large customers are going to extremes, taking out coverage for data breach liabilities of as much as US$200 million, while also taking US$25 million deductibles to keep their premiums down.

 

Good risk

As with any kind of insurance, data breach policies carry all sorts of exclusions that put the onus on the company.

Some, for example, exclude coverage for any incident that involves an unencrypted laptop. In other cases, insurers say, coverage can be voided if regular software updates are not downloaded or if employees do not change their passwords periodically.

"Insurers are all looking for good risks, whether it is a fire insurance company that wants a building that is sprinklered and doesn't have oily rags laying around - this is the equivalent in the IT area. They want good systems, they want good protection, they want good risk," said Don Glazier, a principal at Integro Insurance Brokers in Chicago.

Given that the average data breach cost US$7.2 million last year, according to a March study from the Ponemon Institute, hundreds of millions of dollars of cover may seem extreme. But with the scale and scope of hacking attacks growing daily, some companies can not be cautious enough.

Of course, the risk they face is a moving target, both for them and for the insurance companies. After 10 years of writing policies, industry experts say a consensus is building on what "cyberinsurance" covers.

Generally, such policies now cover third-party liability, like suits filed by customers whose accounts have been hacked; direct costs like notification letters sent to affected customers; and, increasingly, fines and penalties associated with data breaches.

What is missing from the equation, however, is standards. Insurers can try to standardize the risk from hacking attacks, but cyberinsurance is still not auto insurance, where carriers can make their customers wear seat belts as a condition of a policy.

"One day the industry will actually be so robust that ... we'll have the leverage to actually create standards," said Tracey Vispoli, a senior vice president at insurer Chubb. "We're not there yet but that to me is a win to the industry."

 

Consumer burden

Consumers are increasingly finding themselves less protected and more liable as well. Courts are siding with vendors and not their customers in some cases when it comes to the misuse of data.

In late May, a US magistrate judge in Maine recommended the district court throw out a lawsuit filed against a bank by one of its customers, a construction company.

The customer had suffered a series of unauthorized withdrawals from its account after some employees' computers were infected with a virus that captured their banking information. The company sued the bank on the grounds that the bank's systems should have caught the clearly unusual pattern.

Lawyers who litigate cyberrisk say in the current environment, many companies are only looking out for themselves, not for their customers or suppliers.

"Most companies are looking more for first party (coverage), they're worried more about their own systems," said Richard Bortnick, an attorney with Cozen O'Connor and the publisher of the digital law blog CyberInquirer.

"Not all companies deem it necessary to provide notification of a cyberbreach or incident for reasons of reputation and other marketing-related bases," he said.

(Reporting by Ben Berkowitz, Editing by Martin Howell)


Hacking blitz drives cyberinsurance demand
 
 
 
Top Stories
Frugality as a service: the Amazon story
Behind the scenes, Amazon Web Services is one lean machine.
 
Negotiating with the cloud email megavendors
[Blog post] Lessons from Woolworths’ mammoth migration.
 
Qld govt to move up to 149k staff onto Office 365
Australia's largest deployment, outside of the universities.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...

Latest VideosSee all videos »

The great data centre opportunity on Australia's doorstep
The great data centre opportunity on Australia's doorstep
Scott Noteboom, CEO of LitBit speaking at The Australian Data Centre Strategy Summit 2014 in the Gold Coast, Queensland, Australia. http://bit.ly/1qpxVfV Scott Noteboom is a data centre engineer who led builds for Apple and Yahoo in the earliest days of the cloud, and who now eyes Asia as the next big opportunity. Read more: http://www.itnews.com.au/News/372482,how-do-we-serve-three-billion-new-internet-users.aspx#ixzz2yNLmMG5C
Interview: Karl Maftoum, CIO, ACMA
Interview: Karl Maftoum, CIO, ACMA
To COTS or not to COTS? iTnews asks Karl Maftoum, CIO of the ACMA, at the CIO Strategy Summit.
Susan Sly: What is the Role of the CIO?
Susan Sly: What is the Role of the CIO?
AEMO chief information officer Susan Sly calls for more collaboration among Australia's technology leaders at the CIO Strategy Summit.
Meet the 2014 Finance CIO of the Year
Meet the 2014 Finance CIO of the Year
Credit Union Australia's David Gee awarded Finance CIO of the Year at the iTnews Benchmark Awards.
Meet the 2014 Retail CIO of the Year
Meet the 2014 Retail CIO of the Year
Damon Rees named Retail CIO of the Year at the iTnews Benchmark Awards for his work at Woolworths.
Robyn Elliott named the 2014 Utilities CIO of the Year
Robyn Elliott named the 2014 Utilities CIO of the Year
Acting Foxtel CIO David Marks accepts an iTnews Benchmark Award on behalf of Robyn Elliott.
Meet the 2014 Industrial CIO of the Year
Meet the 2014 Industrial CIO of the Year
Sanjay Mehta named Industrial CIO of the Year at the iTnews Benchmark Awards for his work at ConocoPhillips.
Meet the 2014 Healthcare CIO of the Year
Meet the 2014 Healthcare CIO of the Year
Greg Wells named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at NSW Health.
Meet the 2014 Education CIO of the Year
Meet the 2014 Education CIO of the Year
William Confalonieri named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at Deakin University.
Meet the 2014 Government CIO of the Year
Meet the 2014 Government CIO of the Year
David Johnson named Government CIO of the Year at the iTnews Benchmark Awards for his work at the Queensland Police Service.
Q and A: Coalition Broadband Policy
Q and A: Coalition Broadband Policy
Malcolm Turnbull and Tony Abbott discuss the Coalition's broadband policy with the press.
AFP scalps hacker 'leader' inside Australia's IT ranks.
AFP scalps hacker 'leader' inside Australia's IT ranks.
The Australian Federal Police have arrested a Sydney-based IT security professional for hacking a government website.
NBN Petition Delivered To Turnbull's Office
NBN Petition Delivered To Turnbull's Office
UTS CIO: IT teams of the future
UTS CIO: IT teams of the future
UTS CIO Chrissy Burns talks data.
New UTS Building: the IT within
New UTS Building: the IT within
The IT behind tomorrow's universities.
iTnews' NBN Panel
iTnews' NBN Panel
Is your enterprise NBN-ready?
Introducing iTnews Labs
Introducing iTnews Labs
See a timelapse of the iTnews labs being unboxed, set up and switched on! iTnews will produce independent testing of the latest enterprise software to hit the market after installing a purpose-built test lab in Sydney. Watch the installation of two DL380p servers, two HP StoreVirtual 4330 storage arrays and two HP ProCurve 2920 switches.
The True Cost of BYOD
The True Cost of BYOD
iTnews' Brett Winterford gives attendees of the first 'Touch Tomorrow' event in Brisbane a brief look at his research into enterprise mobility. What are the use cases and how can they be quantified? What price should you expect to pay for securing mobile access to corporate applications? What's coming around the corner?
Ghost clouds
Ghost clouds
ACMA chair Chris Chapman says there is uncertainty over whether certain classes of cloud service providers are caught by regulations.
Was the Snowden leak inevitable?
Was the Snowden leak inevitable?
Privacy experts David Vaile (UNSW Cyberspace Law and Policy Centre) and Craig Scroggie (CEO, NextDC) claim they were not surprised by the Snowden leaks about the NSA's PRISM program.
Latest Comments
Polls
Which bank is most likely to suffer an RBS-style meltdown?





   |   View results
ANZ
  21%
 
Bankwest
  9%
 
CommBank
  11%
 
National Australia Bank
  17%
 
Suncorp
  24%
 
Westpac
  19%
TOTAL VOTES: 1445

Vote