The public collectively cringed when several big-name businesses were hacked between 2014 and 2015: Sony Pictures, Staples, Home Depot, JPMorgan Chase, Primera Blue Cross, and others. The media pulled no punches in providing the stark reality of what a breakdown in cyber security could do. Corporate reputations and trust were on the line. Sensitive information was exposed and, as consumers, we all felt the pain. We willingly gave our credit card numbers to friendly cashiers; our social security numbers; our financials. The plain truth is that the trusted organizations caught in the crosshairs of these digital attacks underestimated just how sophisticated cyber-crime had become. The threat isn’t new: many of us might remember when TJ Maxx failed to encrypt their files in 2007, which led to a massive data hack. At least 45.7 million credit and debit card numbers were stolen.
Stories like these serve as a reminder that businesses have an obligation to pay attention to the growing cyber threat. As chains like Target and Michael’s Stores scramble to make peace with the public and reinforce digital security measures, closely-held businesses should also make the effort. If we’ve learned anything from the big data breaches in recent years, it is that risk and insurance management are critical in the fight against cyber-crime.
The Dangers of Cyber Risk on Mid-market Businesses
The media does a good job of alerting the public when a large company experiences a data breach. Ironically, the many underreported cyber hacks on small and midsize businesses are the most poignant. According to a report by Property & Casualty 360, small and middle market businesses are hit with 62% of all cyber-attacks. Phishing scams, ransomware, and other tactics take companies by surprise, as the “Wire-$30K-To-The-Nigerian-Prince” emails that were so prevalent in the early 2000s are no longer the primary tactic. Instead, email messages from seemingly legitimate senders, with familiar-looking addresses and formatting, are duping employees into clicking on harmful links. Hackers are bypassing firewalls and taking advantage of vulnerabilities left open by out-of-date anti-virus software. The largest, most concerning threat to data security is that hackers are accessing data via third-party vendors.
A stark example of this came early this year when the Securities and Exchange Commission indicted nine Ukraine-based hackers in a securities fraud scheme. Starting around February 2010, the hackers made as much as $100 million in illegal profits by conspiring to use information stolen from thousands of corporate press releases before their public release (Source: Reuters). By illegally accessing PR Newswire and other news organizations’ databases, the hackers were able to obtain stock information and take full advantage of market fluctuations.
Another example is the much-publicized Target hacking case, where 110 million customer credit card numbers were accessed by cyber criminals. Executives discovered that the initial intrusion into its systems was traced back to network credentials that were stolen from a third-party vendor: a refrigeration, heating and air conditioning subcontractor that worked at a number of Target locations and for other top retailers (Source: Krebs on Security). Who would have thought that millions of consumer credit card numbers might be exposed by way of a data hack through its HVAC company?
Security, in and of itself, is a vital piece of the data protection puzzle; a digital suit of armor that should provide a certain level of confidence when it comes to data security. But what happens when even the most diligent IT professionals within an organization get it wrong? Knowing that a data breach might occur, how can midmarket businesses tackle risk and insurance management?
With a proliferating cyber threat, insurance companies are expanding their coverage options. Jake Olcott, Vice President of Business Development at BitSight Technologies, noted that cyber insurance is the fastest growing category in the insurance industry, accounting for almost $4 billion in premiums.
But as reported by Risk & Insurance, there is no standard form in which the insurance industry as a whole underwrites cyber coverage. Most cyber policies currently in the marketplace offer some combination of traditional liability coverage protecting against claims by third parties, and first-party coverage protecting against losses suffered by the insured. But these coverages are not a one-size-fits-all solution. Insurance underwriters must determine whether insureds are putting the right security protections in place on the front end, and whether their vendors are also diligent in protecting consumer data. A “vendor,” as it relates to cyber security, refers to any third-party organization with which information is shared. Suppliers, distributors, shipping companies—even janitorial services could be considered vendors. As such, designing a policy that will address all third-party vendor cyber risks becomes difficult in the commercial markets.
It should be noted that underwriters have been proactive in figuring out how to tackle the growing third-party vendor cyber threat, mainly through surveys. “How do I know their vendors are doing a good job at cyber security? Does the insured have a Chief Information Officer? Is antivirus software installed company-wide?” The questions asked by underwriters are an attempt to gain visibility into the breadth and reach of cyber risk within an organization. It is a process that is still emerging.
Captives, however, are an established alternative risk planning strategy that has been adopted by middle market organizations around the globe. Policies written through a captive insurance company can provide broader protection from losses stemming from a variety of cyber risk exposures. Risk and insurance management is secured by tailored coverages that may be too expensive if purchased through a traditional carrier. Since cyber risk insurance is still being developed and realized across the industry, specific or “unique” cyber risks may not be covered as of yet. A captive insurance underwriter will be able to write coverages that are specifically designed for its associated operating company after a feasibility study is conducted. Captives are a more than viable option to address cyber risks right now, even as cyber-crime becomes more elaborate.
Risk and Insurance Management as the Cyber Threat Grows
The effects of a data breach can be devastating to any company, but closely-held organizations operating without the help of investors can be impacted more significantly if not properly insured.
Dmitri Alperovitch, chief technology officer of CrowdStrike, a security technology company focused on helping enterprises and governments protect their intellectual property and secrets against cyberespionage and cybercrime, noted that there is a rise in so-called “doxing.” This is a practice where stolen information is held for ransom: typically, a hacker will threaten to publish sensitive information about a particular company or individual if certain terms aren’t met. Sony Pictures experienced this type of cyber theft, when North Korean hackers (dubbed “Guardians of Peace”) threatened to publish private emails, corporate secrets, executive salary information, etc. if the company released the controversial movie “The Interview.” Ultimately, the movie was shown at movie theaters across the U.S. The information was released, resulting in a corporate shutdown of the motion picture company. For several weeks, the company resorted to “pen and paper” procedures, issuing paper checks to employees and the like. The business interruption was just the beginning; Alperovitch remarks that the damage will be felt for years to come.
Sony Pictures, a subsidiary of Sony, is a profitable company, earning $8 billion in revenue annually. The entertainment giant, despite the best security measures in place, was hit hard and unexpectedly. Middle market companies must take a cue from their bigger brothers, as the residual effects of a data breach can bring a business to its knees.
Ultimately, risk and insurance management must be at the forefront of middle market business plans. Forming a captive insurance company can mean that a loss of services, business interruption, breach of records, breach of privacy, supply chain breakdown, commercial crime, and other risks can be funded and work in tandem with any front-end security measures that have been put in place. For example, those in the financial sector may implement two-factor authentication, chip-and-pin credit cards, and participate in information sharing and analysis centers (ISACs). Implementing dynamic keywords and documenting the information shared with third-party vendors are other measures that can be taken. Shared personally identifiable information should be limited.
From the Target hack, to the IRS data breach, it is clear that data security is critical to the integrity and resilience of a business. As new regulations are passed to combat malicious hacking initiatives, businesses should also play an active role in keeping sensitive information out of the hands of criminals. With coverages written through their own captive insurance company, business owners can add another level of financial assurance and be confident that their risk and insurance management strategy is sound.
To learn more about how forming a captive can help mitigate risk and fund cyber risk coverage, please call Capstone at WEB_TEL.