The Truth about Commercial Cyber-Risk Insurance
January 29, 2020
Let's give credit where credit is due. Most small and midmarket businesses have gone the extra mile to ward against cyber attacks. They've hired the best of the best information technology staff to fight the business's digital battles, using cloud-based firewall weaponry to counteract malicious attacks. They've protected their proprietary information with impenetrable spyware, complete with analytic reporting—the kind of armor necessary to stand guard against sophisticated hackers.
Yet, many businesses grapple with the fact that despite their best efforts, their systems have been breached; their attempts to avoid a financial and public relations nightmare have been rendered ineffective, null, and void. Victims in the corporate sphere are coming to terms that their "protected" consumer information has been exposed and that their recovery will be no less than brutal. A ruined company reputation, money loss, and business interruption are just a sample of the typical aftermath of a cyber war gone bad.
Many of these same businesses have opted for (or at least have looked into) commercial cyber-security insurance—a proverbial lifeline that would seemingly hold the promise of a smooth rebound after a cyber attack. But there are problems associated with commercial cyber-risk insurance that should be addressed, especially by midmarket businesses with leveraged digital channels.
Here, we'll discuss the specific issues associated with the burgeoning commercial cyber-risk insurance market. We'll also highlight the ways in which a captive insurance company could help business owners mitigate cyber risk in a cost-effective and practical way.
In short, we will dispel the myth that commercial cyber coverages alone can help business owners face these immense cyber-risk exposures and help readers understand how alternative risk planning can empower them to fight their next digital battle with confidence.
The Plague of Exclusions
It is generally known that hackers are out there gaining steam, finding new ways to infiltrate our digital frameworks. Most of us try to preempt cyber attacks by leveraging security software, updating and swapping it out as cyber threats evolve.
But hackers have become smarter and more ingenious in their attempts to steal sensitive or proprietary information and dupe unknowing participants into handing over their bank account information.
The real estate industry, for example, has been reeling from cyber attackers who've been hacking into agents' email accounts.1 Hackers have been posing as Realtors and asking property buyers via email to wire funds, which include down payments and other fees, to their brokerages a day in advance.2 Property buyers who are scheduled to close on their properties believe the email they've received is legitimate. In their minds, it wouldn't be out of the ordinary for their Realtor, someone whom they've trusted for months with the purchase of their property, to ask for payment right around the time they are scheduled to close on a property.
Unfortunately, property buyers who've fallen victim to the scam have already lost thousands. The Federal Bureau of Investigation's Internet Crime Complaint Center reported 11,300 victims of real estate or rental fraud and more than $149 million in losses in 2018, as cited in "The Four Most Common Mortgage and Real Estate Scams and How To Stop Them," by Deborah Kearns, Bankrate, May 28, 2019. Real estate brokerages haven't had it any easier—they've often been left on the hook in court for damages—clients have felt that brokerages should have done a better job at securing agents' email accounts. Many Realtors who have been affected are now required to follow strict procedures set by their brokerages to prevent recurrences, such as requiring clients to sign a form stating that they understand that an agent would never ask for a payment via email at any time.
But these procedures are not enough to keep the real estate industry out of harm's way in the event of a cyber attack. Even if brokerages invest in heavyweight security software and buy commercial cyber insurance, losses may still have an impact on their operations.
Exclusions plague a business's ability to financially recover from losses, and in the volatile cyber-insurance industry, these exclusions vary from policy to policy.
In general, losses stemming from failure to install software updates or security patches, claims brought by the government such as the Office of the Attorney General, and vicarious liability for data entrusted to a third-party vendor are not covered by a conventional policy.3
Coverage limits also play a role in the inadequacy of cyber-risk insurance.
"Many of the policies, with premiums ranging from $6,000 to $37,000, limit coverage to just $1 million, which in today's world rarely comes close to covering the total expenses," stated CSO in "Cyber Insurance: Worth It, but Beware of the Exclusions," by Taylor Armerding, October 20, 2014.
A cyber-insurance policy, also referred to as cyber-risk insurance or cyber-liability insurance coverage, is designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event. As reported by technology-focused information provider CIO (Chief Information Officer) in "What Is Cyber Insurance and Why You Need It," by Kim Lindros and Ed Tittel, May 4, 2016, there is no standard for underwriting cyber-insurance policies. Additionally, cyber risks frequently change, and organizations do not always report breaches' full impact because they do not want the negative publicity and loss of customers' trust, the CIO article explained. Therefore, there is limited data for underwriters to determine the attacks' financial impact, CIO reported.
This fact, coupled with gaps in coverage, cannot adequately address all possible cyber risks. It is why a supplemental risk management strategy, such as forming a captive, is crucial to midmarket businesses in their effort to mitigate risks. A captive insurance company can provide broader, more comprehensive coverages and prefund losses. Under the 831(b) tax election, financial benefits can also be leveraged, such as dividends, secured loans from the captive to the operating company, and a 0 percent federal income tax on the captive's underwriting profits.
Getting over the Sticker Shock of Cyber Liability
The cyber insurance world is continually transforming, and there's a high level of variability regarding what coverages are available to businesses. Coverage depends on the industry, the severity of risk (determined by an underwriter), whether or not the integration of mechanical tools and the Internet is leveraged (referred to as the "Internet of Things"), how large a business is, and other factors. In general, this variability has given commercial cyber-risk providers license to charge high prices for cyber-risk coverage.
One client running food and fuel retail stores said he was quoted $1mm deductible, $1mm in limits, and $1mm in premium costs by a major provider—exorbitant numbers by most insurance standards. Given: the client runs a large company having high exposure. However, the $3mm grand total was a shot in the dark, as no one knows what the actual exposure was going to be. In general, insurance providers can be conservative in their pricing or, as mentioned in this case, can overshoot.
This ambiguity is also demonstrated by a story out of Mountain View, California: cyber-security company Tanium is alleged to have possibly exposed a customer hospital's sensitive data for 3 years by giving live product demonstrations using its customer's internal network.4
The hospital, El Camino Hospital, claims that it never gave Tanium permission to use its network for product demonstrations of Tanium's network security software.5 The 443-bed hospital6 said no patient information was breached during the demonstrations Tanium performed from 2012 to 2015. They started 2 years after the software was first installed.7, 8
The hospital could have been exposed to a hack; videos from the product demonstrations showed server and computer names, employee information, and the hospital's security weaknesses.9 Finally, in 2017, Tanium admitted to using the hospital data.10
Bottom line, cyber-risk insurance is essentially a catch-22—coverage is absolutely necessary, but the sticker shock and policy exclusions may give midmarket business owners pause.
Supplemental cyber-risk insurance by way of a captive is a cost-effective way to counteract coverage limitations. Captive coverages fill gaps in coverage, plus, the total cost of insurance is lower. Captive coverages are, in fact, a value-add, whereby more cyber-related risks can be addressed.
Fighting Back with Captive Insurance
Although most businesses have done their due diligence in the fight against cyber attacks, loss events do happen. Forming a captive insurance company can help business owners up the ante and take their risk management program to the next level. Coverages through a captive can address losses stemming from identity theft, reputational risk, lawsuits, business interruption, and more. It's the proverbial armor necessary to combat cyber threats. To enter the fight in any other way could mean defeat.
- Source: Realtor phone interview.
- "Realtors: Beware of Cyber Scams Targeting Home Buyers," by Nancy Sarnoff, Houston Chronicle, September 19, 2018.
- "Cyber Insurance: Worth It, but Beware of the Exclusions," by Taylor Armerding, CSO, October 20, 2014.
- "Tanium CEO Admits Using Real Hospital Data in Sales Demos," by Sean Gallagher, Ars Technica, April 20, 2017.
- Ibid.
- "Facts & Information," El Camino Health website.
- "Tanium CEO Admits Using Real Hospital Data in Sales Demos," by Sean Gallagher, Ars Technica, April 20, 2017.
- "Cybersecurity Startup Tanium Exposed California Hospital's Network in Demos without Permission," by Rolfe Winkler, The Wall Street Journal, April 19, 2017.
- "Tanium CEO Admits Using Real Hospital Data in Sales Demos," by Sean Gallagher, Ars Technica, April 20, 2017.
- Ibid.
January 29, 2020