Cyber insurance grows amid troubles abroad


Last year, vital information from 76 million households and 7 million small businesses was hacked from JPMorgan & Chase, the North Koreans allegedly breached Sony Pictures, and reported cyber attacks against Target, Neiman Marcus, Coca Cola, Home Depot and other companies cost banks an estimated $1 billion in damages.

In fact, the number of international cyber security incidents climbed 48 percent in 2014 to an estimated 42.8 million annually, according to a recent report by PricewaterhouseCoopers LLP.

“It’s a dragnet, and any company can be swooped into that dragnet based upon the protocol and profile set up by the attacker,” said Doug DePeppe, a partner with Aspire IP Law Group. “It’s evident that everybody is at risk.”

New product: Internet protection

As the threat of attacks spreads through the commercial world, many companies are considering a breed of insurance coverage designed to mitigate the costly, image-wrecking damage perpetrated by cyber terrorists.

The protection — often billed as cyber liability insurance coverage — is designed to protect companies large and small against the loss of sensitive data, digital assets and their reputations that often occurs in the event of business interruption, network damage or a data breach.

“It’s a matter of when, not if,” said Jill Webb, vice president of CB Insurance in Colorado Springs.

Cyber coverage is being billed as a way to fill the gap between the inability to predict and prevent attacks and the need to protect sensitive data.

Depending on the needs of the company, protection can be tailored to cover privacy breaches, cyber extortion, the loss of data and even a damaged corporate image (although no company is 100-percent covered, according to Webb).

Protection is offered by many large insurance carriers through local brokerage firms including CB Insurance, a Central Bancorp affiliate in downtown Colorado Springs. The brokerages act as middlemen between clients and carriers such as Philadelphia and Travelers.

Since demand for coverage began to swell with the growing threat, all Webb’s client conversations include a discussion on the topic and over half those companies opt to buy protection, she said.

“Now we can share real-life examples, because it has happened and does happen right here in Colorado Springs,” she said. “It’s becoming a lot more real to them. They’re seeing it happen to their friends, their neighbors and the businesses next door.”

Protection against cyber crime is unlike traditional coverage, DePeppe said, because in this case companies are planning for an outright assault.

“It’s not like a fire risk. There are adversaries on the other side,” he said. “It’s more like kidnapping and ransom insurance.”

What companies are paying for is essentially damage control and cleanup. In the event of a breach, insurance could cover costs related to customer notification, credit monitoring and public relations services.

“It’s a different kind of risk than with your typical general liability coverage,” DePeppe said.


“It’s evident that everybody is at risk.”

–Doug DePeppe

[/pullquote]During the application process, carriers analyze and assess companies to determine risks, the most common of which Webb said are related to notification costs — companies are required by state law to inform customers in case of a significant breach — as well as standard safety practices such as firewall usage, employee education and other simple security measures. For this reason, many clients who purchase coverage claim just purchasing it has increased their odds against a major attack.

A February report by Ponemon Institute, an organization that tracks trends associated with cyber security, showed 62 percent of its respondents found their companies better prepared to deal with attacks after they purchased cyber coverage, but only a third of companies are investing in the protection.

“I don’t think that a lot of companies know they’re not covered,” DePeppe said.

DePeppe, who specializes in public-private partnerships and reducing the risk of cyber threats, said cyber security is something that is not covered by traditional insurance coverage.

“There are a lot of different types of risk when we talk about cyber security,” DePeppe said. “Typically, if they think they are covered for a variety of cyber risks, they’re most often not, unless they have separate insurance coverage specifically for those risks.”

Rates are based partially on the company’s loss history, the industry in which they operate and their required coverage. The increasing frequency of attacks is making it harder to attain protection because of increased risk.

“We’re seeing the insurability criteria heightened, and the ability to get insurance has become more challenging,” DePeppe said. “If you as a company don’t have certain goals related to cyber-security practices in place, you very well may not obtain insurance for it.”

The Betterley Report, which polled 27 of the world’s leading insurance carriers, indicated that the industries which invest the most in cyber security protocols — information technology, finance and health care — are also the most regulated, and are common in the Pikes Peak region.

“This area, because of exposure to industries that are highly regulated — for instance, defense contracting, health care, energy — those sectors have a lot of compliance requirements that are driving their attention to cyber security,” DePeppe said. “There possibly is a recognition of the risk, given the types of sectors we tend to be in.”

Small business sector a target

Aside from health care and finance, the small business sector has also become a target because independently owned firms “just don’t have those controls in place,” Webb said.

The federal government is now asking that companies be forthcoming in an attempt to further understand, predict and prevent cyber warfare against the private sector.

The U.S. Department of Defense announced Feb. 11 the creation of a new Cyber Threat Intelligence Center designed to “fill these gaps, analyzing and integrating information already collected under existing authorities, and is intended to enable centers that already perform cyber functions to do their jobs more effectively,” according to a DoD news release.

President Obama’s budget has also committed $14 billion to “protect critical infrastructure, government networks and other systems,” according to the release.

Similar to the DoD’s counterterrorism protocols, the feds have said feedback will enable them to react faster and more effectively in response to major attacks — and, ideally, bring down those responsible.

A few days after the Center’s creation, the 2015 Cyber Threat Sharing Act (Senate Bill 456), with language aimed at increasing the flow of attack information between federal employees and the private sector, was submitted to Congress.

These have been seen as steps toward standardizing the response protocol in case of attacks and ensuring an effective method of reporting, despite privacy concerns that could lead to damaged company reputations.

“We’re probably ahead of most cities our size in terms of education and getting prepared,” Webb said. “It’s not going away, in fact it will only increase.”