Warning: Cyberinsurance Policies Have Their Own Vulnerabilities
Cyberinsurance policies are in hot demand thanks to the increasing sophistication of hackers, the mounting toll on executives and directors and regulators' dwindling patience.
Yet as banks consider new and expanded coverage against cybersecurity risks, they need to examine the fine print.
"With cyberbreaches becoming alarmingly common and increasingly severe, the demand for standalone cyberpolicies is dramatically rising," researchers for Willis Group Holdings, the world's third-largest insurance broker by revenue, wrote in their spring "Marketplace Realities" report. Data security is one of the five insurance lines for which it expects to see increases in 2015; the others are employee benefits, political risks, fidelity and kidnapping and ransom.
The cyberinsurance market has already seen a 50% year-over-year increase in applications for the first three months of 2015, according to insurer Lloyd's of London.
Most large banks carry cyberinsurance coverage, but smaller banks have felt less of a need for it until recently.
David Cox, partner with Washington law firm Kilpatrick Townsend & Stockton, says his firm's smaller bank clients have all been buying cybercoverage recently.
He gave three reasons: their insurance advisors, brokers and carriers are telling them it's necessary, with some carriers taking the position that cyberattacks are not covered under traditional policies; high-profile data breaches like those at Target and Home Depot are making them more aware of the risks; and regulators are pressing banks to put internal controls in place to deal with data breaches and to at least consider special insurance.
Deputy U.S. Treasury Secretary Sarah Bloom Raskin expressed frustration at the slow adoption among community banks in February.
"Cyberinsurance take-up rates at smaller companies [with revenue less than $1 billion] have not grown," she said. "It creates a gap between coverage of large institutions and small."
At AIG, one of the largest U.S. cyberinsurance providers, about 18% of that type of coverage is written for financial services firms. While that percentage has been steady since the 1990s, banks have been steadily increasing their coverage every year, according to Tracie Grella, head of global professional liability at AIG.
"Financial institutions and retailers recognize the risk they have from the amount of personal and confidential information they maintain," she said. "The large banks will buy the most coverage available, they're demanding the most capacity, and they're helping the market by buying that capacity."
AIG's cyberinsurance covers four major areas: liability and damages; extortion; loss of business; and incident response. That last category covers the aftermath of a cyberattack: the hiring of project consultants, lawyers and public relations firms, as well as the provision of credit monitoring.
AIG's policies would cover attorney fees, the cost of notifying customers, and credit monitoring in the event of a breach. It might also cover a class action and damages claims.
Limitations of Cyberinsurance
How much insurance companies will actually pay out on their policies in the event of a major cybersecurity incident is something of a question mark.
"Insurance companies aren't in the business of paying claims; they don't make money if all they do is pay claims," Cox observed. "They'll look with scrutiny as breaches get bigger and hit larger limits. That's good business sense."
Specific cybercoverage policies have been tested little in the courts, he noted. "At this point, we haven't yet seen one where there's been a big battle," he said.
And there is no such thing yet as standard cyberinsurance, Cox said. "It's volatile in the scope of coverage, the limits offered, and how robust the underwriting is," he said.
Cyberinsurance "is still a case of buyer beware," said Steve Durbin, managing director of the Information Security Forum, a London-based nonprofit organization that provides research and resources to banks and other companies. "You need to understand what you're buying. If you're an immature buyer, you probably need to get professional advice on it."
Durbin recently overheard a conversation between a buyer and two cyberinsurance salesmen in which the potential buyer sounded impressed. "You could imagine [the buyer] was going to go back to his board and say, 'I found the silver bullet, it's only going to cost us X million,' " Durbin said. The customer asked the salesmen if they would cover his company for hacking. "They said, 'Yes, no problem at all. Which part of the world would you like to be covered from? Is it Chinese hackers you're concerned about or Russian hackers?' " The buyer said he would get back to them.
Buying Chinese hacker insurance means the customer would have to prove to the insurance company that the attack originated in China, which is nearly impossible.
"That's an example of an insurance company saying, 'We'll give you whatever you want, but when it comes time to make the claim, there's a whole pile of small print,' " Durbin said.
AIG has no limitations of this kind, Grella said. Its standard cyber insurance policy does exclude bodily injury or property damage due to cyberattack, but the company offers a separate policy that offers that type of coverage.
Another exclusion to AIG's coverage is first-party trade secrets. "It's very difficult to underwrite that for the insurance market," Grella said. "Placing a value on that is very challenging." A third exclusion is the transfer of money. A fraudulent wire transfer made in a cyberattack would not be covered by a cyberinsurance policy. It could, however, be covered in a crime policy, she said.
In its underwriting process, AIG vets cyberinsurance customers by asking them how they use encryption, whether they practice their cybersecurity response plans, how they use security technology, how they monitor it and how prepared they are.
"We also look at the structure of the organization: who's responsible for security? Who do they have access to? How engaged is the CEO? How engaged is the board?" Grella said. "We try to get an understanding of the culture of the organization and how seriously they take cybersecurity."
AIG recently invested in K2 Intelligence, a corporate investigations firm. Through this relationship, K2 will look more deeply into customers' cyberrisk-mitigation efforts. "We'll look at what the state of play is, the plans they have in place, how they're going to respond," said Robert Brenner, executive vice president and global head of cyberdefense services for K2 Intelligence.
Durbin says it is important that insurance companies make efforts like this to understand their customers' resilience to cyberthreats.
"It isn't sufficient to say, 'Yes, they have a tick in the box for PCI DSS or ISO,'" he said in reference to two types of security standards. "You need to get under that. I'd like to see insurance companies being more rigorous in the benchmarking they do and assessment of the client."
As banks consider cyberinsurance policies, Cox recommends that they look closely at policy limits, including sub-limits as well as aggregate limits. They should also scrutinize how the policy would work for breaches that occur at third parties such as IT vendors.
And banks need to be careful to not rely too heavily on cyberinsurance, Durbin said.
He used car ownership as an analogy. "You can take out motor insurance, [but] that doesn't mean to say that you don't put fuel and oil in it, and check the tires," he said. "You still have responsibility. My concern is there are companies out there who have taken cyberinsurance policies, and are now breathing a sigh of relief: 'We don't need to invest any more in that security. If it all comes tumbling down, at least we've got this policy to save us.' "