TRENDS IN CYBER INSURANCE AND CYBERCRIMES
Expect the cybercrime landscape to constantly shift
By Ellie Feldman
One of the unique aspects and challenges of cyber liability is the rapid evolution of the risk and coverage required. Above all else, it’s vitally important to regularly check in and follow trends in cybercrime, coverage and industries affected.
With that in mind, here are seven crucial current and future cyber drivers and cybersecurity trends to know about.
Ransomware isn’t going anywhere and will probably increase.
The rise in volume and severity of ransomware attacks appears to be continuing an upward trajectory. With the proliferation of cheap and easy ransomware starter kits—yes, this is a real thing a hacker of practically any skill level can purchase in order to carry out large-scale ransomware attacks—it has never been easier for cyber criminals to attack small businesses, which often have fewer and less-sophisticated safeguards than Fortune 500 companies.
To combat the rise in ransomware, clients need to be vigilant about updating software, running regular malware checks and providing a steady stream of employee education on how to reduce the risk.
Who is actually responsible for your data in the cloud?
Cloud storage has been a dream come true for most companies, enabling them to reduce costs, increase data storage and modernize legacy technologies. Yet, from a cyber criminal’s point of view, the cloud is a giant data aggregator, or rather a single point of attack that can yield data from a host of entities they previously would have had to penetrate one by one. When more attacks become successful at targeting these data giants, who bears the burden and the cost? Is it the company that “owns” the data and pays for the service? Or is it the cloud storage provider?
The answer can be complicated and can depend on several factors. These include the contract with the cloud service provider, prevailing laws in the country where data is actually stored and the nature of the data.
For example, ownership of cloud data may depend on whether that data was first created elsewhere and then stored on the cloud, or if it was originally created on the cloud platform, subject to the terms of the contract in question. As such, the liability for that data isn’t simply transferred from one entity to another; rather, the liability expands and can encompass the cloud vendor, its customers and its customers’ customers.
Thankfully, a good cyber policy can help alleviate the confusion and concern about data ownership by defining a “computer system” to include third-party networks. Therefore, the policy will respond regardless of where the data was stored and/or stolen, providing additional benefits, such as reimbursement for lost business, business disruptions, and professional services, including legal and PR crisis management.
What about the Internet of Things (IoT) and the new wave of cyber risks?
IoT encompasses everything in your house (or business) that is connected to the Internet. Think about all the appliances and home devices connected to apps on your phone or to your WiFi. This is more than just the Amazon Echo or Google Home you got for the holidays.
Think about security alarms with video feeds, robot vacuums, refrigerators, toothbrushes that sync with your phone; those devices are all interconnected and thus exposed to hackers. What happens when one of those devices is eventually hacked? Or worse, what happens when someone figures out how to harness all those poorly secured devices to wreak havoc on others, such as through denial-of-service attacks that can cripple entire sections of the Internet?
The reason people talk about IoT so much and are watching it so closely is that, for probably the first time, security people know the risk (individual devices with bad security) but can only speculate about what form the cyber security backlash might take or how bad it might be.
There is also another aspect of the IoT that troubles cyber security experts: bodily injury and property damage. Emerging technologies such as driverless cars and robotic home appliances pose the risk of causing actual physical harm to someone or something if hacked. For example, in 2015, hackers demonstrated for journalistic purposes the ability to kill a Jeep Cherokee’s engine while WIRED reporter Andy Greenberg was driving it down the highway.
When reviewing cyber insurance policies, make sure to consider the IoT and how these convenient devices can be turned against individuals or an entire business.
Your data is out there, for better or worse.
Last year, after news of the Equifax breach broke, most individuals rightly began to assume that large amounts of their personal data had probably been compromised. That is a good assumption to make. And even if you have never used Facebook, at least 13 major national retailers have been hacked since January 2017, from Arby’s to Saks Fifth Avenue. With that much private data already circulating, it makes it that much easier for cyber criminals to attack.
Think of it this way: 10 years ago, when someone tried to get all of your private data they might have needed to collect your name, address, email, bank or credit card info, Social Security numbers, answers to security questions, passwords, or some combination thereof. Now think about how much of this data is probably already available online. The previously most-protected data point, the Social Security number, is the one that is most likely to be available.
I was recently told that my email address and various passwords were on the “dark web” at least five times. That’s five different breaches with likely different personal data about me, but all apparently linked together with my email address. How much more data would a cyber criminal need to have a lasting impact?
Therefore, maintaining cyber insurance, even when a business is arguably low tech, can be the best defense when a cyber criminal can potentially leverage your or your customers’ personal data for just about anything, at any time, anywhere in the world.
Concerns over supply chain and vendor liability are growing.
The option to use outside software or specialists, such as payment processors or HR software, to make companies run more efficiently has spawned a new form of the age-old dilemma: supply chain management. If a company relies on these outside entities to make money in any form, those vendors become a large part of the cyber risk profile of the company. The cloud vendor example mentioned above is just one piece of this larger vendor liability puzzle.
Concerns are growing over the risk to companies when it is the vendor that is the victim of a cyber breach, or it is the vendor that causes the breach itself. Contractual language and better cyber liability policies are starting to address this risk, but the concerns are valid. As the business service supply chain continues to evolve, grow and mature, these vendor relationships are becoming increasingly complicated, while also expanding the liability for both small and large cyber breaches for businesses of all sizes.
The European Union (EU) cyber enforcers are coming to North America.
New legislation called GDPR (General Data Protection Regulation) went into effect in May, and it affects any company that has digital data interaction with any EU citizen, regardless of where that company resides. The law covers how data can be shared and stored, how websites interact with data in the EU, and the right of all EU citizens to control who has personal data and what they can do with it.
There has been some speculation around how to enforce this with companies that are based in the United States, but one thing seems clear: they are going to try. The penalty for noncompliance with the major tenets of GDPR is nothing to scoff at; it can be up to 4% of annual global revenue, or €20M (over $24 million in U.S. dollars), whichever number is higher.
Elsewhere around the globe, other nations such as Canada and China have begun to implement legislation closely related to that of the European Union to protect their own citizens. Each of these will have an impact on many U.S.-based businesses, including those with an international footprint and many without one. How the United States will respond to large-scale data infractions like the Cambridge Analytica/Facebook debacle will continue to shape data protection regulations in the coming years.
A new hope: Cyber liability awareness is on the rise.
Despite the litany of emerging, growing and morphing cyber threats, there is a silver lining. Slowly but surely, business entities of all sizes are becoming savvier about information security. Once the domain of large retailers and online commerce companies, cyber risk awareness now permeates every industry, and business owners are taking notice.
Compounding the risk for businesses is the shifting view on data and privacy law. Originally, data was believed to “belong” to the company that collected it, but this philosophy is no longer so widely accepted. Data belongs to the individual it is collected from, and companies must respect that and keep it safe. They must not use it in ways that the person has not approved, and they must keep that person informed if anything happens to it.
As trusted advisors to these companies, insurance agents also must help them navigate the often confusing and dynamic world of cyber liability insurance. Agents must be on top of the cyber risks facing clients and how to best mitigate those risks. As cybersecurity issues continue to dominate the headlines, with seemingly no end in sight, if an agent is not selling cyber liability to a customer, someone else will.
The author
Ellie Feldman is managing director of Wingman Insurance, a software and insurance entity that provides a platform designed to let agents quote cyber and tech risks in under 60 seconds. This is the second in Ellie’s short series of articles on cyber-related issues.