Immaturity & Moral Hazard in the Cyber Insurance Market


Kevin Sesock

10/1/2019

Reprinted from ISSA Journal, Volume 17, Issue 10, October 2019. Featured cover article.

Abstract

Cyber insurance is an insurance market growing in size, complexity, and price at a time when cyber threats cause fear, uncertainty, and doubt throughout the market, among legislators and cybersecurity advocates, and in the news media. Only recently have high-profile breach claims, such as those of Target and 21st Century Oncology, fully developed, so that an understanding of the costs and benefits of cyber insurance, including reputational damage and the risk of bankruptcy, is beginning to come into focus. At this time, because of the lack of maturity in the cyber insurance market and the presence of moral hazard, most organizations, and especially small and medium businesses that lack any kind of cybersecurity maturity, should not invest in cyberliability or cyber insurance, and should instead apply those resources to improving their cyber risk mitigation and avoidance techniques.

Keywords: Cyberliability, moral hazard, cyber insurance

Introduction

Relatively new to the world of insurance is cyber insurance, sometimes called cyberliability insurance. These policies are designed to transfer risk from the insured to the insurance company in the form of monetary compensation for the company and its customers in the event of various forms of data breach. Despite the perceived usefulness of such a policy type, and primarily due to lack of maturity in the cyberinsurance market, but also due to the interconnectedness of all insureds, cyber liability insurance policies remain an unsound investment for most organizations in most markets.

Current Events

While cyber breaches are becoming so frequent in the news that they barely register with most individuals these days, the details surrounding cyber insurance are usually relegated to footnotes or addressed in detail only in larger stories. Case in point: noted security researcher Brian Krebs recently reported on The National Bank of Blacksburg’s breach, which started in May 2016, most likely by Russian hackers intent on siphoning money out of the bank by socially engineering employees and gaining access to bank patrons’ account details. After the losses took place, the insurer, Everest National Insurance Company, denied the claim, and the bank subsequently filed suit against Everest. The dispute now working its way through the court system stems from the insured and the insurer disagreeing on root versus proximate cause, and from the lack of complete and helpful case law in such matters. Krebs also takes care to castigate the insurance industry’s lack of standardization in policies, which makes purchasing a policy extremely complex for most businesses (Krebs, 2018).

Similarly, while the Target Corporation data breach of 2013 is by now old news, it has taken many years for the costs borne by Target, as well as by Target’s cyber insurers, to be fully realized and the final price tag to be tallied. The current newsworthiness of this hack stems more from the final price tag than from any technical details of the attack itself, as those details are well known and by 2019 have been discussed endlessly by security researchers. Regarding the ultimate costs, the final settlements were still entering the news as late as mid-2017, and as of 2018 Target has all but ceased using the word “breach” in its annual financial statements and SEC filings. Ultimately, Target Corporation’s direct costs reached approximately $200M, with an additional $92M in costs borne by Target’s various cyber insurers.

In addition to the constant barrage of new breaches, and slow trickle of details regarding old breaches, government regulation continues to evolve in response to the threats. As small businesses are a “sacred cow” in American politics, special care has been paid to not just educating, protecting, and supporting American small businesses from cyber-threats, but also in assisting small businesses with the complexities of cyber-insurance. 

All told, a number of small, medium, and large businesses are coming to understand more clearly their threat landscape and how their cyber insurance may (or may not) protect them, while experts continue to persuade and motivate organizations of all sizes toward ongoing investment in and improvement of cyber insurance.

History of Cyber Insurance

In 1998, the first dedicated computer-crime insurance policy was made available by the International Computer Security Association as part of its TruSecure service offering. Since then, a growing number of insurance providers have added technology-focused insurance products to their portfolios, referred to mostly under the banner of cyberliability insurance policies (Marotta, Martinelli, Nanni, Orlando, & Yautsiukhin, 2017, p. 38). These products differ from traditional insurance products in a number of important ways and are specially crafted to address insureds’ exposures in the areas of breach response, cyber extortion and ransomware, network unavailability and system downtime due to intentional attack or accidental infection, intellectual property violation, and insider threat. The cyberliability market is exceedingly young. Compared with the casualty insurance market, particularly the London syndicates whose history dates back to 1686, cyberliability insurance has a small, immature, and most notably untested body of policy language, legal case law, and State and federal regulation, and it faces rapidly maturing technology that outpaces policy and legal change; cyberliability and other technology-based insurance is therefore in for a volatile and uncertain future (Marotta, Martinelli, Nanni, Orlando, & Yautsiukhin, 2017, p. 54).

Comparison of Cyber Insurance with other Property & Casualty Policies

Cyber insurance policies are unique in the insurance space: unlike other property and casualty policies, products from differing carriers may not be directly comparable and may lack easily definable policy language or coverage types. In fact, due to the immaturity of the market, carriers differentiate themselves not just on value, trust, stability, or name recognition, as in less volatile markets such as residential property, but are also free to compete on unique or more broadly offered coverage features, endorsements, sublimits, or value-added services. The primary difference in coverage, however, is that, unlike basic general liability, umbrella, and other commercial policies, cyber insurance policies often blend first-party coverage (protecting the insured) with third-party coverage (to stave off lawsuits for tortfeasance from parties the insured does business with). As an example, many policies cover first-party damages arising from social engineering and phishing attacks, resembling the fraud and theft coverages normally associated with property policies.

Often, the primary coverage “tower” for cyberliability insurers providing coverage primarily to corporate customers is third-party liability coverage related to data breach (Romanosky, Ablon, Kuehn, & Jones, 2017, p. 2).  Virus and hacking attacks include business interruption coverage, plus coverages that include restoration of service, software and system consulting services, and data recovery services. In some instances, insurers will intercede on the behalf of an insured that has been attacked by encrypting ransomware and will actually pay the ransom requested by the attacker.

Inclusion of copyright and intellectual property claims on an insured’s website is also a common coverage type, resembling separate Errors & Omissions policies or endorsements. These elements tend to focus on website trademark and copyright infringement, however, and are primarily geared towards protecting the insured against spurious or offensive lawsuits designed for SLAPP, proactive trademark defense, or accidental or de minimis copyright violation as might occur on an improperly managed corporate blog or viral marketing social media page.

Some policies offer protection from fines from industry groups and the government (PCI and HIPAA, most notably), and all have unique claims processes, relying heavily on breach response teams and frequently utilizing claims-made reporting requirements, as opposed to occurrence-based policies.

Finally, some policies offer additional sublimits, such as business income recovery for downtime, reputational damage, and value-add services such as cyber risk management training, loss control and prevention services, and educational and awareness services for insureds.

Market Status

Cyber-insurance policy sales are one of the smaller sectors of the insurance market, yet the most rapidly growing (Kshetri, 2018, p. 1). Customers, primarily in the U.S., are taking up cyber insurance policies at an accelerating rate, driven mainly by State-level breach notification laws, with EMEA countries also experiencing growth, albeit at a slower pace than U.S.-based insureds (Hiscox, 2017, p. 21). Meanwhile, on the supplier side, carriers are offering products with expanding coverage sublimit categories, while pricing, availability, and market differentiation vary wildly across markets, customers, and firm sizes (OECD, 2017, p. 70).

Cyber Risk Management and Risk Transfer

This market forms a small but growing niche for insurers and an important protection mechanism for insureds that practice diligent risk management practices with deliberate decision making regarding their cyber-security posture. Utilizing ISO 31000 terminology, and in the parlance of Enterprise Risk Managers, cyber-insurance falls firmly within the “risk transfer” method of risk management and is often the last step in a risk management process before risk acceptance. The idea that some residual risk is transferred to an insurer allows insureds to focus on directly manageable risk. This picture of cyber risk for an enterprise assumes an almost idyllic view of technology risk management in a highly mature, advanced organization with more than adequate cybersecurity funding and staffing, Governing-Board level insight into cyber-risk, forward-thinking, strategic-minded staff, and a healthy culture of risk management.

However, cyberinsurance is not a panacea and the real world is rarely so optimal. With cyber being a new insurance market, it has rapidly shifted and evolved, and shows every indication of continuing to evolve more rapidly than consumers are prepared for, but not nearly as quickly as the threat landscape does. As new threats emerge, insurers scramble to address these new threats and remain competitive in an extremely dynamic market, by offering new products, sublimits, and more value-added solutions (such as risk prevention tools, training, and support), in a lag behind the emerging threats.

Analysis

One of the primary issues to contemplate, not just in cyber insurance but in all insurance, is the concern known as moral hazard. Moral hazard is the tendency of an insurance customer to relax their own risk management posture and become complacent about their risk, or even to increase their risk somewhat consciously, because they no longer have to face the full consequences of their actions, having transferred some of that risk to an insurer; in effect, they overcorrect in the face of the investment required to purchase the policy. Examples of moral hazard include a school-age child failing to work hard on a school project because they know their parents will help them, or even do the project for them entirely. An insurance-related example: if one has comprehensive coverage on their vehicle, they may be more willing to park it outside during a hail storm or neglect to lock the doors. Moral hazard stems from information asymmetry: the insurer (or the teacher, in the first example) believes you are going to take the necessary steps to protect your investment (or your grades), whereas you have less incentive to do so since you have been separated from the consequences of your actions. Insurance companies often try to compensate for this by requiring that a claimant pay a share of the claim, called a deductible, and of course have other tools to reduce moral hazard, such as the threat of raising premiums or even denying coverage, for certain types of insurance, to insureds with a poor loss history.

Cyber Insurance Moral Hazard

Cyber insurance is not immune from the threat of moral hazard. According to Schwartz and Sastry, the very act of purchasing cyber insurance decreases the overall cybersecurity not just of the insureds purchasing the insurance but, because of the interdependent nature of the Internet, of all nodes on the network as a whole, as those with insurance will decrease security for those that are properly protected (Schwartz & Sastry, 2014, p. 145). Schwartz and Sastry, in their models, used virus and malware infections, and the decrease in overall cybersecurity for the Internet as a whole is indeed similar to a loss of herd immunity in populations with enough individuals who eschew vaccinations for moral or religious reasons.

Schwartz and Sastry are also able to game theoretically model the results of cyber insurance in large interdependent networks (such as the Internet) where individual nodes that are breached can infect others. They specifically study the effects of the presence of cyber insurance contracts and conclude that, contrary to popular opinion, the presence of cyber insurance cannot, on its own, be used to improve network security, and is only useful as a tool for risk management (specifically, as noted above, risk transfer).

Similarly, Yang and Lui used game-theoretic modeling to analyze security investment among disparate insureds of varying sizes, and demonstrate that while a competitive market can potentially encourage better network security among individual insureds, this holds only in the absence of moral hazard. This mathematically implies that the degradation in overall security for all members of a network stems ultimately from moral hazard (Yang & Lui, 2013) and not from other network or policy effects.

Solutions to Moral Hazard in Cyber Insurance

Pal and Hui were able to model reward and penalty systems in a compulsory insurance market with monopolistic insurers, where all insureds are risk-averse and willing to invest in self-defense. In this model, the researchers demonstrated that with the appropriate reward and fine calculations, the overall security of the network could increase. Note that their model is highly theoretical and exists only under an idealized compulsory insurance market: meaning that, similar to personal automobile liability insurance, those who wish to be connected to the Internet are required by law to purchase cyber liability insurance. No such market exists within the United States today, and it is difficult to imagine laws passing that would require organizations and small businesses to carry expensive and complicated cyber insurance, when one considers the lack of support behind even such highly populist bills as Khalili, Naghizadeh, and Liu analyzed a more realistic model, built on the premise that in the presence of a single insurer, and even without compulsory insurance, pre-screening and custom-designing insurance for the best-risk insureds would eventually improve security conditions for all players. However, this was only in the presence of perfect information, essentially cutting off the root cause of moral hazard by eliminating the insurer’s information asymmetry problem (Khalili, Naghizadeh, & Liu, 2018). Realistically, however, this is somewhat achievable and is already practiced by insurers performing underwriting by reviewing policy applications that may function as basic-level cybersecurity audits.

The Case for Small & Medium Business Cyber Insurance

Proponents of cyber insurance continue to encourage organizations to jump on the cyber-insurance bandwagon, and there has been renewed focus on the impacts of unprotected systems and lack of proper cyber insurance on small and medium businesses. Zaleski highlights particularly concerning statistics about the impacts of cybersecurity breaches on small businesses, with particular attention to showcasing the benefits of Senate bill 770 from the 115th Congress, the NIST Small Business Cybersecurity Act (alternatively titled the MAIN STREET Cybersecurity Act). The MAIN STREET Cybersecurity Act is intended to help small and medium businesses by directing the National Institute of Standards and Technology to pay close attention to guidance and awareness targeted toward small and medium businesses (Zaleski, 2017). Zaleski repeats a claim that the National Cyber Security Alliance (NCSA) found that 60% of small firms go out of business within 6 months after a breach.

The Better Business Bureau found through self-reported surveys that 37% of all hacked small businesses lost money, with respondents reporting average losses of over $79,000 and median losses of $2,000 (Fanelli, Pessanha, Gwiazdowski, Chng-Castor, & Auger, 2017, p. 16). Interestingly, the disparity between the average and the median indicates large outliers in this report’s data, and indeed, as this is self-reported survey data, the losses may be misleading toward the high end. The report indicates that a large breach of nearly $1M may have skewed the data. Median reported losses in the $2,000 range are consistent with payouts for the most common type of non- or semi-targeted attacks usually associated with broad campaigns of phishing (and lower-level spearphishing), ransomware infections, and other relatively untargeted or less sophisticated, less persistent threats.

Cost Benefit of Cyber Insurance

No discussion of cyber insurance is complete without understanding the premium cost to the insured, versus the coverage. The costs associated with cyber insurance premiums are dependent on the coverage selected for the insured, which essentially is defined by the amount of data the insured has, and ultimately the size of the insured itself. Typically, an insurer will rate the risk for an insured based on two primary factors. First, the impact of a loss, such as the number of PII records the insured retains multiplied by the average cost of each record, usually estimated by data type (health, financial, and credit related data being higher-value than basic contact information). Secondly, the likelihood of a loss, usually determined by a light cybersecurity, network, and controls review, details typically collected via a high-level underwriting questionnaire.

According to the OECD, prices vary wildly and depend heavily on the insurer, deductibles, size of the organization, market segment, and coverage limits. High-risk markets such as health care are not just seeing increasing premiums due to continuously increasing coverage limits, but also a decrease in supply from insurers due to high-profile breaches, resulting in insurers ending cyber insurance products, decreasing maximum available coverage, and outright refusing to cover certain risks (OECD, 2017, p. 70). In addition to these challenges, the costs themselves vary wildly, with several reports indicating that $1M in coverage can cost between $5K and $50K per year depending on the size of the customer. These premiums “… for the same amount of coverage [are] three times more expensive than general liability coverage and six times more expensive than property coverage” (OECD, p. 71). In addition, the OECD concludes that “… the cost per million of cyber liability insurance has increased by over 200% since Q1 2012 relative to a 17% decline in US commercial property and casualty pricing” (OECD, 2017, p. 71).
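The two rating factors described above (impact as records multiplied by a per-record cost that depends on data type, and likelihood from the underwriting review) and the claim mechanics discussed later for Target (a self-insured retention that the insured pays first, then a policy limit that caps what the carrier pays) can be put together into a simple premium-versus-expected-recovery screen. The following is an added example, not code from the article or from any insurer; the per-record costs, the record inventory, the $10K retention, and the breach probabilities are all constructed assumptions, and the $25K premium for a $1M limit is chosen to sit inside the $5K-$50K range quoted above.

```python
"""Premium-versus-expected-recovery screen for a cyber policy.

Added illustration, not part of the original article. It encodes the two
rating factors the article describes (impact = PII records x cost per record
by data type; likelihood from the underwriting review) and the claim
mechanics it describes (self-insured retention, then policy limit).
Every dollar figure, probability and premium below is a constructed assumption.
"""
from dataclasses import dataclass

# Constructed cost-per-record assumptions (USD). The article only ranks
# health/financial/credit data above basic contact data; these values are
# illustrative, not industry figures.
COST_PER_RECORD = {
    "contact": 50.0,
    "financial": 150.0,
    "health": 400.0,
}


@dataclass(frozen=True)
class Policy:
    """Policy terms in the form the article describes for Target's tower."""
    premium: float      # annual premium paid by the insured
    retention: float    # self-insured retention (SIR): insured pays this first
    limit: float        # maximum the carrier pays per event


def single_loss_expectancy(records_by_type: dict) -> float:
    """Impact factor: sum over data types of record count x cost per record.

    Raises on an unknown data type so a typo in the inventory cannot
    silently rate a record class at zero.
    """
    total = 0.0
    for data_type, count in records_by_type.items():
        if data_type not in COST_PER_RECORD:
            raise ValueError(f"no cost assumption for data type {data_type!r}")
        total += count * COST_PER_RECORD[data_type]
    return total


def insurance_recovery(loss: float, policy: Policy) -> float:
    """Carrier's payment on one event: loss above the SIR, capped at the limit."""
    return min(policy.limit, max(0.0, loss - policy.retention))


def expected_net_benefit(records_by_type: dict, annual_probability: float,
                         policy: Policy) -> float:
    """Expected annual recovery minus premium (positive means transfer pays)."""
    sle = single_loss_expectancy(records_by_type)
    return annual_probability * insurance_recovery(sle, policy) - policy.premium


def breakeven_probability(records_by_type: dict, policy: Policy) -> float:
    """Annual breach probability at which premium equals expected recovery."""
    recovery = insurance_recovery(single_loss_expectancy(records_by_type), policy)
    if recovery == 0.0:
        return float("inf")  # loss never clears the SIR: no likelihood justifies the premium
    return policy.premium / recovery


if __name__ == "__main__":
    # Constructed inventory for a small clinic-style business.
    inventory = {"contact": 10_000, "financial": 2_000, "health": 500}
    # $1M limit at a $25K premium (inside the article's $5K-$50K range);
    # the $10K retention is a constructed assumption.
    policy = Policy(premium=25_000.0, retention=10_000.0, limit=1_000_000.0)
    sle = single_loss_expectancy(inventory)
    print("single loss expectancy:", sle)
    print("recovery on that loss:", insurance_recovery(sle, policy))
    for p in (0.01, 0.05):
        print(f"p={p}: expected net benefit", expected_net_benefit(inventory, p, policy))
    print("break-even probability:", breakeven_probability(inventory, policy))
```

With the constructed inventory the single loss expectancy is exactly $1M, of which $990K is recoverable after the retention. Whether the $25K premium is worth paying then turns entirely on the annual breach probability: at 1% the expected benefit is negative, at 5% it is positive, and the break-even sits near 2.5%. That likelihood is exactly the factor the article says insurers estimate from a light questionnaire, which is why a buyer that has not done its own risk assessment cannot tell which side of break-even it is on.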


Large Market-Cap Corporate Breaches and Historical Precedent for Cyber Insurance

It’s clear from large-scale breaches of Fortune 500 and Fortune 1000 insureds that cyber-liability insurance has protected shareholders from massive breaches in past years, as these organizations have been caught unprepared to manage their entire risk portfolio. Obviously, Target Stores’ 2013 breach is an excellent example of this and sets a high-water mark for the highest-profile, largest corporate entity to date to suffer such an attack. While the attack itself is old news at this point and has been studied in depth, the most pertinent item for this review is the Target Stores claims development, which has taken the intervening years to be fully realized, with the ultimate costs to the various insurers and to Target itself (through its own self-insured retention, deductibles, and limits) only recently painting a complete picture.

As per Table 1, and based on publicly available settlement agreements, SEC statements, and other news, Target’s direct costs for the breach have reached a total of approximately $296.9M. Target had a total of $100M in Cyber-insurance (with a $10M Self-Insured Retention) spread out over multiple insurers, and $65M in Directors and Officers insurance coverage, allowing Target to recover $92M in their breach costs according to their own SEC filings. This brings the net total to Target’s bottom line, and ultimately, their shareholders, to just over $200M. What is not clear from these numbers is the calculations Target’s staff conducted to plan for risk transfer and analyze the cost versus benefit of the annual cyber insurance premiums versus the coverage limits that could have reduced Target’s own costs. These calculations coupled with the other controls that would have mitigated, avoided, and reduced their risks could have painted a much different financial picture for Target if plans were properly implemented ahead of time. Therefore, the ultimate lesson after 5 years from the Target breach is the disparity between the following figures: (1) the initial rhetorical cost estimate, (2) the ultimate cost of the breach itself before insurance recoveries, and (3) the disparity between the cost of the breach and the limits of coverage the insured had paid for. 

Ultimately, in the largest, most complex events for the larger insureds, it will take several years for this complete picture to form. For small and medium sized businesses, breach response and recovery, notification, and finally claims development, may be complete and put to rest in mere weeks. With the frequency of breach notifications going to customers reaching a deafening crescendo, customers may overall be ignoring or tuning out all but the largest, highest-profile breaches, and small business insureds likely only need concern themselves with the most basic of recovery activities, such as notification, credit monitoring, and recovery activities. In other words, reputational damage, including lost sales that are not the direct result of business interruption or inability to conduct business may simply not be as major of a threat as described in the rhetoric. While this is not ideal and continues to promote complacency amongst customers, insureds, and insurers, it also illustrates a feedback loop within the moral hazard itself: human nature will continue to promote ignoring prevention of future events without immediate incentive to individuals. 

Government Intervention

Most recently, the United States House of Representatives Committee on Small Business held a formal hearing with 4 experts in several fields, including the President of an IT infrastructure/MSP firm also representing the Small Business Association, an SVP from Zurich Insurance also representing the American Insurance Association, a VP from Munich Re also representing the Reinsurance Association of America, and a Principal from a risk advisory services firm. The witnesses answered questions and submitted prepared statements to Congresspersons on the committee largely in support of H.R. 3170, the Small Business Development Center Cyber Training Act of 2017, which passed the House but stalled in the Senate in the second session of the 115th Congress. The witnesses coalesced around the need to better support small and medium businesses’ access to affordable and well-standardized cyber insurance under the Small Business Development Centers’ (SBDCs’) mission to encourage small business growth across the country. There was a great deal of discussion regarding the complexity and cost of procuring policies for SMBs, along with the need for risk analysis and risk management in these organizations, something SMBs will find difficult due to their size, staffing, and lack of expertise or even awareness in both risk management and cybersecurity. Some of the written statements include insights and facts on a few aspects of the slow adoption of cyber insurance and specific concerns regarding SMBs, first-party coverage, and the cost and complexity of application and underwriting.

Ultimately, despite the many gushing words of praise for the witnesses and proponents on both sides of the aisle, a much softer and less expensive bill advanced by the Senate, S.770, titled the NIST Small Business Cybersecurity Act (and alternatively titled the Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology, or MAIN STREET, Cybersecurity Act of 2017), was signed by the President and became law in August 2018. This law requires the National Institute of Standards and Technology to provide information and standards focused on small businesses, but offers no guidance or support regarding cyber insurance and is instead geared only toward simplifying NIST standards.

Finally, Luis Aguilar, former U.S. SEC Commissioner, recently penned a position paper weighing in on cyber insurance for small and medium-sized businesses, summarizing his research into the need for additional cybersecurity support for the small and medium business community. Specifically, Mr. Aguilar supports the notion that SMBs are a growing target for cybercriminals and calls for policy-makers to adopt policies that will encourage cyber insurers to provide solutions designed specifically to help SMBs (Aguilar, 2015).

Erosion of Business Value and Failure in the Aftermath of a Breach

As stated in 2.3, some policies offer coverage for reputational damage or lost sales. This coverage extends beyond business interruption and is intended to fill the gap while a business works to repair its corporate image and address the loss of customers (Romanosky, Ablon, Kuehn, & Jones, 2017, p. 13). Some policies even provide public relations services as part of breach response, often tied in with corporate communication, call center, and notification services (Romanosky, Ablon, Kuehn, & Jones, 2017, p. 11). According to Ranking Member Nydia Velazquez (D – N.Y.) of the U.S. House of Representatives Committee on Small Business, in a July 26, 2017 hearing, “Small businesses that lose customer information when their security is breached suffer significant costs financially and in the loss of customer trust” (Congress. House. Committee on Small Business, 2017, p. 3).

To return to the Target example for a moment, and other than direct costs, then, what of Target’s reputational damage, resulting in lost sales, opportunity costs, and lowered share price? Target did post a 46% decline in sales for the same quarter one year after their breach, and a 10% drop in their share price, but their share price rebounded in February and by 2018 their fourth quarter revenue had risen above pre-breach levels.

Clearly Target’s share price, lost business, and reputational losses and those of a small business are not comparing apples to apples. However, Drinkwater questions the threat of reputational cost and loss of sales and believes the threats to be hype (Drinkwater, 2016). Likewise, Mason demonstrates through analysis of publicly available stock prices that for large-cap enterprises involved in high-profile breaches (Target, Home Depot, and Sony, to name a few), the stock price drop due to the breach is negligible and recovers quickly (Mason, 2016).

Resolution

Through this analysis, it has become clear that cyber insurance, much like all insurance, has its place for certain organizations that practice diligent and deliberate risk management and knowingly transfer some residual risk while in the process of properly protecting themselves. However, the vast majority of organizations, and especially small and medium businesses with more limited resources, may find themselves at a crossroads on whether to invest in cybersecurity improvements or to pay a cyber-insurance premium. In these cases, and in the absence of a number of factors, purchasing cyber insurance does little to improve an individual organization’s cybersecurity posture, and does even more harm to society writ large.

Benefits even without risk transfer

An organization that carefully and continuously considers and plans for its own risk is by definition engaging in enterprise risk management. Meland et al. drew the conclusion that “…even for organizations that did not end up buying an insurance, there were still positive effects from the consideration process, since it brought attention and awareness of cyber security to the management level and across the organization” (Meland, Tøndel, Moe, & Seehusen, 2017, p. 99). This presents an interesting quandary with respect to organizations that are not mature enough to go through the consideration process: insurance customers that do not understand cyber risk well fall into one of two camps, those that purchase cyber insurance out of fear, and those that are blissfully unaware of cyber risk in the first place. In both cases, becoming more aware of their own organization’s risk profile will only serve to mature their risk management posture and allow the organization to better mitigate and avoid risk rather than transfer it, except as a stop-gap measure. Table 2 illustrates a possible categorization and descriptions of the types of customers in each camp, along a simple spectrum of risk management maturity, who either choose to purchase cyber insurance or choose not to.

Debunking the Small Business Impacts

While a smattering of business failures purporting to be either proximally or directly attributable to breaches are able to be located, the statistic of 60%, six months after a breach is directly refuted by the National Cyber Security Alliance themselves on their own website, and a legitimate source for this claim cannot be located (Beffa, 2017).

The scare tactics aimed at small and medium business owners and managers are especially bad among other players in the market with an extreme profit motive, notably cybersecurity-focused IT managed services providers and other packaged insurance and cybersecurity management firms, not just insurers. Unsourced statistics citing bankruptcy and business failure rates for companies experiencing a breach are designed to lead business owners to believe that their business will almost certainly be insolvent within months of a breach, but are often completely without actual research or data. 21st Century Oncology, which suffered a data breach of 2.2M patients’ personal health records in 2015 and filed for Chapter 11 bankruptcy protection in 2017, can be found cited as an example of data breaches causing business deterioration and failure (Dobran, 2017). One should note, however, that 21st Century Oncology, in its own Chapter 11 bankruptcy filings, states a host of other causes for the filing, including changing political factors, declining revenue per treatment, and changing insurance reimbursement rates. The company has experienced other legal problems unrelated to its 2015 data breach, including allegations that it billed government medical programs unnecessarily, leading to a $55M out-of-court settlement. In sum, for those selling cybersecurity services to conclude that 21st Century Oncology is the poster child for data breach bankruptcy risk is specious, at best.

Even then, the type or market of the business may contribute to greater risk; the healthcare market in particular, with its higher cost and risk per record and its unique threats, laws, and regulations, may present an increased impetus for cyber insurance. It is once again noted, though, that health care data protection proponents never stray from the recommendation that the purchase of cyber insurance be undertaken within the structure of a much larger and deliberate risk management culture (American Health Consultants, 2018).

21st Century Oncology also had cyber insurance through Beazley, and as part of the bankruptcy, a settlement was reached with the breach plaintiffs, which allowed some of the policy coverage details to be revealed. 21st Century, at the time of the settlement, had $4.2M of coverage remaining, including $2.4M for the regulatory sublimit (covering fines and settlements with regulatory compliance agencies such as HHS), all through Beazley Specialty Products. With $773K of cyber-specific claims outstanding at the time of the filing plus outstanding regulatory settlements of no more than $2.5M, 21st Century Oncology was able to absorb its breach expenses using its cyber insurance policy (In Re: 21st Century Oncology Holdings, Inc., et al., Debtors, 2017, p. 10; In re: Target Corporation Customer Data Security Breach Litigation, 2015). This puts 21st Century in the “Stop Gappers” category and demonstrates that while its cyber insurance was sufficient for its needs at the time of this specific breach, a rather large, critical breach (along with several other unfortunate business decisions) was still allowed to happen.

Claims Adjusting and the Made Whole Doctrine

Even if the insurer were to pay out in the event of a breach (which is clearly not guaranteed, as in the case of Krebs’s analysis of the National Bank of Blacksburg), this only takes the insured back to the point where it is made whole; it does not improve the insured’s cybersecurity standing, address its vulnerabilities, or prevent future attacks. Incidentally, while the National Bank of Blacksburg believed it was purchasing insurance that would make it whole, the dispute highlights the pitfalls within cyber insurance and places the National Bank of Blacksburg somewhere between Fearfully Unaware and Uninformed and Unable.

In any third-party liability claim, the insurer’s responsibility is to the third-party claimant, and extends only to the limit of making the third party whole again. Even in the case of first-party coverage, the insurer is responsible, up to the limits of the policy, only for returning the insured to the point it was at prior to the breach. In none of these cases will the insured’s cybersecurity posture be improved by a breach, except in the very limited sense that awareness of the risks and the immediacy of the problem may be increased within management.

Large Cap Insurance Bottom-Line Impact

To return one last time to the finalized Target data breach costs, clearly $200M in direct costs, plus noticeable yet temporary drops in both sales and shareholder value, are measurable detriments to a company’s bottom line, but these impacts have not significantly weakened Target or caused massive damage to the corporation, and clearly did not rise to the $1B in costs originally predicted by some financial analysts (Webb, 2014). While it is clear that Target’s breach was partially self-inflicted due to poor internal controls, inadequate cybersecurity monitoring, and a lack of appropriate risk management, it is also worth questioning whether these weakened postures were due to an illusion of safety created by the presence of a cyber-liability insurance policy.

While there is no evidence to say that this occurred in this specific case, moral hazard makes it clear that purchasing insurance is no replacement for proper risk management, and it is clear in hindsight, in this case, that the amount of risk that was actually transferred was not the amount of residual risk Target was actually retaining. Taking all of this into account, and considering the lack of long-term damage to reputation, share price, and sales, coupled with the ultimate direct cost of the Target claim, $200M spread out over several years for the world’s third-largest retailer with approximately $75B in annual sales, the overall bottom-line impact of cyber insurance on a large-cap enterprise in the event of a claim is relatively negligible.

Cost-Benefit Analysis

With prices of cyber insurance fluctuating wildly, exorbitant compared to other insurance products, and difficult to estimate based on specific needs, customer size, market, and cybersecurity standing, customers, especially smaller, less well-funded companies and organizations, face an increasingly simple choice about where to invest limited cybersecurity funds. With average breach claim payouts being lower for small and medium businesses, and the cost of mitigation and avoidance efforts already being steep, small and medium businesses in particular should avoid the increasing cost of cyber insurance and instead invest in basic cybersecurity tools, such as modern firewalls, end-user training, and anti-virus, and in cybersecurity professional services such as audits, configuration assistance, and monitoring.

Conclusion and the Future

To summarize, Hord Tipton, the former executive director of the ISC2 organization, has spoken out directly against cyber insurance and refused to procure cyber insurance for the ISC2 during his tenure, noting in one article that “A company should not let complacency set in just because they are insured” (Pratt, 2012, p. 25). This sentiment is borne out not only by the lack of data supporting the purchase and implementation of cyber insurance in today’s market, but also by the risks associated with each organization’s interconnectedness.

While a number of factors could change these recommendations in coming years, such as laws causing major sea changes in the market (a shift to a compulsory insurance market, or cost caps or financial assistance for firms of a certain size), cyber insurance is still too immature and complex to offer protection to society and the Internet writ large. In the vast majority of cases, the money that would normally be spent on cyber insurance should instead be invested in mitigating and avoiding cyber risk, especially in the absence of a robust risk management culture. Only an organization with a mature or maturing risk management culture should consider risk transfer to an insurer an option, and even then it should be carefully considered and used almost as a last resort.

References

  • Abrams, R. (2017, May 23). Target to Pay $18.5 Million to 47 States in Security Breach Settlement. Retrieved April 14, 2019, from The New York Times: https://www.nytimes.com/2017/05/23/business/target-security-breach-settlement.html

  • Aguilar, L. (2015, October). The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses. Cyber Security Review, pp. 41-48.

  • American Health Consultants. (2018, December). Cyberinsurance now a necessity, but choose coverage wisely. Healthcare Risk Management, 40(12).

  • Beffa, J. (2017, May 8). National Cyber Security Alliance Statement Regarding Incorrect Small Business Statistic. Retrieved March 03, 2019, from Stay Safe Online, Powered by the National Cyber Security Alliance: https://staysafeonline.org/press-release/national-cyber-security-alliance-statement-regarding-incorrect-small-business-statistic/

  • Congress. House. Committee on Small Business. (2017, July 26). Protecting small businesses from cyber attacks: The cybersecurity insurance option: Hearing before the Committee on Small Business, United States House of Representatives, One Hundred Fifteenth Congress, first session. United States.

  • Dobran, B. (2017, October 19). Cyber Tragedy: 5 Stages of Business Deterioration after a Data Breach. Retrieved February 28, 2019, from phoenixNAP: https://phoenixnap.com/blog/business-deterioration-after-a-data-breach

  • Drinkwater, D. (2016, January 07). Does a data breach really affect your firm’s reputation? Retrieved April 14, 2019, from CSO Online: https://www.csoonline.com/article/3019283/does-a-data-breach-really-affect-your-firm-s-reputation.html

  • Fanelli, B., Pessanha, R., Gwiazdowski, A., Chng-Castor, A., & Auger, G. (2017). 2017 State of Cybersecurity Among Small Businesses in North America. Arlington, VA: Council of Better Business Bureaus.

  • Hiscox. (2017). Cyber Readiness Report. Retrieved March 2019, from Hiscox: https://www.hiscox.co.uk/cyber-readiness-report/docs/cyber-readiness-report-2017.pdf

  • In Re: 21st Century Oncology Holdings, Inc., et al., Debtors, 17-22770 (U.S. Bankruptcy Ct., S. Dst. of New York December 11, 2017). Retrieved from ORDER (A) APPROVING THE SETTLEMENT AGREEMENT BETWEEN THE DEBTORS AND THE DATA BREACH PLAINTIFFS AND (B) GRANTING RELATED RELIEF.

  • In re: Target Corporation Customer Data Security Breach Litigation, 14-2522 (U.S. District Court, District of Minnesota May 18, 2015).

  • Khalili, M. M., Naghizadeh, P., & Liu, M. (2018, September). Designing Cyber Insurance Policies: The Role of Pre-Screening and Security Interdependence. IEEE Transactions on Information Forensics and Security, 13(9), pp. 2226-2239.

  • Krebs, B. (2018, July 18). Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M. Retrieved February 20, 2019, from Krebs on Security: https://krebsonsecurity.com/2018/07/hackers-breached-virginia-bank-twice-in-eight-months-stole-2-4m/

  • Kshetri, N. (2018, November). The Economics of Cyber-Insurance. IT Professional, 20(6), pp. 9-14.

  • Malcolm, H. (2015, August 18). Target settles with Visa over data breach. Retrieved April 14, 2019, from USA Today: https://www.usatoday.com/story/money/2015/08/18/target-settles-visa-over-data-breach/31911123/

  • Marotta, A., Martinelli, F., Nanni, S., Orlando, A., & Yautsiukhin, A. (2017, February 20). Cyber-insurance survey. Computer Science Review, pp. 35-61.

  • Mason, S. (2016, December 27). Impact on Stock Following a Data Breach – Dec 2016. Retrieved April 14, 2019, from InfoSec Insights: http://seanmason.com/2016/12/27/impact-on-stock-following-a-data-breach-dec-2016/

  • Meland, P., Tøndel, I. A., Moe, M., & Seehusen, F. (2017). Facing Uncertainty in Cyber Insurance Policies. STM: International Workshop on Security and Trust Management (pp. 89-100). Oslo, Norway: Springer International Publishing AG 2017.

  • OECD. (2017). Enhancing the Role of Insurance in Cyber Risk Management. Paris: OECD Publishing.

  • Ponemon Institute. (2013, August 7). Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age. Retrieved March 2019, from https://www.experian.com/innovation/thought-leadership/ponemon-study-managing-cyber-security-as-business-risk.jsp?ecd_dbres_cyber_insurance_study_ponemon_referral

  • Pratt, M. K. (2012, January 12). Cyberumbrella. Computerworld, pp. 24-25.

  • Romanosky, S., Ablon, L., Kuehn, A., & Jones, T. (2017). Content Analysis of Cyber Insurance Policies: How do carriers write policies and price cyber risk? RAND Corporation Justice, Infrastructure, and Environment.

  • Schwartz, G. A., & Sastry, S. S. (2014). Cyber-Insurance Framework for Large Scale Interdependent Networks. Proceedings of the 3rd International Conference on High Confidence Networked Systems (pp. 145-154). Berlin: Association for Computing Machinery.

  • Stempel, J., & Bose, N. (2015, December 2). Target in $39.4 million settlement with banks over data breach. Retrieved April 14, 2019, from Reuters.

  • Target Corporation. (2016, March 11). Target Corporation 10-K for the fiscal year ended January 30, 2016. Retrieved from Securities & Exchange Commission Archives: https://www.sec.gov/Archives/edgar/data/27419/000002741916000043/tgt-20160130x10k.htm

  • Webb, T. (2014, January 29). Analyst sees Target data breach costs topping $1 billion. Retrieved April 24, 2019, from Twin Cities Pioneer Press: https://www.twincities.com/2014/01/29/analyst-sees-target-data-breach-costs-topping-1-billion/

  • Yang, Z., & Lui, J. C. (2013, December 5). Security adoption and influence of cyber-insurance markets in heterogeneous networks. Performance Evaluation, pp. 1-17.

  • Zaleski, A. (2017, April 5). Congress addresses cyberwar on small business: 14 million hacked over last 12 months. Retrieved from CNBC: https://www.cnbc.com/2017/04/05/congress-addresses-cyberwar-on-small-business-14-million-hacked.html


Appendix A: Tables and Figures

Table 1: Target Breach Costs over Time with Insurance Recoveries

Table 2: Classifications of Cyber Insurance Customers vs Risk Management Maturity

1 – Kshetri reports on a survey conducted by Marsh, in which 49% of respondents were unable to determine what cyber insurance they need. (Kshetri, 2018, p. 11)

2 – Ponemon reports that, among those that will not purchase cyber insurance, too high a price and too many restrictions are the principal reasons they decline to purchase a policy. (Ponemon Institute, 2013, p. 4)