The COVID-19 outbreak sparked an acceleration of phishing, business email compromise and other social engineering attacks. And remote work brought new risks, especially for companies that needed to quickly make their infrastructures more robust to stay in business. CISOs and CIOs confirmed a surge in attacks in the March-through-May period last year and threat activity is still elevated, according to PwC’s Digital Trust Insights Pulse Survey. Cybercrime is expected to cost $6 trillion in damages globally in 2021 and $10.5 trillion annually by 2025.
Your enterprise’s resilience — its ability to recover from a disruption within established limits for time and costs — may depend on having adequate, reliable cyber insurance to decrease your costs and time-to-recovery after a cyber attack.
Cyber insurance, in one form or another, has been around since the 1990s. And now, as a result of attack-driven financial losses in 2019 and 2020, there is greater demand than supply. The global cyber insurance market will be valued at an estimated $22.5 billion by 2030, up from $4.3 billion in 2018, according to a report by Index Market Research. Fifty-eight percent of the 5,569 cyber professionals surveyed for the Hiscox Cyber Readiness Report said that they purchased cyber insurance — as a standalone or an add-on — in 2020, compared to 41 percent in 2019. The proliferation of insurers and the increase in numbers and severity of attacks prompted the New York State Department of Financial Services to be the first US regulator to publish guidance for cyber insurers on Feb. 4.
But all cyber insurance policies are not created equal. Some will cover the costs of your ransomware — some won’t. Not all will pay your regulatory fines. Many won’t pay for improvements after a hack that could protect you from another attack. Worst case, if the culprit is spyware installed by a foreign nation? You could wind up in court trying to recoup your costs — and even then, you might lose.
And having the wrong kind or amount of coverage could be even worse than having none at all. A false sense of security could ultimately end up costing your organization more — or cause you to lose your business altogether.
If you’re a C-suite executive, you know that if your enterprise gets breached, the buck stops with you — or goes all the way up to the CEO. And the board also has responsibility with its oversight role of management. What kind of coverage is right for your business, and how can you and your teams know if you have chosen wisely?
This question may seem elementary, but it’s critical to ask.
So often in business, intra-company communication leaves a lot to be desired. Your cybersecurity and IT professionals, as well as the executives managing and overseeing them, may have no idea whether such a policy exists — even as they file a claim.
Frequently, there’s an assumption that an existing property damage or business continuity policy will cover an incident even if the policy is “silent” on cybersecurity issues. If, unbeknownst to you, cyber intrusions are not covered, you could end up footing the entire bill for a breach or attack — or engaging in a costly court battle for payment. In the US, the average total cost of a data breach was $8.6 million in 2020, more than twice the global average, according to the 2020 Cost of a Data Breach Report. The cost for breaches of more than 50 million records increased from an average of $350 million in 2018 to $392 million in 2020.
In 2020, the top 10 biggest ransomware attacks cost victims nearly $213 million to investigate, rebuild networks and restore backups, pay the ransom and put preventative measures in place to avoid future incidents. Even worse, ransomware payments totaling as much as 7 or 8 figures are now being extorted multiple times with multiple payments stemming from one attack.
Who’s in charge of selecting and buying cybersecurity liability insurance for your firm? The CIO? CISO? Your risk manager? General counsel?
And in the event of a cyber attack, whose job is it to file the claim and see it through the processing?
Establishing accountability helps confirm that the tasks of managing and mitigating cyber risk are completed properly and in a timely manner. Before you can formulate a cybersecurity risk management strategy — critical to operational and digital resilience — you should establish robust procedures and playbooks for incident readiness.
Critical infrastructure organizations — including banks, utility companies, healthcare providers, technology firms, manufacturers and state and local governments — are today’s primary cyber attack targets and may need more coverage than businesses such as retailers. Often, these industry targets have discrete industry and regulatory requirements that must be met, which ups the ante even further.
But how much insurance does your organization need? To help determine the right answer, you need to quantify your cybersecurity risk. More mature organizations such as financial institutions have already done this. But those that need it the most often have analyzed their risks the least. And companies in other less-regulated industries, including education and manufacturing, tend to be under-insured for cybersecurity liability.
Sometimes an incident becomes a wake-up call for an industry. After the debilitating NotPetya attack, the maritime industry began to improve its cybersecurity. Threat information sharing has improved and, as a result, cyber insurance products emerged.
Quantifying risk now can prevent headaches and potentially catastrophic losses for small and midsize companies later on. Admittedly, placing a dollar sign on your cyber risk isn’t easy. It’s a young field with few specialists.
What are the exclusions on your policy? Find that out now! Don’t wait until your systems are held hostage, only to discover that your cyber insurance policy excludes ransomware payments, for instance.
Most policies will reimburse you for network security, hiring legal counsel and paying a forensics vendor. Often, they will pay the costs of restoring data and bringing your operations back online.
What about the cost of a root cause investigation? That may not be covered.
And what about the cost of breach notifications? If you’ve had 100,000 credit card numbers stolen, the cost of notifying the cardholders could be prohibitive.
Does your policy cover public relations and communications? The right messaging can be critical in preventing reputational loss and restoring goodwill with stakeholders.
Will your insurance pay the cost of providing credit monitoring and ID restoration to customers whose personally identifiable information (PII) was stolen?
If you’re hit by ransomware, will your policy pay the costs of negotiating with the attacker and paying the ransom? Does your policy cover extreme business interruption, including losses from cancellations of flights or missed shipments or delayed production? Some, but not all, will include data breach coverage, business interruption cost reimbursement, cyber extortion defense, forensic support and legal support.
If an advanced persistent threat (APT) infiltrates your system in a nation-state attack, will your insurance fund your recovery or will it write off the incident as an “act of war”? (This was tested in the wake of the NotPetya attack.) This question should no longer be hypothetical with the predicted increase in sophistication of APTs.
And what if your organization incurs fines for violating the European Union’s General Data Protection Regulation (GDPR), the NYDFS Cybersecurity Regulation, the California Consumer Privacy Act (CCPA) or some other cybersecurity or privacy regulation? How much, if anything, will your insurance company pay?
A caveat: If your enterprise gets hit by malicious actors because your security wasn’t adequately robust, your insurance policy probably won’t pay for you to strengthen your systems to avoid another attack. But that doesn’t mean you shouldn’t take this precaution.
Insurance companies are accustomed to responding to natural disasters, overseas riots, loan defaults and other risks and threats. However, they may not fully comprehend the threats posed by phishing, social engineering and malware and the dangers they pose to your enterprise.
Do insurance providers grasp the privacy and security requirements that HIPAA imposes on the healthcare industry, as well as the privacy and security concerns caused by a regulatory push for sharing patient data? Do they understand the importance of the FFIEC’s (Federal Financial Institutions Examination Council) or Bank of England’s guidance on operational and digital resilience in financial services?
Your cybersecurity liability policy should be flexible enough to adapt to malicious actors’ tactics. It should also let your organization adapt and change as your business and technology needs grow without having to augment your policy.
At the same time, your team should actively review your cyber policy every time it’s up for renewal. If you don’t feel equipped to determine whether your policy is sufficient, get help — either from an in-house team, outside legal counsel or an experienced and qualified consultant.
The responsibility for protecting the organization’s systems, network and assets sits at the very top: The CEO owns the risk. The role of the CISO, CIO and CRO is to make the CEO understand how much risk he or she would carry by failing to secure adequate cyber insurance. The board should also discuss and be comfortable with the cyber risk appetite as part of its oversight role of management’s activities.
This article first appeared in the PwC Cyber and Privacy Innovation Institute.
Cybersecurity and Privacy solutions
Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US
Joseph Nocera
Cyber & Tech Risk Solution Leader, Cybersecurity, Risk & Regulatory, PwC US
Shawn Lonergan
Partner, Technology & Operational Resilience, PwC US
John Boles
Principal, Cybersecurity and Privacy, PwC US