As digital threats grow, will cyber insurance take off?

Cyberattacks cost the world more than natural disasters – US$3 trillion in 2015, a price that may climb to $6 trillion annually by 2021 if present trends continue. But most people – and even most businesses – don’t have insurance to protect themselves against this rising threat.

Insurance against all kinds of risks – disease, disaster, legal liability and more – is extremely common. In the U.S., companies, families and even government agencies paid a combined $2.7 trillion in insurance premiums in 2016 – and received payouts totaling $1.5 trillion. But just $2.5 billion – 0.09 percent of the total spending – went to buy insurance against cyberattacks and hacking. Elsewhere in the world, there’s even less coverage. For instance, in 2017 the cyber insurance market in India was $27.9 million – 0.04 percent of the total insurance premiums paid in the country that year.

From my research on cybercrime and cybersecurity over the past two decades, it is clear to me that cyberattacks have become increasingly sophisticated. The cyber insurance market’s extremely small size suggests that organizations and individuals might have underrated its importance. However, more and more internet users are finding reason to protect themselves. In 10 years’ time, insurance coverage for cyberattacks could be standard for every homeowner.

Who is buying cyber insurance?

Certain types of companies tend to have – or not have – cyber insurance. The larger the firm and the more closely it depends on computerized data, the more likely it is to have coverage against digital threats.

For a company, that can make sense, because a digital intrusion can cost hundreds of thousands or even millions of dollars to fix and recover from. For individuals, the costs of a breach are lower, but still significant – even as high as $5,000.

Regular people are far less likely to have digital protection than companies are. In India, personal cyber insurance is less than 1 percent of the total cyber insurance market. In the U.S. and elsewhere, most products are targeted at rich people. Insurers such as AIG, Chubb, Hartford Steam Boiler and NAS Insurance sell personal cyber insurance policies as add-ons to homeowners’ and renters’ insurance.

The insurance industry is doing more, too. A wide range of insurers such as Munich Re, AIG’s CyberEdge, Saga Home Insurance, Burns & Wilcox and Chubb all offer cyber insurance for individuals. These plans cover as much as $250,0000 to repair or replace damaged devices and to pay for expert advice and assistance if a cyberattack affects a policyholder. They may also include data recovery, credit monitoring services and efforts to undo identity theft.

Even health services may be included: AIG’s new Family CyberEdge policy includes coverage of one year of psychiatric services if a family member is victimized by cyberbullying. Also covered is lost salary if the victim loses a job within 60 days of discovering cyberbullying. Some insurers offer policies that provide help to assess policyholders’ data security practices and scan for cyberthreats.

Emerging dangers

Another cybercrime that’s becoming increasingly common is called ransomware – in which malicious software takes over a person’s computer and encrypts his or her data. Then the program demands the victim pay a ransom – often in bitcoin or other cryptocurrencies – to get the data decrypted.

Some ransomware attackers don’t actually decrypt the data, even if they get paid – but that hasn’t stopped victims from paying big bucks – at least $1 billion in 2016 alone. Even so, there are insurers who sell coverage against ransomware, providing backup and decryption services – or even paying the ransom.

As smart home systems become more popular – as well as various technologies to monitor and help coordinate local government services – they’ll provide more potential entry points for hackers. An average home insured by AIG has 20 Wi-Fi-enabled devices. Replacing a hijacked home’s entire smart lighting system, smart entertainment center, thermostat and digital security devices will be expensive – and the bill will only be higher for communities using internet-connected streetlights, water meters, electric cars and traffic controls. Those are opportunities for insurance companies to step in.

Some current challenges

Before cyber insurance becomes more common, however, the insurance industry will likely have to come to some consensus about what will and won’t be covered. At the moment each plan differs substantially – so customers must conduct a detailed assessment of their own risks to figure out what to buy. Few people know enough to be truly informed customers. Even insurance brokers don’t know enough about cyber risks to usefully help their clients.

In addition, because cybercrime is relatively new, insurers do not have much data on how much various types of cybersecurity problems can cost to fix or recover from. They therefore tend to be conservative and overcharge.

As people become better-informed about the digital dangers in their lives, and as insurance companies are able to more clearly explain – and more accurately price – their coverage options, the cyber insurance market will grow and may expand rapidly. In the meantime, most policies have some degree of custom design, so consumers should be careful to look for policies that actually cover their needs, and not just evaluate plans based on cost.

Author: Nir Kshetri
Source: The Conversation

Who You Gonna Call? Nonprofit Addresses Nonprofit Cybersecurity

What would you do if your nonprofit had over 500 W2 tax forms stolen electronically and put up for sale on the dark web?

This nightmare happened to one unnamed nonprofit, and their solution was to contact the National Cybersecurity Center, a nonprofit founded in 2016 by Colorado Governor John Hickenlooper. The NCC’s mission is to provide collaborative cybersecurity services and training. Their goals are to provide education, training, and response services. According to CEO Ed Rios, almost 90 percent of the attacks reported to the center have been mitigated.

What happened to those W2s? The NCC determined that the records were obtained via an email scam. To help with prevention, the NCC offered training to the nonprofit on identifying and avoiding such attacks in the future.

Rios stated that approximately 75 percent of attacks result from user error. This is commonly known as PICNIC (Problem In Chair, Not In Computer), a term popular with IT help desk employees to describe the non-IT workforce’s propensity to click first and ask questions later.

There are three pillars of the NCC’s work:

  1. The Rapid Response Center is a dedicated facility with experts, vendors, and partners to serve as a trusted resource during a time of security breaches. Their plan is to be the “one-stop shop” when immediate assistance is needed to solve an attack. The RRC is reached via 877-90-CYBER. It is currently available only during business hours; the plan is to offer 24/7 assistance in the future.
  2. The Cyber Institute takes a think-tank approach to exploring emerging tactics and trends, encryption, and protocols available to better protect our electronic assets. Examples include cyber law, cyber budgeting, cyber communications, and other activities that a small or medium nonprofit or business needs to understand, both now and as technology evolves.
  3. The Cyber Research, Education and Training Center partners with K-12 and higher education to drive research and development and to provide cyber workforce preparation and education.

Statistics reveal that a single breach can cost up to $9 million for complete resolution, says Rios. Referring to the management level, he said, “50 percent don’t really know enough to even have a discussion.”

Regarding the cybersecurity workforce shortages, Rios further explained that cybersecurity skills can often be taught at the “tactical level” as opposed to the formal education perspective with degrees in computer science. As nonprofits face an increase in cybersecurity and other online threats, it behooves them to be aware of the dangers and the resources available to mitigate them.

Source: The Nonprofit Quarterly

Author: Jeanne Allen