Cyber Attacks: What Are They?
Broadly speaking, cyber attacks are socially or politically motivated attacks carried out through the Internet, targeting individuals, corporations, governments, or the general population.[1] They can be categorized into two types: attacks where the goal is to disable the computer or “knock it offline,” and attacks where the goal is to access a computer’s data and gain administrative privileges.[2] Cyber attacks are carried out in a number of ways, including by spreading malicious programs (“malware”), sending “phishing” emails, creating fake websites, exposing vulnerabilities in software, and gaining unauthorized access to a database to steal information.[3] Once a computer or network is accessed, common attacks include installing “ransomware” (malicious programs that encrypt files) and demanding payment to restore the files, installing “crypto-mining software” that appropriates a victim’s crypto-currency without detection, and accessing data and using it for monetary or political gain.[4]
The Growth Of Cyber Attacks & Their Financial Impacts
As the world continues to advance technologically, the number of cyber attacks has increased at an alarming rate.[5] A study done by Accenture and the Ponemon Institute, which researched 355 companies in 16 different industries, revealed that in the past five years security breaches have increased by 67%, with an 11% increase in 2018 alone.[6] The 2019 Official Annual Cybercrime Report predicts that this year businesses will fall victim to ransomware attacks every 14 seconds.[7] In January 2019 alone, nearly 1.8 billion user records were leaked due to cyber attacks, representing personal information and passwords for approximately 772 million people.[8] Since 2013, companies such as Yahoo!, Marriott, MySpace, Under Armour, Equifax, eBay, Target, and LinkedIn have each suffered data breaches of at least 100 million user accounts, with Yahoo! being the highest, at 3.5 billion accounts.[9] Smaller companies are also being affected, as 61% of data breaches in 2017 happened to businesses with fewer than 1,000 employees.[10]
Costs incurred by victims of cyber attacks have increased exponentially. The average cost of a single cyber attack now exceeds $1 million, and the average cost of a malware attack is $2.4 million.[11] Total damages for cyber crime are projected to reach $6 trillion annually by 2021.[12] In a report by the Global Application & Network Security, 78% of businesses reported that they experienced a cyber attack that caused either service degradation or a complete network outage.[13] These network interferences can have significant negative impacts on a company’s balance sheet, which take the form of business interruption losses due to employees’ inability to perform work.[14]
Coverage For Cyber Attacks: Affirmative vs. Silent Cyber Coverage
Billionaire investor Warren Buffett claims that cyber attacks are the biggest threat to humankind, even more so than nuclear weapons.[15] With that said, the question naturally arises: can companies obtain insurance coverage for cyber-related losses? The answer is yes, but how an insured obtains such coverage is where the issue gets complicated.
Cyber insurance comes in two forms: affirmative cyber liability coverage and non-affirmative or “silent” cyber coverage.[16]
Affirmative cyber coverage is for cyber perils delineated either in a stand-alone network security and privacy policy or in an endorsement covering data breach or network security failure/attack costs.[17] In the first-party context, coverage is typically for costs associated with security breach responses, business interruption, cyber extortion/ransomware payments, and the replacement, restoration, or re-creation of damaged or lost data.[18] In the third-party context, coverage is provided by way of privacy and network security liability policies, and policies that respond to privacy regulatory defense costs.[19]
Non-affirmative, or “silent,” cyber coverage refers to cyber losses stemming from traditional property and liability policies.[20] Insureds argue that their policies provide “silent” coverage in different ways, depending on the particular language. For example, cyber cover may exist even when a policy does not expressly grant it, when an “all risk” policy does not specifically exclude it, or when an exclusion is ambiguous.[21] As the danger of cyber attacks continues to grow and develop, so too does the uncertainty surrounding “silent” cyber coverage, leaving the potential for many insureds and other victims of cyber attacks to seek coverage under a variety of different policies.[22]
The Lloyd’s Mandate: Addressing Silent Cyber Uncertainty
In January 2019, the Prudential Regulation Authority (PRA) – the U.K.’s largest financial services regulatory authority – conducted a survey of insurance firms and industry associations to address the uncertainties surrounding silent cyber coverage.[23] The survey showed there were “areas where firms can do more to ensure prudent management of cyber risk exposures,” and the PRA made it clear that it expected insurers to have action plans targeted at reducing their exposure in this regard.[24]
Following the PRA’s guidance, Lloyd’s of London, the world’s oldest insurance market, issued a new mandate earlier this year, stating that “Lloyd’s view is that it is in the best interests of customers, brokers, and syndicates for all policies to be clear on whether coverage is provided for losses caused by a cyber event. This clarity should be provided by either excluding coverage or by providing affirmative coverage in the (re)insurance policy.”[25] This is to become effective in three phases: (1) first-party property, (2) liability, and (3) treaty reinsurance.[26] All first-party property policies issued after January 1, 2020 (regardless of whether they are written on an “All Risk” or “Named Perils” basis) must contain language that is explicit as to whether coverage for cyber risks exists or is excluded.[27]
For liability policies and reinsurance treaties, a market working group comprised of representatives from Lloyd’s will be established to consider how the required clarity can best be implemented for liability lines of business.[28] The group is expected to report back to Lloyd’s before the end of 2019, and Lloyd’s will use this feedback to inform the public of their plans for the future phases.[29] Specific details about phases two and three are expected to be provided in early 2020.[30]
Moving Forward: Will Other Insurers Follow Lloyd’s Lead?
Now that Lloyd’s has taken the first step in attempting to eliminate the uncertainty created by “silent” cyber coverage, the spotlight is on other insurers, both at home and abroad, to see whether they will join in. The trade group International Underwriting Association of London has drafted exclusionary wording that carriers can add to their policies to shield themselves from liability on losses from cyber attacks.[31] Interestingly, according to a study done by Willis Towers Watson, insurers providing property coverage are 26% less concerned about paying for unintentional cyber claims in 2019 than they were last year.[32] This change could stem from many different factors, including the Lloyd’s mandate, as well as insureds investing more capital in security measures to prevent cyber attacks from happening in the first place.[33]
As Lloyd’s and other carriers begin to underwrite policies that expressly exclude coverage for cyber losses, the industry may experience a shift to more insureds purchasing policies providing affirmative cyber coverage. Today, 68% of U.S. businesses have not purchased any form of cyber liability or data-breach coverage, showing that businesses are not procuring cyber insurance at a rate that matches the risks they face.[34] Clearly, the threat of cyber attacks on businesses continues to evolve, and Lloyd’s has taken the first step in evolving with that threat. It will be interesting to see if and how other insurers, reinsurers, and insureds follow suit.
————————
[1] https://www.nec.com/en/global/solutions/safety/info_management/cyberattack.html
[2] https://www.csoonline.com/article/3237324/what-is-a-cyber-attack-recent-examples-show-disturbing-trends.html
[3] https://www.csoonline.com/article/3237324/what-is-a-cyber-attack-recent-examples-show-disturbing-trends.html; https://www.nec.com/en/global/solutions/safety/info_management/cyberattack.html
[4] https://www.csoonline.com/article/3153707/top-cybersecurity-facts-figures-and-statistics.html
[5] https://www.checkpoint.com/definition/cyber-attack/
[6] https://www.accenture.com/us-en/insights/security/cost-cybercrime-study
[7] https://www.cpomagazine.com/cyber-security/11-eye-opening-cyber-security-statistics-for-2019/
[8] https://thebestvpn.com/cyber-security-statistics-2019/
[9] https://www.cpomagazine.com/cyber-security/11-eye-opening-cyber-security-statistics-for-2019/
[10] https://www.varonis.com/blog/cybersecurity-statistics/
[11] https://www.securitymagazine.com/articles/89734-average-cost-of-cyberattack-now-exceeds-1-million; https://www.varonis.com/blog/cybersecurity-statistics/
[12] https://www.varonis.com/blog/cybersecurity-statistics/; https://www.cpomagazine.com/cyber-security/11-eye-opening-cyber-security-statistics-for-2019/
[13] https://www.securitymagazine.com/articles/89734-average-cost-of-cyberattack-now-exceeds-1-million
[14] https://www.csoonline.com/article/3153707/top-cybersecurity-facts-figures-and-statistics.html
[15] https://thebestvpn.com/cyber-security-statistics-2019/
[16] https://www.gccapitalideas.com/2018/11/20/affirmative-versus-silent-cyber-an-overview/
[17] file:///C:/Users/tyler/Downloads/Affirm%20vs%20Silent%20Cyber%20Briefing%20FINAL%20(2).pdf
[18] file:///C:/Users/tyler/Downloads/Affirm%20vs%20Silent%20Cyber%20Briefing%20FINAL%20(2).pdf
[19] file:///C:/Users/tyler/Downloads/Affirm%20vs%20Silent%20Cyber%20Briefing%20FINAL%20(2).pdf
[20] https://www.insurancebusinessmag.com/us/guides/what-is-silent-cyber-risk-117150.aspx
[21] file:///C:/Users/tyler/Downloads/Affirm%20vs%20Silent%20Cyber%20Briefing%20FINAL%20(2).pdf
[22] file:///C:/Users/tyler/Downloads/Affirm%20vs%20Silent%20Cyber%20Briefing%20FINAL%20(2).pdf
[23] https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/letter/2019/cyber-underwriting-risk-follow-up-survey-results
[24] https://www.ciab.com/resources/lloyds-moves-to-address-silent-cyber-risk/
[25] https://www.ciab.com/resources/lloyds-moves-to-address-silent-cyber-risk/
[26] https://www.ciab.com/resources/lloyds-moves-to-address-silent-cyber-risk/
[27] https://www.ciab.com/download/19427/
[28] https://www.ciab.com/download/19427/
[29] https://www.ciab.com/download/19427/
[30] https://www.ciab.com/download/19427/
[31] https://www.law360.com/articles/1193779/silent-cyber-cover-risk-drops-for-insurers-after-2018-high
[32] https://www.law360.com/articles/1193779/silent-cyber-cover-risk-drops-for-insurers-after-2018-high
[33] https://www.willistowerswatson.com/en-CA/Insights/2019/08/silent-cyber-risk-concerns-decline-after-2018-spike
[34] https://cybersecurityventures.com/cybersecurity-almanac-2019/