You have probably noticed the gradual increase in the number of ads over the past two years selling “cyber insurance,” or insurance that covers a hack. The market for this kind of insurance has been growing.
According to a 2017 Deloitte report on cyber insurance, the market is currently $1.5 to $3 billion dollars in the United States and will grow to over $20 billion by 2025. In our opinion, that is a conservative estimate which should be higher, based on the growth and size of breaches we have been seeing.
In a May 2017 survey from the Council of Insurance Agents and Brokers, only 32% of US businesses had some type of cyber insurance. Many of those do not have full coverage.
As a courtesy to our customers, we are going to briefly discuss the current state of cyber insurance and provide some data and a few anecdotes to help you make a decision on whether to purchase coverage. I have included sources at the end of this post.
Wordfence and our team do not sell cyber insurance. This is report is informational and as a courtesy to our customers.
Cyber Insurance Overview
Cyber insurance is a relatively new market, and it is challenging for both customers and for insurers.
The challenge for insurers is that they do not have much historical data they can use to price risk. In addition, they face the problem that cyber attacks keep evolving. There also is a risk that insurers will have to pay out for a large number of breaches simultaneously. Insurers may have difficulty understanding what to cover in a highly technical and rapidly evolving field.
Buyers of insurance, who are mostly non-technical, may have trouble understanding risks and their insurance options. Buyers may also find that the risks associated with a cyber breach cover a wide range of policy types. Policies lack standardization, and most countries lack a body of legal precedent to help predict outcomes when there is a dispute.
Some of the kinds of loss a company may experience during a cyber breach are:
- Direct monetary loss through electronic theft.
- Losses due to extortion from DDoS blackmail or ransomware.
- Costs of mitigating and investigating the incident.
- Losses due to downtime.
- Losses from damage to data and systems, and the costs associated with restoring systems back to normal.
- Costs of remediation, including the cost to improve security and prevent a similar breach going forward.
- The cost of customer breach notification, including legal costs and public relations.
- Expenses of customer compensation, including credit monitoring, service-level agreement penalties, refunds and contractual breaches.
- Costs of liability associated with the breach, including legal costs.
Policies to cover such diverse risks are complex, which presents a challenge to insurers who have trouble pricing the risk, and a challenge to consumers who could have trouble understanding the coverage.
Cyber Insurance Policies Don’t Always Pay
The past few years have seen several high-profile examples of cyber insurers refusing to pay out, and the issue has usually ended up in court.
Insurer Does Not Cover BitPay’s Theft of $1.8M in BitCoin
Bitcoin payment processor BitPay had purchased cyber insurance from Massachusetts Bay Insurance Company (MBIC). In December 2014, they were hacked when an attacker spearphished their Chief Financial Officer.
The attacker used the hacked email account to spoof emails to the CEO and tricked BitPay into transferring 5000 bitcoins into their wallet. The bitcoins were worth $1,850,000, and they were transferred in three separate transactions over two days.
MBC did not pay out on BitPay’s cyber insurance policy, so BitPay sued MBC. In court documents, MBC claimed:
The Policy requires that the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises. “Direct” means without any intervening step i.e. without any intruding or diverting factor. The Computer Fraud Insuring Agreement is only triggered by situations where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer of Money to an outside person or place. The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into Bitpay’s computer system fraudulently causing a transfer of Money. Instead, the computer system of David Bailey, Bitpay’s business partner, was compromised resulting in fictitious emails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured.
The dispute was settled in May of last year, two years later. The terms were not disclosed.
Cyber Breach Costs P.F. Chang’s $1.9 Million in Assessments. Insurer Doesn’t Pay.
In 2014, Federal Insurance Company, a division of Chubb, sold a policy to P.F. Chang’s parent company that they said was “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology dependent world.”
In June 2014, hackers stole 60,000 customer credit card numbers from P.F. Chang’s point-of-sale system and posted them on the Internet.
Federal paid P.F. Chang’s more than $1.7 million for losses associated with the breach. They did not pay out on an additional $1.9 million in fees and assessments imposed by MasterCard.
P.F. Chang’s sued Federal to recover the assessment charges. They lost – and are currently appealing that ruling.
Should You Buy Cyber Insurance?
Cyber insurance is a new product for the insurance industry in a field that is rapidly evolving. It presents unique challenges for buyers and insurers.
As a small company, your best approach is to avoid a breach in the first place. That means investing in systems that secure your applications and networks, and investing in people and services to support those systems.
For example, if you use WordPress as a publishing platform, investing in a firewall like Wordfence Premium can dramatically reduce the risk of a breach. You can also have our team perform a security audit on all your WordPress installations to further reduce risk.
If you are a small business with a low budget, cyber breach insurance may not be for you at this time, because it may simply be too complex or expensive. As the industry matures, products will become more reasonably priced as insurers can price risk better.
If you are considering cyber insurance, we recommend the following:
- Use a reputable insurer who has been in the cyber insurance industry for several years. The industry is new, so a history of three to five years may be enough. If your insurer entered the market within the past few months, you may be helping them iron out bugs in their product.
- Gain a clear understanding of exactly what the insurance policy covers. Check our list of possible costs associated with a breach in this post for reference (above).
- Chat with your insurer and talk through breach scenarios with them to clearly understand what is covered and what is not. Make sure your insurance contract agrees with the answers you get from your insurer.
- Check if your insurer has any history of not paying claims. Search Google News.
- Review your cyber insurance policy every six months. Make sure you still have the coverage you need and that your organization has not rolled out new technology that is not covered.
- During your semi-annual review, make sure new attack types are covered by your policy.
- Ensure that you are fully aware of your obligations. Your insurer will require that you implement policies, procedures and technologies to remain covered. If you do not comply with these contractual obligations, you will no longer be covered. Ensure you are in compliance.
Conclusion and Sources
While this post is not directly related to WordPress security, I wanted to share our thoughts on cyber insurance because it is an emerging field that our small business customers will want to keep abreast of.
I used several sources for this post. They were:
- Demystifying cyber insurance coverage – by Sam Friedman, Adam Thomas at Deloitte.
- The Pitfalls of Cyber Insurance on Dark Reading.
- Health system’s data breach insurance claims get challenged on Healthcare It News
- Cyber insurance rejects claim after BitPay lost $1.8 million in phishing attack on CSO Online.
- P.F. Chang’s Cyber Insurance Decision on Arent Fox
As always, we welcome you to share your thoughts and experiences regarding cyber insurance in the comments below.
Mark Maunder – Wordfence Founder/CEO