In the much-anticipated sequel to the beloved box office hit starring Matthew McConaughey and Sarah Jessica Parker, Failure to Launch 2: Cyber Insurance has viewers on the edge of their seats wondering “when will this end?” and “is this a terrible title for a blog or am I just super lame?” The story brings us a new landscape of an ever-changing cyber threat environment and a whole new cast of worried insurers, dangerous cyber criminals, and unsure decision makers at companies big and small. Be sure to catch the movie, streaming on Netflix this Fall.
On the off chance that you’re not a cybersecurity professional, let me first explain the ever-changing cyber threat environment and the rise of cybersecurity insurance. Cybersecurity has changed drastically over the past 30 years. In 1988, a curious graduate student from Cornell released a relatively simple computer worm that spread to an estimated 6,000 machines, roughly 10% of the internet in those early years. It took another 12 years, into the early 2000s, for worms to become mainstream, with cybercriminals targeting companies and individuals with the sole purpose of disrupting them.
In 2005, things began to change, and criminals began looking at their worms as money-making ventures. A criminal would create a worm or virus with a call-back function to a central command-and-control server. The malware would spread across the internet to unsuspecting individuals’ computers and stay dormant until the central server gave it an instruction. An infected computer is called a bot, the collection of bots answering to one server is a botnet, and the criminal running that server is the bot-herder. Individuals, companies, or other entities would pay the bot-herder and give him a target; the bot-herder would then command all of his bots to flood that target with traffic. The most notorious form was the ping flood, essentially thousands of computers at once asking another computer whether it is online, though the same botnets could just as easily send half-open connection attempts or plain web requests. The target’s servers, inundated with junk traffic from thousands of sources, would spend all of their bandwidth and processing power answering it, leaving nothing for their normal job; websites would crash, and companies were left unable to operate. The industry term for this type of attack is a Distributed Denial of Service (DDoS) attack.
In 2013, the threat landscape took another turn, and we began seeing the rise of ransomware attacks. The same kind of malware that was installed on your computer could now also inventory which applications you had installed and which patches you had applied, and send that information to its central server to work out which vulnerabilities were available to exploit. The central server would automatically supply the malware with the matching attack code and an encryption key, and the malware would exploit the vulnerability, spread, and encrypt your documents, photos, and other data files. Then it would show a screen demanding payment in return for the key to decrypt the files. Over time, criminals realized that while a single person may pay $300 for their family photos, a company with hundreds of computers that has not prioritized cybersecurity (and has no tested, offline backups to restore from) would be left with no other option than to pay the ransom.
Given the rise of targeted ransomware and other cyber-attacks that directly affect companies of all sizes and from all industries, a new type of insurance offering has emerged that covers the financial losses resulting from IT and cybersecurity related attacks; general business insurance policies do not include language to cover these areas. Cybersecurity insurance coverage usually includes losses from data destruction, extortion, theft, hacking, and denial of service. Items typically not covered include the cost of improving your cybersecurity posture, software and hardware upgrades, and future lost business; regulatory fines and lawsuits stemming from a failure to safeguard data are frequently excluded or capped as well, so read a policy’s exclusions carefully rather than assuming they are covered.
Global cyber insurance premiums are currently estimated at $5B, about 0.08% of the $6.3T global insurance marketplace. While I’m not expecting this percentage to hit double digits anytime soon, its relatively small size is a cause for concern for the future of cybersecurity insurance. In the wake of the COVID-19 pandemic, companies have come to view cybersecurity insurance as a luxury rather than a necessity, threatening demand for the offering in the first place. Additionally, while the rise in cyber attacks may increase demand, it may also threaten supply, as insurers become more uncertain about the environment and question the actuarial analysis they previously performed. Taking this one step further, there simply is not enough historical data to accurately predict the rate of cyber attacks by industry or company size the way there is for traditional policies, such as the risk of foreclosure, the risk of fire, or life expectancy. All of these factors lead to the conclusion that there is not enough money in cybersecurity insurance at this time, and no clear path to this type of insurance ever becoming a standard rather than a nice-to-have.
Business leaders need a plan in place for how they will address cyber risks. The industry is ever changing, requiring constant review of your risk management plan and confirmation that risks are appropriately mitigated. We simply cannot address all risks in-house, and it often takes a broad approach to ensure that every risk is covered. Just as you have smoke detectors in your home, blow out candles before you go to sleep, and double-check that your fire extinguisher has not expired, companies are hiring more cyber professionals, diverting more resources to the cause, and making sure they comply with regulatory requirements. However, after the firefighters have extinguished a fire that started while you were not home, you call on your renters or homeowners insurance to find out how to claim the coverage you have against fire. Most companies do not have that final call; they are left with the financial losses from recovery costs, lost operations, and reputational and brand damage. Maybe it’s time that companies wise up and consider additional coverage against cyber attacks; if they wait too long, the cyber insurance market may simply dissolve.