The United States is under cyber attack. From hospitals to retailers to restaurants, hackers, primarily based in Eastern Europe and Asia, are breaking into computer networks and stealing social security and phone numbers, credit card accounts, names, usernames, passwords and email addresses.
Home of the world’s largest economy, the United States also endures the largest number of attacks and yields the highest number of stolen records, according to industry reports. While government, education and health care are targets, the gold mine is the business sector with its trove of cash registers and customer profiles.
The annual global financial loss from cybercrime, as estimated by renowned security technology firm McAfee, ranges from $375 billion to $575 billion, and current research indicates that hacking will not subside. To the contrary, it’s considered a growth industry.
In terms of domestic computer breaches, 2013 was defined by the colossal holiday heist at Target, where 40 million debit and credit card numbers were stolen from cash registers. According to Risk Based Security, a threat intelligence company, breaches involving U.S. entities accounted for 48.7 percent of last year’s global total and yielded 66.5 percent of the exposed records.
This year, however, was not to be outdone. An extraordinary breach occurred at The Home Depot, which was joined by Neiman Marcus, Michaels Stores Inc., P.F. Chang’s, Jimmy John’s, Goodwill, J.P. Morgan, Dairy Queen and Community Health Systems Inc., among many others.
While the toll on the Arkansas consumer is unknown, hacking, and breaches in general, have gotten so bad that state officials have taken notice. The Attorney General’s office, for example, is trying to ascertain the effect national data breaches are having here in the state.
Though the impact in Arkansas might not be known, the portrait of the global scene has already been painted: The world is a big and nasty place, and hackers are working their way down from the big companies and into the innards of small- to mid-sized businesses.
Conventional wisdom says a company has to at least try and build a network that can repel an attack from a syndicate out of Moscow, or even one from a lone teen out of Prairie Grove. But increasingly, industry leaders are recommending a second form of protection, one that will help a company recover from a devastating attack. It’s called cyber liability insurance, and while it’s still relatively new in the marketplace, particularly here in Northwest Arkansas, it’s soon expected to go mainstream.
Everyone Is At Risk
Worldwide, as much as $2 billion in cyber insurance premiums were written last year. That compares with $107 billion in written premiums for auto liability in the United States alone.
In Arkansas, the first murmurings about cyber insurance seem to have come from Little Rock, where Brendan Monaghan, president of BancorpSouth Insurance Services, stands as one of the early advocates of the coverage. Through his work with clients and potential clients, and by hosting symposiums for groups from around the state, Monaghan has emerged as a key resource in the cyber insurance field.
“Everyone is at risk,” he said. “Governments are at risk due to the vast amount of data they hold. Big businesses are at risk because they are seen as whales and have databases with large amounts of customer data. Small businesses and individuals are at risk because they often have the lowest level of security measures and generally have the opinion that because they are not Target, they aren’t a target.”
Coverage comes in two categories: first-party and third-party. First-party coverage applies to the breached company and the direct expenses they incur — notifying clients, client credit monitoring, public relations, loss of business income and extortion. Third-party coverage applies to any lawsuits, penalties and settlements that might arise from the breach.
Under Arkansas law, cyber insurance is not mandatory. But a 2005 law does “encourage individuals, businesses and state agencies that acquire, own or license personal information about the citizens of the state of Arkansas to provide reasonable security for the information.”
And in the event of a breach, a company must notify the victims “in the most expedient time and manner possible and without unreasonable delay.”
The cost of cyber coverage depends on a multitude of factors including the size of the firm, its industry type, the strength of the company’s information protection management system, data type and whether the company’s IT department is in-house or outsourced.
While many boilerplate factors determine the kind of coverage a company will buy and the expense it will subsequently absorb — and though the insurance is tied to the cryptic and invisible cybercrime — a data breach can unleash a lava flow of tangible human emotions. To that end, it’s crucial that a company develop a relationship with its insurer prior to an emergency.
“We believe it’s important to understand who the service providers are going to be and meet with members of the post-breach team before a breach ever occurs,” Monaghan said. “Meeting for the first time in the heat of a breach does not provide optimal efficiency.”
Know What You’re Buying
Fayetteville attorney Jim Smith knows a thing or two about doing business. His firm, Smith Hurst PLC, specializes in transactions, not litigation, and over time, has come to represent an array of companies, many of them startups in the tech and e-commerce industries.
Born and bred on the Internet, these companies, oftentimes owned and staffed by the young and creative, are as vulnerable as any to the dangers of cybercrime. But as those companies struggle to perfect their technology, promote themselves and fight for market share, cyber insurance is not at the top of their to-do list.
“A lot of these startups don’t have any money, and in the beginning, cyber insurance is not in the budget,” Smith said. “How much is it going to cost? That’s always an issue.”
Cyber insurance might not be in the cards for a company that has yet to make its name and its fortune. But for mature companies, regardless of size, that’s not the case.
Smith said it would be wise for a company to take a close look not only at its computer network, but at its insurance policy as well. A strong network of computer safeguards never hurts, and when and if it comes time to make a claim, it’s important to know what is and is not covered.
General liability, for instance, is the workhorse of the business world, but it doesn’t cover the damage caused by cybercrime. A policy on loss of digital assets, on the other hand, does, and in the event of a breach, coverage could be the difference between the life and death of a business.
“It’s not the legal issue, but how do you come out on the other side,” Smith said. “How do you regain confidence in the public eye?”
If a company can, then it might survive, Smith said. But if it doesn’t, there’s a good chance that company will die.
With that in mind, Smith said it’s crucial that a company purchase the right policy.
“What is this cyber insurance insuring me against?” he said. “You need to know what you’re buying.”
It Won’t Happen To Me
One company in Northwest Arkansas that carries cyber liability is Walker Brothers Insurance Inc. in Springdale. A meat-and-potatoes firm that specializes in home and auto, commercial, life, health and group insurance, Walker Brothers is also an old company — founded in 1932 — with an enormous amount of sensitive information. Hence the need for cyber insurance, said company principal Mike Luttrell.
Walker Brothers also sells a suite of cyber coverage by Philadelphia Insurance Companies, which has offered stand-alone cyber policies for nearly five years.
Getting the word out about the new coverage has not necessarily been easy.
“Cyber liability is an emerging need for businesses in Northwest Arkansas,” Luttrell said. “Not everyone’s buying it right now, but we’re talking about it.”
Based on the content contained in industry reports and news stories from groups like McAfee, Verizon, Advisen, Risk Based Security, Krebs on Security, The Hacker News and PC World, the conversation needs to continue.
An October report by insurance advocate Advisen titled “Cyber Exposures of Small and Midsize Businesses — a Digital Pandemic,” offers a grim picture of the current state of cyber security.
“Gone are the days when data breaches, privacy violations, and other network security incidents were only a big business problem,” the report concludes. “Countless organizations of all sizes are now victimized daily, and in many cases with crippling effect.”
The rogues’ gallery of hackers includes household names like the politically oriented Julian Assange and Anonymous, as well as lesser-known criminal groups like Comment Crew out of China, and APT28 and Sandworm out of Russia. The increasingly new and sophisticated weaponry available to hackers is vast, but venerable malware like Zeus, or Zbot, and its sinister offspring, Citadel, still wreak havoc on bank accounts across the globe.
For Luttrell, it’s better to be safe than sorry. But not everyone feels that way. At least not yet.
“You tell people about [cyber attacks], but they say, ‘It won’t happen to me,’” he said.