In the past five years, one of the largest growing financial risks businesses have had to tackle is the possibility of a cybersecurity breach. Indeed, the cyber risk landscape has not merely changed and evolved, but it has exponentially grown to be one of the primary risks that every company, every institution, and even every individual will face at some point or another.
Preliminary studies show that the number of identity fraud victims grew by 8 percent in 2017 alone, up to 16.7 million, with nearly $16.8 billion stolen from consumers in the U.S. alone. One survey showed that, in 2017, the number of companies attacked by malware, ransomware, or similar cyberattacks rose from 3 percent to 36 percent, while the number of companies that experienced an email phishing attack rose from 7 percent to 33 percent. 2017 also saw one of the largest and most significant data breaches in recent history with the Equifax data breach, impacting nearly 145.5 million Americans.
While businesses and industries across the board continue to address how best to evolve their data security and practices to, at the very least, minimize the risk of a cyberattack, the insurance industry is also evolving and working with these companies to produce and market insurance policies and products to respond to a cyber event. Historically, the focus of the insurance industry has been on creating products and policies to meet the needs of larger companies that face potentially millions of dollars in exposure in the event of a data breach or other cyber event. In the “past” (which, in the fast-paced cyber world, means within the past five to 10 years), the primary risk exposure of a cyber event has primarily involved the release of personal information, or some sort of purely monetary risk (such as a malware, ransomware or phishing attack).
However, just as companies and insurers alike have tried to evolve to respond to these historic threats and exposures, hackers and cyber criminals move fast. Just as one sector seems to have a handle on responding to potential cyber events, new threats arise. The following are a few of the issues that cybersecurity experts agree may be emerging threats and trends that businesses, individuals, and the insurance industry should be prepared for in 2018.
The insurance industry has long felt the impact of historic environmental claims, and most insurers have a well-established understanding and protocols to respond to the discovery of an environmental hazard. Traditionally, an environmental claim arises from historic practices of a manufacturer, or the sudden and accidental spill or release of chemicals or other toxins, such as at a gas station. An emerging risk, though, are for environmental claims that result from a cyber-attack. As most industries and infrastructures now rely on digital supervisory and control systems, hackers can access and overtake those systems.
This is reality, not the stuff of science fiction. In 2017, the WannaCry ransomware attack affected numerous industries, including FedEx, certain Nissan and Renault manufacturing plants, and Spain’s telecommunications system. Not long after WannaCry hit the news, another ransomware attack called Petya crippled various businesses in Europe and the U.S., including the Danish shipping firm Maersk.
The biggest industries at risk of a targeted cyberattack that could result in environmental claims are manufacturers, utility companies, and the transportation industry. Insurers and risk managers alike in these industries should be aware of the potential risk of a cyberattack, particularly one that could result in environmental bodily injury and/or property damage claims and evaluate how insurance coverage might respond to such an event.
Impacts on small, mid-sized businesses
Major companies that have been subject to a data breach — such as Sony, Target, Equifax and Anthem — make the news, and with that public attention may come the perception that only major companies and businesses are susceptible to a cyberattack. This is not the case. In fact, small and mid-sized businesses are typically most vulnerable to a possible cybersecurity breach, whether because there is a lack of attention paid to the potential risks, or a lack of technological or financial resources to insure against such an attack. However, a cyberattack on a small to mid-sized business could be crippling, and the potential exposures and losses — from a data breach to business interruption loss — could easily shut a business down.
Small to mid-sized businesses should not only evaluate or be advised of their potential risks for a cyberattack, but also should be made aware of the cyber insurance products available to them. In 2017, ISO released, for the first time, a standard cyber coverage form, called the Commercial Cyber Insurance Policy, which is particularly designed for small- to mid-sized businesses. The availability and the necessity of cyber insurance for smaller businesses will certainly change the landscape for both insureds and insurers alike.
Homeowners’ insurance and personal coverage
At the individual level, nearly everything in our homes and our daily lives can be interconnected and connected to the web, from your television, to your security system, to your HVAC and, even, your refrigerator or your car. This interconnectedness of all these things can make our lives easier, but they are also susceptible to hackers and expose individuals to risk of losses in their own homes due to a cyberattack.
Many insurance companies provide or are starting to provide some form of cyber insurance —both first-party and third-party liability — for homeowners and even automobiles. As this individual coverage becomes more common, the number of potential claims and exposures also will continue to increase.
As cybersecurity threat risks grow and evolve, the impact and importance of cyber insurance will be felt in almost every industry, and even in every area of legal practice. Attorneys representing businesses and individuals alike should be aware of their clients’ potential risk of a cyber event, and be prepared to discuss their cyber insurance needs.•
• Meghan E. Ruesch is an associate and a member of the litigation group at Lewis Wagner who primarily focuses on insurance coverage and reinsurance issues. The opinions expressed are those of the author.