The cyber liability insurance market is likelyto morph in the near future as a result of the massive Equifax databreach, according to some industry executives.

|

It's too soon to tell just how many millions or even billions ofdollars insurers may have to shell out as a result of thissummer’s Equifax breach, which the company says impacted143 million people in the United States, Canada and the UnitedKingdom. But cybersecurity and insurance professionals say theimpact from this event will be lasting.

|

Historic cyber attack

Equifax revealed the cybersecurity breach on Thurs., Sept. 7,2017. The company said it discovered the attack, in whichhackers compromised a website application in order to gain accessto private consumer information, in July 2017.

|

"This is clearly a disappointing event for our company, and onethat strikes at the heart of who we are and what we do. I apologizeto consumers and our business customers for the concern andfrustration this causes," Equifax CEO Richard F. Smith said in apress release. "We pride ourselves on being a leader in managingand protecting data, and we are conducting a thorough review of ouroverall security operations. We also are focused on consumerprotection and have developed a comprehensive portfolio of servicesto support all U.S. consumers, regardless of whether they wereimpacted by this incident."

|

The company directed consumers to a dedicatedwebsite, www.equifaxsecurity2017.com,where individuals can investigate their potential exposure. Thesite also outlines a 5-step plan for how Equifax intends to bulk upits cybersecurity efforts.

|

Although Equifax carries cybersecurity, crime, generalliability, property and business interruption insurance,these policiesare likely insufficient to cover the company’s expenses related tothis breach.

|

Consider that Anthem agreed in June to pay $115 million tosettle class-action lawsuits stemming from its 2015 cyber breachthat may have affected nearly 80 million customers, and the pricetag on Target’s 2016 cyber breach is expected to top $450 millionby year’s end, accordingto Forbes. (Target reportedly carried $100 million incybersecurity coverage.)

|

Cyber insurance industry representatives say that the Equifaxcyber insurance program is carried by Marsh, with Beazley as theprimary carrier. Representatives from Beazley did not reply toemails requesting comment for this story.

|

Cyber liability wake-up call

Michael Born is vice president and account executive of theCyber Technology Practice atLockton Companies, based in Kansas City, Missouri. He said thisweek that many of his colleagues "have been waiting for this shoeto drop," or the arrival of a massive cyber breach such as this onethat has the likelihood of furthering the cybersecurity and cyberinsurance markets.

|

"Cyber insurance is a very soft market," Born said. "There are alot of new players, coverage is broadening, pricing is going down,and underwriting is getting a little looser … But I think you maysee that change."

|

Born said there are generally two stages in recovering from anycyber breach. The first stage is the initial impact of thebreach and the subsequent identity theft monitoring. This is theprocess in which Equifax is currently involved.

|

"The next part is a longer tale," Born said, "and that’s theliability portion."

|

Growing class actions

There will certainly be regulatory investigationsand class action lawsuits. These suits may comefrom consumers impacted directly as well as Equifax businessclients who relied on the company to safeguard employee data.

|

"We could see (cyber insurance) pricing change and underwritinggetting more stringent within the next couple of months," Bornsaid.

|

Cybersecurity executive Sidd Gavirneni concurred.

|

"Other recent attacks have had an impact on pricing for sure,"said Gavirneni, CEO and co-founder of Zeguro, a SanFrancisco-based cyber insurance MGA that providescybersecurity services. "The scale of the Equifaxbreach will lead to a higher demand for cyber insurance. Theusers whose data has been compromised will take this fear to workand to the businesses they run. Also, underwriters now have moredata to base pricing on."

|

The Equifax breach, he added, is a chance for agents and brokersto illustrate just how catastrophic a cyber breach can be forbusiness. This will be a chance to "provide customers with insightsinto why and how the Equifax breach happened, and help themunderstand the cyber risks their businesses face," Gavirneni said."Only then can they understand the real need for cyberinsurance."

|

Policy pricing impact

David Derigiotis is corporate vice president of the ProfessionalLiability Center of Excellence at Burns & Wilcox, a major NorthAmerican insurance wholesaler. He said the Equifax breach "will bethe largest, most financially draining cyberattack the world hasever seen impacting a single organization," and that the costsassociated with the event are likely to skyrocket.

|

"This data breach should drive continued cyber insurance growthwithin the P&C industry, causing organizations of all sizes toreevaluate their insurance and cybersecurity strategy," Derigiotissaid.

|

He was, however, skeptical about the idea that the Equifaxbreach will impact policy pricing.

|

"It is not just one insurance company covering the loss, it is atower of insurance companies involved providing financialventilation," he said. "There is so much interest in this spacethat there are any number of other insurance carriers to step inand provide coverage. A tremendous amount of capacity is availablefor Cyber Liability policies right now."

|

The greater lesson may be that no company, no matter how largeor sophisticated, is immune to a cyber breach.

|

"Knowing large-scale organizations have a difficult timerebounding from data breaches, smaller companies will not have achance," after a breach, and will not likely be able to sustainsuch an attack, Derigiotis said. "Brokers and agents can use(Equifax) as an example on how to better address cyber risks,including having the necessary resources and insurance coverage tosurvive an attack,"

|

IT hygiene

Dan Burke, vice president and Cyber Product Head at Hiscox USA,said any business that handles sensitive customer information onpart with the type of information that hackers accessed fromEquifax (names, social Security numbers, birth dates, addresses,driver’s license numbers and credit card information) must now bewell-aware of the important of information securityhygiene.

|

"Hackers are incredibly crafty at finding cyber security anddata vulnerabilities," Burke said. "To keep hackers at bay,businesses should aim to supplement technology protections bycreating a ‘human firewall,’ meaning all employees are trained andhave an awareness of the potential warning signs of an attack. It’smuch easier to hack people than the technology. Have the strategy,resources and processes in place before a hack occurs, in order toidentify a breach early and get back to business as quickly aspossible. This is still a major concern – for more than halfof US business, it will take two or more days to return to businessas usual after a large breach.”

|

Three other top cyber insurance carriers contacted for thisstory — Zurich North America, Travelers and Chubb— declined to comment.

|

Human resource issues

Tracey Malcolm, the Global Future of Work Leader for Toronto’sWillis Towers Watson, said the Equifax breach could spurorganizations to build cybersecurity into employee functions at every level.

|

"We are seeing organizations really have to get real about whatis the readiness of their cybersecurity workforce," Malcolm said."We’re seeing a shift in acquisition strategy” with morecorporations interested in both executives and employees whopossess a hybrid of business acumen and cybersecuritytraining."

|

Willis Towers Watson’s Cyber Pulse Survey conducted ealier thisyear found that while three out of four U.S. businesses believetheir organizations are safeguarded against a cybersecurity breach,there remains a disparity between feelings of preparedness and theincreasing number of cybersecurity incidents. To that end:

  • 79% of U.S. employees believes they have insufficientunderstanding of cybersecurity risks;
  • 45% spent 30 minutes or less on cybersecurity training during2016; and
  • 25% of U.S. employees received no cybersecurity trainingwhatsoever in 2016.

"As the world has seen with the proliferation of phishing scams,most recently highlighted by the global WannaCry ransomware attack,the opening of just one suspicious email containing a harmful linkor attachment can lead to a companywide event," Anthony Dagostino,head of global Cyber Risk at Willis Towers Watson, said in a pressrelease about the Cyber Pulse Survey. "However, there appears to bea disconnect between executive priorities around data protectionand the need to invest in a cyber savvy workforce through training,incentives and talent management strategies."

Complete your profile to continue reading and get FREE access to BenefitsPRO, part of your ALM digital membership.

  • Critical BenefitsPRO information including cutting edge post-reform success strategies, access to educational webcasts and videos, resources from industry leaders, and informative Newsletters.
  • Exclusive discounts on ALM, BenefitsPRO magazine and BenefitsPRO.com events
  • Access to other award-winning ALM websites including ThinkAdvisor.com and Law.com
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Elana Ashanti Jefferson

Elana Ashanti Jefferson serves as ALM's PropertyCasualty360 Group Chief Editor. She is a veteran journalist and communications professional. Reach her by sending an e-mail to [email protected].