Q: Should companies be as concerned about their privacy and intellectual property as they are regarding exposures for physical property and equipment? If so, why?
Stransky: Yes, particularly as laws around the world evolve, purchasing cyber insurance will become even more essential. Today, breach notification is required in all 50 states, and the associated costs of notification (forensics, credit monitoring, setting up a call center, and so forth) are insurable. In May 2018, the European Union’s General Data Protection Regulation (GDPR) took effect and requires even stricter notification if data on European citizens is lost or stolen. If a small business suffers a breach and doesn’t have cyber insurance, it’s very likely that the company will go out of business due to the costs associated with the breach.
Pai: If a company doesn’t have a policy already, I would highly encourage every business out there to consider cyber insurance coverage. Our society has become dependent on computers. Even a smartphone today has more storage and compute resources than the most powerful supercomputers of only 20 years ago. It’s difficult to imagine an industry not dependent on its IT resources. Small businesses are particularly vulnerable because they lack the staff and expertise to prevent and recover from cyber incidents.
Q: Is there such a thing as “cyber organized crime,” or are hackers mainly “lone wolf” individuals?
Pai: Absolutely, from my perspective, organized cybercrime exists. Social engineering and technical hacking go completely hand in hand for cybercrime. Petty criminals and gangs that have dealt in drugs and kidnappings have very likely realized they could take their talents to the cyber world for greater reward with less risk of getting caught. It appears to be quickly becoming the hottest crime industry.
Stransky: Sure, there are likely individuals sitting in their basements who hack for the glory and pride. We have seen reports that nations are involved in state-sponsored hacking. And yes, organized crime groups are also quite prevalent.
Q: Are hacking and/or data breaches covered by conventional property/casualty policies?
Stransky: Many in the industry refer to “silent cyber”—the possibility of having to pay out cyber-related losses under non-cyber policies. As we sometimes see in a non-cyber context, in the aftermath of an event, if an insured has a loss they may try to “find” coverage under various policies, even where not expressly addressed. In the cyber context, they may try to “find” coverage for cyber losses under their traditional non-cyber policies, such as (but not limited to) Errors & Omissions (E&O), Directors & Officers (D&O), Commercial Crime, or Commercial General Liability (CGL).
Pai: Many conventional P&C policies were designed before the advent of cyber risk. Just as Verisk/ISO does, insurers need to go back and evaluate how cyber risk may affect the provisions in policies they have out there.
Q: How seriously should companies be concerned about the exposure of their business partners?
Pai: Very seriously. From a cyber perspective, organizations should consider vendors part of their extended ecosystem. It’s key to provide incentives to your vendors to ensure good cyber posture. The Target hack showed us how cyber criminals first hacked into an HVAC vendor and then, when the vendor connected into the Target firewall, moved laterally through to the point-of-sale infrastructure from where they stole millions of records.
Q: Many businesses are moving their computing to the cloud. How vulnerable is the cloud to hacking?
Stransky: The big or most likely issue for the cloud isn’t about being hacked. Of greater concern is the potential business interruption that could occur if the cloud goes down. We saw Amazon Web Services’ multi-hour failure in February 2017 from a simple typo that an AWS employee made when trying to resolve a billing problem. Think about what a coordinated group of attackers could achieve. A failure by any one of several major cloud providers with large enough market share could lead to severe economic and insurance losses.