In the cases of Sony and Epsilon, for instance, the records of millions of customers were compromised. Sony has spent about $171 million related to the data breach involving its PlayStation Network and other online properties and is looking to its insurers to help pay for the losses.
It's hard to know, however, the effect of all of this on the insurance industry as the industry does not break out insured losses for cyber or network security coverages. It is unclear whether all of the companies and organizations that suffered data breaches even had cyberinsurance coverage. But there most likely will be some pretty big insured losses out there somewhere.
Rick Betterley, who is president of Betterley Risk Consultants in Sterling, Mass., and is a specialist in network risk issues, has given the question of insurability of network risk some thought and he worries that underwriters, no matter how good, are going to be outgunned.
He makes three points.
1. The attacks are evolving, incessant and are generated outside the companies.
Imagine for a minute that an arsonist was standing outside your home every day looking for an opportunity to burn your house to the ground. Most insurers probably wouldn't insure your home.
In some ways, network breaches may not be much different. Computer crime is a big business and the black hats are using automated botnets to help them achieve their objectives.
2. Insurers have to rely on the insured to manage its network defense and insurers have limited ways of measuring just how good those defenses are. How can an insurer know whether a prospective insured is a good risk?
3. Losses can accumulate quickly. Accumulation is what Betterley calls the "pink elephant in the living room." It's one thing to cover a loss for one company that suffers a breach. But what if a hacker finds a weakness in a widely used defense and breaches the defenses of hundreds if not thousands of companies?
At the moment, this dynamic hasn't discouraged insurers from offering network security policies. There are some 29 sources of insurance that make up the core of the network risk insurance market, according to the June 2011 Cyber/Privacy/Media Liability Survey from the Betterley Report.
Risk Analytics, based in Overland Park, Kan., is one company that is well aware of the challenges facing the cyberliability market and has developed some innovative solutions.
The company has been working to find ways to make companies better security risks, to improve their "cyberwellness."
In a discussion about whether network risk could remain an insurable risk, Brian Branner, managing director of Insurance Operations at Risk Analytics, said, "If you ask any underwriter out there, they really don't know what they're insuring. Underwriters have a fundamental problem of quantifying and qualifying risk."
While insurers may have an increasingly hard time assessing risks and avoiding big losses, risk management innovations that are in the pipeline may help make a difference.
PATRICIA VOWINKEL has worked for national media outlets for more than 20 years. She can be reached at firstname.lastname@example.org.
December 1, 2011
Copyright 2011© LRP Publications