By JONATHAN BERR, who has written for national media outlets for more than 15 years
Cyber risks have gone from obscure to top of mind in just the last few years. Aon Risk Solutions, for example, estimates that before 2008, it sold 1.5 policies for every 10 prospects interested in coverage against cyberattacks. Now, companies sell those policies to 4.5 out of 10 prospects, according to Kevin Kalinich, Aon's global practice leader for network risk insurance.
"We think it's a promising trend," he said.
However, these policies are proving to be a tough sell. A 2011 survey of risk managers by Towers Watson found that 73 percent of respondents had not purchased network liability policies. Most of those who bought the coverage bought between $10 million and $50 million in limits. Experts say more companies should buy these policies, particularly if Congress raises risk standards.
Regardless, companies continue their lax approach to cyber risks.
"I think we're seeing a lot of companies in the market right now that have a false sense of security and an overreliance on their own IT organization," said Larry Racioppo of the executive liability group in Towers Watson's brokerage business, in a press release. "Risk managers need to take a broader look at how they can manage the risks associated with cyberattacks from a corporate, financial and reputational standpoint."
Many companies do not purchase the coverage because they are under the mistaken belief that they are covered against hacking by their general liability policies. In fact, the opposite is true and insurance companies are seeking judgments from courts against their clients to declare these policies do not apply to cyberattacks, Kalinich said. These rulings are sought when there is a dispute between two parties about the terms of an insurance policy.
Data from the Department of Homeland Security shows that there were 86 attacks on networks that run critical infrastructure and factories in the five-month period between October 2011 and February 2012, up from 11 a year earlier.
Hacking incidents at retailer TJX and at Heartland Payment Systems in 2009 were well publicized and caused many companies to increase their spending on computer security. Concern has heightened lately because of the attacks carried out by the cybervigilante group that calls itself "Anonymous." The group has targeted the Vatican, among others.
Risk managers, however, need to view this data in context, experts said. "We don't think there has been an increase in attacks," Kalinich said, adding that companies are reporting more attacks because the law requires them to.
Insurance companies that underwrite network risk are also demanding that companies increase their vigilance against cyberattacks. Insurers will add exclusions to companies' insurance policies for things such as unencrypted laptops. Owners of gaming, social network and pornography sites are paying increased costs because the actuarial data shows they are more likely to get attacked than others.
"The coverage is getting more differentiated," said Kalinich.
Further complicating matters are two Congressional bills on network security standards. One bill, the Cyber Security Act of 2012, seeks to tighten security standards on so-called critical infrastructure. Critics argue that the act is vague on what is meant by "critical," and that the bill lacks sufficient legal protections for the insured entities. Companies are keeping a close eye on the debate over the bill.
"What if the infrastructure meets the Act's performance standards, and an attack happens anyway?" asks Gus P. Coldebella, former acting general counsel with the Homeland Security Department, in a recent blog post for The Hill. "Unwisely, the Act allows private-party damages claims against infrastructure owners, and though it purports to limit punitive damages, the limitation is weak."
The Cyber Security Act is sponsored by Senators Joe Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W.Va.) and Dianne Feinstein (D-Calif.). A rival bill introduced by Sen. John McCain (R-Ariz.) has raised the concerns of civil liberties groups because it "could dramatically expand the domestic reach of U.S. intelligence agencies," Reuters said.
March 27, 2012
Copyright 2012© LRP Publications