The saying “crime doesn’t pay” is intended to caution would-be criminals that the reward is not worth the risk. And for the most part, it’s true: The average act of grand larceny in 2013 netted about $1,260, according to the FBI. Conviction of grand larceny is punishable by up to five years in prison; with time off, most are out in 24 months.
That’s about $1.75 per day, which is really hardly worth it. With over one million larceny-theft arrests and a 93% conviction rate, it seems criminals subscribe to another idiom — that “hope springs eternal.” The lure of easy money and a belief in beating the odds have always been the driving forces behind acts of larceny.
Traditionally, larceny has been a hands-on crime: A thief shows up at a store or a bank with a gun and demands cash, and usually gets caught and ends up in prison. By contrast, non-traditional cyber criminals only rarely get caught — and when they do, they face a conviction rate of just 30%, which in most cases doesn’t result in jail time.
Understanding the Cyber Security Threat
In his opening statement to the Senate Judiciary Committee in 2011, the FBI’s assistant director of its cyber division laid out the cyber security threats facing the government and business. He advised the committee, “The threat has reached the point that given enough time, motivation, and funding, a determined adversary will likely be able to penetrate any system that is accessible directly from the Internet.”
The threat is far more expansive than the nightly news portrays with their breathless reporting of data breaches and potential identity theft. Reported identity theft schemes represented only 9.8% of cyber crimes in 2010. While the percentage has increased, it is still only a small fraction of cyber crimes against individuals and businesses.
The Many Faces of Cyber Crime
Like predators in the wild, cyber criminals rely on stealth to accomplish their tasks. But unlike wild animals, evidence of a cyber predator is not always immediately visible.
The reason is that not all cyber thieves steal tangible assets like cash, nor do all their crimes result in a quickly identifiable set of reactions like identity theft. Theft of intellectual property, such as trade secrets, often goes undetected until the effects are felt on a business’s bottom line. The theft of design specifications can result in not only loss of revenue, but loss of life, through the distribution of unsafe counterfeit products such as pharmaceuticals.
The need for stealth combined with technical know-how has created a new class of criminal software programmers who use their skills to create networks of compromised computers. They then use these networks to launch attacks and conduct a host of criminal schemes, from stealing funds to ransoming systems and manipulating supply chains. Botnets steal processing resources from businesses and, when detected, lead investigators to a dead end.
Some enterprising criminal programmers have added to the threat pool by building and selling botnet kits to less technically sophisticated criminals to exploit an ever widening circle of networks.
As these kits become more widely available, the threat to less lucrative small businesses increases thanks to criminal saturation. As with any business, cyber criminals are always on the lookout for new markets that are vulnerable to exploitation.
What is Cyber Insurance?
Cyber insurance, like cyber crime, is a catchall term that covers an array of threats.
Cyber insurance policies are offered in different configurations protecting against a range of risks. Since this branch of business insurance is less than 10 years old and the types of cyber threats are constantly evolving, there are no insurance industry-wide standards of protection.
Coverage varies a lot — not just from one insurer to another, but, in some cases, from one policy to another from the same insurance company. Even the name of the coverage may differ from one company to another. Whether it’s called ‘cyber-threat’ or ‘cyber-liability’ or some other variation, coverage may include some or all of the following threats.
In general, this refers to the unauthorized acquisition of digital information by third parties.
Data is any information that is stored on a computer or digital device, including personally identifiable customer information, financial data, trade secrets, manufacturing specifications, or other proprietary or confidential data. Policies may reimburse for:
- Expenses associated with managing the breach
- Cost to investigate the cause or source of the breach
- Repairing the vulnerability
- Informing affected parties
- Increased call management costs
- Credit checks and monitoring for affected customers
- Legal costs, including fines and court costs
Multimedia or Media Liability
This protects against damages that result from the loss or compromise of third-party information stored on your computers. This protection would cover liability for the recent celebrity photo hacking or the loss of other confidential client information. The coverage would pay for:
- Invasion of privacy damages
- Copyright or trademark infringement
- Unfair competition or conspiracy
- Defamation and emotional distress
- Breach of confidentiality agreements
- Negligent transmission of malicious code or computer viruses
Protects your business against losses resulting from cyber extortion, which is the threat to inflict harm or damage to digital systems. Coverage usually includes money paid to end the threat and the cost of investigating the cause of the threat.
Network Security Liability
Sometimes known as cyber or network privacy insurance, this coverage protects your business from a range of attacks that breach your network security. The damage from these attacks may not always include loss of data, but rather affect your ability to operate and include:
- Computer viruses and other malicious code
- Cyber terrorism
- Denial of service attacks
- Business interruption
- Data tampering
This is not a comprehensive list of available coverage because many policies are tailored to meet the needs of individual customers. There is also some overlap between cyber protections and other traditional forms of business insurance; however, an increasing number of insurance companies are adding cyber exclusions to other business insurance products in an effort to curtail their own losses.
Considering Cyber Insurance
Preparing to shop for cyber insurance should begin with internal information gathering, including a risk assessment that identifies what needs protection. For example, a patent attorney might not collect and store large amounts of customer credit card and other personal information, but would have large stores of trade secrets.
Determining what might be of interest to thieves is only part of the equation. Having an understanding of how the stolen information would be used — and the costs that would result if a breach occurred — are other components.
Unlike other types of business insurance, many cyber insurance providers underwrite each policy individually. That means you will be asked to not only tell the insurer what coverage you want, but to say what steps you have already taken to prevent a loss. Just as your auto insurance requires that your vehicle pass a state safety inspection, you will likely be asked to submit to a security audit to determine your insurability.
Preparing to meet the requirements of potential insurance carriers should include a thorough review of your business’s digital policies, procedures and protocols.
Your goal in reviewing each of these shouldn’t only be to acquire insurance, but to better secure your digital assets. After all, insurance may cover all of the financial costs of a breach, but it cannot restore customer trust in the integrity of your security.
Shopping for Cyber Coverage
The most important part of shopping for cyber insurance for your business is understanding that shopping by price is never a good idea.
There are several reasons why price should be at the bottom of your list of requirements, not the least of which is that, unlike other types of business insurance, a cyber claim will often mean having a close working relationship with your insurance carrier for an extended period of time. That is because an important part of cyber insurance is helping you manage the aftermath, which is why having an insurance company you are comfortable with is so important.
Your first step should be finding a broker with experience dealing with cyber insurance. An experienced broker will be able to guide you to companies that have greater experience with your industry and therefore will be better able to not only process your claims, but help you better secure your assets and avoid ever having to make a claim.
Their experience in dealing with risks similar to yours can go a long way to affording you valuable insights into better security; you’ll benefit from other businesses’ experiences.
An experienced cyber insurance broker will also be able to help you determine where your existing coverage will overlap with your new coverage and assist you in tailoring your new insurance for maximum protection.
The Claims Process
Settling cyber insurance claims can be a much more subjective process than processing a claim for fire-damaged equipment. Carefully review each of the provisions within prospective policies for definitions of what are considered reasonable expenses for defense of litigation and how breach remediation is handled.
Are you comfortable with the level of control the insurer will expect to assume in response to a claim? Who will determine the content and means of client communication regarding stolen data? What are your rights to request changes to claims procedures to meet your concerns?
The Bottom Line
Cyber threats are constantly evolving as criminals and other bad actors continually work to stay ahead of the security curve. No matter how complete your cyber insurance plan is, you should always consider it a backstop that is only there in case all else fails. The most valuable protection against cyber crimes is to educate yourself.