
Why passing on cyber-risk insurance could be a big mistake

Insurance that covers data breaches and risk to consumers' personally identifiable information has been slow to catch on in the manufacturing sector. Here's why you might still need it.

A Jersey manufacturer of life science products fell for a phishing attack hook, line and sinker. But, as the company's accountant tells the story, it was the kind of scam that would have tricked almost anyone.

In spring of 2016, the manufacturer's head of human resources received an email from the CFO, asking her to open an attachment with instructions to compile a report that would include the W2 tax information of the company's 1,200 employees. Days after preparing and emailing the report, when she had not heard anything, she asked the CFO if he had received it. He replied, "What report?"

That's a story Anurag Sharma, principal of the accounting firm WithumSmith+Brown's cybersecurity practice, shares to support his pitch for why manufacturers should purchase cyber-risk insurance, also known as cyberinsurance or cyber liability insurance coverage.

A hacker spoofed the CFO's email address, leading the HR executive to believe she was actually communicating with a colleague, a scam that can befall even the most tech-savvy, Sharma said.

As the cyberinsurance industry wants to communicate to prospective customers, cleanup from a data breach is costly and complex, and no one is immune to an attack. The manufacturer, for example, had to hire a credit monitoring service to ensure the 1,200 employees' personally identifiable information (PII) wasn't illicitly used.

But between having faith in their cybersecurity programs -- and their employees' vigilance -- and thinking their industry isn't attractive to hackers because they don't deal with consumer PII, many manufacturers believe they don't need a cyber-risk insurance policy.

Whether they do or do not depends on whom you ask. Insurers, as one would expect, say manufacturers should strongly consider cyber-risk insurance because, even if the manufacturers are not handling customers' PII, they're storing employee PII, vendor data and their own sensitive financial and operational information. Moreover, insurers say, manufacturers are at risk of a breach-initiated industrial shutdown.

"If there's internet connectivity, and a hacker's only goal [is] system manipulation to cause injury or damage infrastructure, that type of loss would be focused on with cyberinsurance," said Rob Rosenzweig, a vice president and the national cyber-risk practice leader at Risk Strategies Company. "Even if a manufacturer has limited internet, it has to ask, 'Is that enough for a bad actor to cause damage?'"

But Gartner analyst John Wheeler tells manufacturers that have no consumer component to their businesses that they shouldn't rush to cyberinsurance because it is, in many ways, duplicative of current coverage.

"There's a lot of hype out there with cyberinsurance," Wheeler said.

Beyond the hype, insurers are carving out cyber-specific products from their standard policies as a way to increase business and downsize their share of risk, he added.

Most companies aren't publicizing, or even privately sharing, the details behind breaches from which they've suffered, so the insurance industry lacks the information needed to set standard coverage amounts. Insurers are instead underwriting policies on a case-by-case basis, asking companies to detail their security practices, and then crafting policies -- with limits and exclusions -- to cover the gaps.

The cyberinsurance industry is immature, Wheeler said, adding that, "The policies are conservative."

Cyber-risk insurance: Duplicative or proactive?

The Risk and Insurance Management Society found that 80% of 272 surveyed companies bought a stand-alone cybersecurity policy in 2016, and almost 70% of them transferred risk of cyberexposure to a third party.

It's difficult to pinpoint how many manufacturers have cyberinsurance, but many signs indicate they lag behind customer-facing companies in securing this specialized coverage.

Insurers believe that's because many manufacturers have a relatively low number of digital channels, in contrast with consumer-focused companies, which could have as many as thousands of digital entry points. Many manufacturers have only a website and one email domain, and they believe they don't face tremendous risk, leading them to decide cyberinsurance would only duplicate general liability coverage.

According to Wheeler, third-party cyber-risk insurance is designed to be a cost-recovery tool for consumer-related breaches, regulatory penalties from the mishandling of data, the cost of credit monitoring and post-breach forensic investigation, and, occasionally, payments for ransomware. But most of those areas can be covered with general liability policies. Also, third-party cyberinsurance provides limited coverage on the cost of damages incurred by an outside breach.

Rather than investing in a cyber-specific policy, Wheeler recommended that most manufacturers should strengthen their cybersecurity programs, and then closely review their general liability and property and casualty insurance for cyber-related event coverage.

But Rosenzweig urged manufacturers to think of cyberinsurance as a proactive policy that's akin to having an attorney on retainer. Cyberinsurance covers the costs of hiring the cyberexperts that manufacturers need to hire after a system compromise or the unauthorized disclosure of data.

"If you're a mid-market company, you might not have a chief breach officer, or you're outsourcing those duties," Rosenzweig said. "So it's all the more important to know what should happen when those incidents happen. There are so many moving parts to breach response."

Cyber-specific coverage also pushes risk off the balance sheet, he added.

Look under the policy's hood

Sharma of WithumSmith+Brown said upfront that the cyber-risk insurance industry is evolving and challenging.

"Each insurer handles it differently," he said. "There is no standard clause."

He recommends that manufacturers ask prospective brokers to list the cyber situations they cover, how much deductibles are and how much the insurer covers.

"Make sure the list of coverage is complete," Sharma said. "Make sure no clauses would lead to exposure for them, [causing] their claim [to] be denied."

If a manufacturer does consider cyberinsurance, Wheeler advised looking at not just product and coverage, but also under the hood. For example, insurers recognize that cyber-risk is so diffuse and complex that their policies cover breaches that specifically target an organization, but they don't cover an event that's caused by a widespread virus that hits many businesses.


What are your considerations for and against purchasing cyber-risk insurance?

Albert, before looking at cyber insurance, you firstly need to ascertain and understand what financial risks you are looking to transfer before you do the deep dive.

Only after this review are you able to weigh up the next steps in the purchasing process.

The considerations "for" far outweigh those "against" purchasing a well-written cyber liability policy. In short, such a policy will cover your first- and third-party expenses and keep you from running afoul of any state notification laws which levy fines for improper/untimely reporting. It may also allow you to determine your level of security in advance of a breach, help establish an emergency plan in the event of a breach, and pay for a PR firm's services as well as for forensic accounting and IT services. It may also give your customers, vendors and business partners some confidence knowing that in the event of a large breach you've transferred the risk so that your company's finances are protected and business will not be interrupted to any great degree. The argument against buying? You think that the damages from any breach will be less than the premium and deductible, and that you can identify, address and correct any damage done to your business systems. For any business that has internet connectivity, this insurance is a no-brainer.

Mr Wheeler's advice is poor and ill-informed. Every business should look at all aspects of risk transference when evaluating an organisation's business risk profile, including cyber.

Indicating that many organisational policies would cover cyber is false, and if they do, they are extensions to existing cover and are sub-limited and, in many cases, may not even respond to a cyber event due to loose definitions.

If a manufacturer is looking to purchase a cyber policy, it needs to be done by an expert in cyber, tailored to their specific business needs and shopped in the insurance market under an offer-and-acceptance approach.

Manufacturers are just as vulnerable to any cyber event, especially if they conduct business with third parties, upstream and downstream, not to mention if they have a SCADA environment.