Advisen: What do you see as the greatest cyber risks today?
Tim Francis: Frankly, the greatest risks today are similar to those that we have seen over the past few years, which is to say, that companies are not protecting data to the degree that they should.
However, that really only underscores the degree of difficulty inherent in cyber security, as companies have not been idle and ignoring cyber security. To the contrary, we are largely seeing our insureds adopting better cyber security policies and procedures, but unfortunately we are also seeing those trying to gain access to data and systems adopt more sophisticated tools and techniques, as well. Whether it’s hackers attacking a retailers’ point-of-sale systems to obtain credit card and banking information to Distributed Denial-Of-Service (DDoS) attacks, or cyber extortion, yesterday’s protection methods may not be adequate against the threats of today.
Advisen: What will the greatest threats be in 5 years’ time?
Tim Francis: That’s hard to say. From an insurance standpoint, the cyber insurance market has evolved very quickly and coverage and services offerings change rapidly. That’s not surprising, given the pace of change within the technology industry and how companies adopt that technology to communicate with customers and employees and generally to run their businesses.
As just one example, it is now fairly common for companies to allow employees to use their own mobile devices for business purposes or what is referred to as Bring Your Own Device (BYOD). Given that these devices may not be as tightly protected as employer owned technology and that the sophistication and capabilities of the devices is very broad compared to the technology of just a few years ago can lead to more points of vulnerability for data or system compromise. As companies adopt new technology they need to both understand the opportunities such technology presents as well as the threats.
Advisen: Is the insurance industry doing enough to adequately address these risks?
Tim Francis: Cyber threats are continually evolving, and companies need to take a hard look at their business and commit to protecting it.
The insurance industry is moving very quickly to offer policies that evolve as fast as the threats evolve.
More education is needed to help businesses understand how to protect against this threat and transfer their risks. Initiatives like the Department of Homeland Security’s National Cyber Security Awareness Month, which is recognized in October, can help.
To help educate business owners about the growing number of cyber threats, Travelers offers various resources to the public, as well as a variety of tools for its commercial customers to help tailor their cyber protection to the specific needs of their businesses. To learn more about cyber risks, Travelers is pleased to provide many online tools, including a public portal, a website offering general tips and a separate tool, Travelers eRisk Hub, available to policyholders.
Advisen: What keeps you awake at night?
Tim Francis: The idea that companies today would go without cyber insurance—not understanding the gravity of going without coverage. Just as companies wouldn’t go without an insurance policy to protect themselves from a fire, they shouldn’t go without protecting themselves from cyber risks.
When it comes to cyber crime, criminals do not discriminate. While retailers and financial institutions gain significant media attention from data breaches, Travelers’ claims data indicates that other industries also are regularly targeted for cyber-attacks, including professional services firms and educational institutions.
And, while many of the headlines about cybercrime tend to be about attacks at large firms, The Ponemon Institute’s “2014 Cost of Data Breach Study: United States” found a company with less than 10,000 records is more likely to be hacked than a firm with more than 100,000 records.
With this in mind, companies like Travelers offer specialized cyber coverage to address a wide range of risks associated with different sizes and types of businesses.
Among the expenses a policy might cover include the cost of conducting forensic investigations and litigation expenses associated with breaches. Coverage may also include regulatory defense expenses, crisis management expenses, business interruption support, and cyber extortion and access.
Advisen: In your opinion, what is the single most important cyber risk development in the past 12 months?
Tim Francis: The impact of breaches. A solitary data breach might seem at first glance like an inconvenient, but wholly manageable, business exposure.
But, recent studies show that a single data breach typically results in about 29,000 breached records, which cost roughly $201 each. That’s a whopping $5.85 million for the cost of the average single data breach.
In addition, there are “costs” that go beyond immediate expenses that are associated with data breaches, too. The loss of customer trust and damage to a brand’s reputation are not easily accounted for initially, but they can lead to significant financial losses over time.
Working with an agent or broker who understands not only cyber threats, but the exposures related to your specific industry can mean the difference between having to spend a fortune to put your company back on the right track after a cyber incident.