Unlike earthquakes, tornadoes or even terrorism, there are no
existing models to calculate how much a so-called "cyber hurricane,"
cutting across a swath of companies, could cost. Without that,
insurers cannot be sure how much risk they can afford to underwrite.
At least two risk modeling companies, RMS and AIR Worldwide, are
trying to solve that puzzle, building a model that can help gauge
how much havoc – in dollars and cents – such cyber breaches can
cause.
"Everybody's being attacked at this point," said Scott Stransky,
manager and principal scientist at AIR Worldwide. "We're hoping to
change that game."
While high-profile attacks at retailers such as Target Corp and Home
Depot Inc this year have spooked consumers, the devastating cyber
attack on Sony hammered home that plenty of damage can be done
beyond stolen credit card numbers.
"Sony has become a watershed event," said Kevin Kalinich, global
practice leader for cyber/network risk at Aon, a consultancy and
insurance brokerage.
The insurance industry has been banging the drum about the breadth
of cyber risk for 10 to 15 years, Kalinich said. "Finally we've
gotten their attention."
In a 2014 study, the Ponemon Institute and IBM found that the
average total cost of a breach in the United States was $5.9
million.
Major attacks can cost far more. The Sony attack could cost as much
as $100 million, according to one estimate. In August retailer
Target reported gross expenses of $148 million related to a December
2013 breach.
A 2014 McAfee study estimated cybercrime cost the global economy
anywhere from $375 billion to $575 billion annually.
The United States is largely a mature insurance market, with
coverage for cars, homes and other risks common. But cyber is a new
frontier for insurance companies looking to grow. While estimates
vary widely for how many U.S. companies carry policies for such
risks, the data suggests room for growth.
A 2013 survey from insurance industry data company Advisen and
insurer Zurich found 52 percent of companies say they purchase at
least some cyber liability coverage.
However, a Fortune 1000 survey that same year from insurance broker
Willis found a far lower number, at only 6 percent, though Willis
noted cyber coverage is likely under-reported.
Part of the problem with figuring out who's protected against a
breach is the same as figuring out how to protect them in the first
place: No one wants to talk about having been hacked.
That is unlike, say, typhoons, for which there is readily
available data stretching back decades. There is no such record for
cyber attacks, and data is the lifeblood of modeling.
"Getting the historical data for cyber is a huge challenge," AIR's
Stransky said. The firm is developing a model that it hopes to bring
to market "much sooner" than five years from now, although he would
not say how much sooner.
Another speed bump: The constantly evolving nature of cyber attacks.
Because hackers are constantly devising new ways to get into systems
– from basic social engineering like guessing simplistic passwords
to sophisticated viruses – any risk model must be dynamic.
A completed model could potentially do something no one seems able
to figure out: understand what a cyber event might look like across
not just one company, but, as with a large-scale weather event,
across many companies or industries.
That possibility comes ever closer to reality. A breach at a major
cloud provider, for example, could sow disaster among hundreds or
even thousands of companies.
RMS is talking to insurers with an eye to developing a model that
can start gauging probabilities of widespread attacks as early as
next year, said Andrew Coburn, a senior vice president with the
firm.
A working model, he said, could help insurers feel more confident in
underwriting more of this kind of risk.
"They've been writing relatively low limits," he said. "It's an
issue that the insurance industry needs to grapple with."
(Reporting by Luciana Lopez; Editing by Jennifer Ablan and Dan
Grebler)
© 2014 Thomson Reuters. All rights reserved. This material may not be
published, broadcast, rewritten or redistributed.