Cybercrime is costing the global economy nearly half a trillion dollars a year, according to the insurer Allianz. It's a major threat to businesses, which are looking for ways to protect themselves. One option is cybercrime insurance.
Mark Patterson found out the hard way that firewalls and anti-virus software are no longer enough protection for a small business. Cybercrooks hacked into the email system of PATCO, Patterson's construction company in Sanford, Maine, and ordered money transfers from its bank account.
"Over the period of five consecutive nights, excluding weekends, $100,000 a night had been taken out of our checking account, and we were down about $545,000," he recalls.
Patterson's bank refused to reimburse him. He sued and finally won, but legal costs ate up most of what the bank paid. After that experience, Patterson boosted his security and bought cybercrime insurance.
But most companies aren't insured for cybercrime losses. In fact, only about one in five is. However, Chris Arehart, a vice president and cybercrime specialist at Chubb Group of Insurance Companies, says demand is now booming.
"We have interest every day on this emerging topic, and it really has taken the world by storm," Arehart says.
Computer Hacking And Old-Fashioned Cons
Chubb has added some cybercrime elements to its commercial crime policies over the past decade, and recently it added coverage for something called social engineering fraud, which, Arehart says, often combines computer hacking and an old-fashioned con.
"They may begin by researching online, using the wealth of information that we all share, to determine an appropriate mark within the company. They build up a pretext, a story that's as varied as the imagination of the criminal," he says.
Cybercriminals often penetrate a company's computer and email systems, and for a year or more watch and plan their attack. Then they strike.
One scenario might involve a fraudster impersonating a top company officer in Asia calling a lower-level, U.S.-based employee. The fraudster knows the employee's boss' name — and knows the boss is away — and asks the employee to handle an urgent, emergency wire transfer.
Cybercrimes like these are growing at an alarming rate, according to the FBI. Cyberfraud insurance can help protect companies from those losses.
But it's not a silver bullet, says Garrett Droege, who runs TechAssure, an association of companies that offer cybercrime insurance. Part of the problem, he says, is that many policies don't cover the latest scams.
"Unfortunately, there's a lot of 'gotchas' in this type of policy, just because it's evolved so quickly and the insurance companies are having a hard time innovating fast enough to keep up with the risks," he says.
Risk Isn't Well Understood
A company looking for coverage, Droege says, first needs to figure out its cyberrisk profile, then put protections and protocols in place and educate its workers. In fact, companies may not even be able to buy insurance unless they have that all in place, says Arehart, with Chubb Insurance.
"We're looking for companies that have strong controls in the first place, and then strong cultural controls that would prevent this type of fraud from making it past the first phone call or the first email that hits the company's computer systems," Arehart says.
Insurers are being selective because the ultimate risk they're taking is not well understood, Droege says.
"Traditional insurance is based on sometimes hundreds of years of historical data," he says. "They can look back, see where the losses came from, and they price accordingly. Where cyber, the market's still very, very juvenile."
Because criminal hackers are so proficient and because computer systems are so central to business, some analysts predict insurers could soon face catastrophic losses. But Droege says the industry has to step up.
"We don't have a choice as an industry. We have to figure it out," he says. "If the cyberrisk is so pervasive today, think, 10, 20 years into the future, when we're even more reliant on technology. Businesses cannot afford to deal with these things by themselves."