December saw a truth-is-stranger-than-fiction dramedy acted out on the world stage. A November hack on Sony Pictures Entertainment threatened to engulf not just all of Sony Corp., but companies and businesses far downstream. That has implications for all sorts of businesses, including your clients’—and yours.
At midyear, North Korea announced its displeasure with the comedy “The Interview,” which involved a plot to assassinate Kim Jong Un. Then hackers hit Sony Pictures and stole sensitive information like employees’ Social Security numbers and health records, destroyed data and kept Sony offline for days.
The hack got a lot of airtime, but just a few months ago it was JPMorgan in the news after Russian hackers gained access to the company’s systems and lurked there for three months, pulling data on customers, accounts and more.
The sophistication of the JPMorgan hack was alarming, but didn’t grab headlines like Sony, even though it was among 13 financial institutions targeted by what authorities believe were the same hackers.
More companies carry cyber insurance than terrorism coverage, but sometimes the line blurs between the two. In addition, a true furor erupted at the end of 2014 when Congress allowed the Terrorism Risk Insurance Act to expire. The act has since been renewed.
According to Kevin Kalinich, global practice leader of network risk and cyber insurance at Aon Risk Solutions, losses from cyber terrorism “can be much more than offering credit monitoring or redoing the credit card of a consumer.” Furthermore, “the results of those exposures could be much more catastrophic than notifying consumers of retail [leaks],” said Kalinich. He cited a December cyber attack at a German factory where hackers took control of a blast furnace that then could not be shut down. “What stops a malicious attack from having that kind of effect on any kind of business?” Kalinich asked.
Okay, so your advisory firm isn’t a blast furnace. But you’re downstream from banks and other financial institutions that have been, and likely will continue to be, targets. In January, Morgan Stanley fired an employee who it said stole information on thousands of its wealth management clients. The employee, allegedly looking for a buyer for the stolen information, posted details on 900 of those clients online in December; it was discovered during a routine scan.
If data were stolen with an eye toward controlling a company or the supply chain, terrorism coverage, rather than cyber coverage, may be what is needed. But finding coverage is hard.
Aaron Davis, managing director of operations and property practice at Aon Risk Solutions, said catastrophic balance sheet protection for many companies is tight. “It’s a very, very tough risk to place compared to appetite, even with TRIA in place.”
Kalinich said a cyber policy is intended to cover unauthorized privacy and security incidents, but most have exclusions for war and terrorism. In the absence of terrorism insurance, “if you shop around to different carriers,” he said, “you can negotiate to carve back the terrorism exclusion” so that the policy includes that coverage.
So how can companies, yours included, better protect themselves—particularly in the absence of terrorism insurance? Kalinich said that first, “even before you get to insurance, entities need to take inventory of their assets, [both] tangible and intangible, such as information, trade secrets, intellectual property. How could these assets be impacted? What would happen if there was a breach or shutdown or extortion? Categorize assets and prioritize [them] in value.”
Second, companies should check their existing policies for coverage. Underwriting is complicated for terrorism risk, even with a TRIA backstop. “This is an important issue that has not been addressed,” Kalinich said. “Now companies are becoming aware that cyber terrorism can affect mainstream companies.”
An enterprise risk management policy could be the answer. The issue itself is at the macro level, he said—a board of directors issue, a fiduciary issue—and there are no one-size-fits-all answers.