[Image: Hurricane Andrew at peak strength on Aug. 23, 1992. Credit: Wikimedia Commons.] Breach forecasters predict that a month-long outage of the Amazon cloud would be the cyber equivalent of Hurricane Andrew.

The suspected North Korean hackers who penetrated Sony’s computer networks last year could have cost the movie studio $100 million in losses. Instead, Sony only had to pay out about one-third of that. That’s because Sony had purchased cyberinsurance, a growing but little understood segment of the multibillion-dollar global insurance market that is changing how companies approach data security.

Sony is not alone. Almost all Fortune 500 companies now hold cyberinsurance policies from a range of carriers, including American International Group, Liberty Mutual and Travelers. The cyberinsurance market is expected to grow from about $2 billion this year to $10 billion by 2020, according to ABI Research. Policyholders are typically indemnified against claims arising from cyberattacks, and the policies often require insured companies to follow prescribed practices, such as regularly changing passwords, compartmentalizing data and scheduling recurring phishing tests.

“It’s going to explode,” Michael Kaiser, executive director of the National Cybersecurity Alliance, said of the industry. “The same way people need to have liability for all things in their workplace, they’re going to need cyberinsurance as well.”

Nine out of 10 board directors and officers at publicly traded companies believe businesses should be held liable if they fail to make “reasonable efforts” to secure customer data, a survey released Thursday by Veracode showed. What constitutes “reasonable efforts” depends on each situation, according to provisions previously laid out by the Federal Trade Commission, but it’s already clear that clients will need to meet certain requirements in order to receive a full payout.

Disaster Modeling

Hackers are the new hurricanes -- at least from an underwriter's perspective. Carriers are trying to predict clients' financial losses with the same kind of catastrophe models they have used for generations to forecast damage from natural disasters.

AIR Worldwide is a risk-modeling firm that works on behalf of more than 400 insurance and reinsurance companies, estimating how much their clients will lose annually given the probability of a major data breach. Just as they can reasonably estimate the damage from a hurricane slamming into the Jersey Shore, they can model a cyberattack that cripples a municipal electrical grid.

“For the property side, we’d look at if you have hail resistant roofing, meaning less damage,” said Scott Stransky, principal scientist at AIR Worldwide. “For the cyber side, maybe your stolen records are encrypted, and now they don’t really have value to hackers. On the other side, maybe you have a lot of employees who tend to go on social media a lot more than employees in similar companies…you’re going to open up more social media attacks.”

One scenario that AIR's Stransky described as the cyber equivalent of Hurricane Andrew, which killed 65 people and caused $26 billion in damage (1992 dollars), is a monthlong attack on the Amazon cloud.

“If it were to be taken down, and it is a trophy target for hackers, you can imagine tens of thousands of companies having downtime all at once,” he said. “Hurricane Andrew was a powerful hurricane that destroyed houses all along a small location. It’s a huge aggregation risk; small banks to large retailers from the U.S. and Germany and China and from all over the place would all suffer business interruption.”

Most cyberinsurance policies cover business interruption.

Reducing Breach Fallout

Cyberinsurance policies have grown by 30 percent each year since 2013 at Beazley, an international insurer, according to U.K. focus group leader and underwriter Paul Bantick. “If you’re a large company in the U.S., you’ve either bought an insurance policy, or you’ve looked at one,” he said. “And now middle market and smaller organizations are realizing they have exposure.”

Policies can cover an array of business costs, from regular security updates to notifying affected customers and cleaning up (or at least mitigating) the inevitable public relations disaster. Many plans also cover cyberextortion, in which a business pays a ransom, often in the thousands of dollars, to regain access to its own data, along with the new strains of malware behind such attacks, which are now more prevalent than ever.

“Five years ago we were talking about lost laptops, lost backups and rogue employees,” said Bantick, adding that now cyberextortion is fairly common.

Sony Pictures had a $60 million cyberinsurance policy with Marsh Insurance before the company was shredded by the hack that was later blamed on North Korea, leaked documents show. The data breach fell “well within the bounds of insurance” and the cost “shouldn’t be anything disruptive to our budget,” CEO Michael Lynton told Reuters in January. Various experts have pegged the loss at $100 million, and Sony said in March it would need to pay $35 million out-of-pocket to restore its financial and IT systems.

Your Insurance Company Is Hiring Hackers (Almost)

Carriers aren’t waiting to get behind a company’s firewall before deciding whether to offer insurance. Instead, they’re contracting firms that observe, from outside the network, how long a malware infection or distributed denial-of-service attack torments an applicant. Watching how quickly the company detects and cleans up the problem helps the would-be insurer assess the applicant’s security posture, and thus the financial risk of enrolling that company.

“If you see a particular botnet on a network on one day and then it’s gone the next day, that means the company was infected but they dealt with it effectively,” said Ira Scharf, general manager for worldwide insurance at BitSight Technologies, which works with AIG, ACE, OneBeacon and a range of others. “Other times we see on a network a particular virus, and it’s there one day and it persists for 50 or 60 days, and then you know the company doesn’t have the sophisticated procedures in place to detect or mitigate the problem.”

BitSight has a database of at least 33,000 companies and rates them on externally observable signals such as SSL certificate configuration, spam activity originating from the company’s address space, anti-phishing measures and thousands of other factors. (The company says it does not perform penetration tests or the intrusive techniques favored by hackers and intelligence agencies.)
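The logic Scharf describes, an indicator seen on a company's network for one day versus one that lingers for 50 or 60 days, is a dwell-time calculation over external sighting telemetry. The following is an added example, not BitSight's code or data: it takes constructed sighting records (company, indicator, day observed), merges sightings into infection episodes while tolerating a missed day of telemetry, and reports each company's longest dwell time. The gap tolerance (`MAX_GAP_DAYS`) and the rating thresholds in `rate_response` are assumptions chosen for illustration, not any insurer's actual scale.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample telemetry: (company, indicator, day the indicator was seen
# on that company's address space). Invented records for illustration only.
SIGHTINGS = (
    # Seen two days, then gone: infected, but dealt with quickly.
    [("acme-bank.example", "botnet-A", date(2015, 3, 1) + timedelta(days=d)) for d in range(2)]
    # Seen every day for 55 days: nobody detected or removed it.
    + [("bigretail.example", "virus-B", date(2015, 1, 10) + timedelta(days=d)) for d in range(55)]
    # Two separate infections with the same indicator, weeks apart.
    + [("coop.example", "botnet-A", date(2015, 3, 1) + timedelta(days=d)) for d in range(3)]
    + [("coop.example", "botnet-A", date(2015, 3, 20) + timedelta(days=d)) for d in range(2)]
    # A missing telemetry day in the middle (seen 5, 6 and 8 Feb) is still one episode.
    + [("ispmail.example", "spam-C", date(2015, 2, 5)),
       ("ispmail.example", "spam-C", date(2015, 2, 6)),
       ("ispmail.example", "spam-C", date(2015, 2, 8))]
)

MAX_GAP_DAYS = 3  # assumed: sightings at most this far apart belong to one episode


def episodes(sightings, max_gap=MAX_GAP_DAYS):
    """Group each (company, indicator) pair's sighting days into contiguous episodes.

    Returns {(company, indicator): [(first_seen, last_seen), ...]}. Sightings
    separated by at most `max_gap` days are merged, so a day of missing telemetry
    does not split one infection into two.
    """
    seen_days = defaultdict(set)
    for company, indicator, day in sightings:
        seen_days[(company, indicator)].add(day)

    result = {}
    for key, seen in seen_days.items():
        ordered = sorted(seen)
        runs = []
        start = prev = ordered[0]
        for day in ordered[1:]:
            if (day - prev).days > max_gap:
                runs.append((start, prev))
                start = day
            prev = day
        runs.append((start, prev))
        result[key] = runs
    return result


def dwell_days(first_seen, last_seen):
    """Inclusive length of an episode in days."""
    return (last_seen - first_seen).days + 1


def max_dwell_by_company(sightings, max_gap=MAX_GAP_DAYS):
    """Longest infection dwell time observed per company, in days."""
    worst = defaultdict(int)
    for (company, _indicator), runs in episodes(sightings, max_gap).items():
        for first, last in runs:
            worst[company] = max(worst[company], dwell_days(first, last))
    return dict(worst)


def rate_response(days):
    """Map the longest dwell time to a coarse response rating (assumed thresholds)."""
    if days <= 7:
        return "effective"
    if days <= 30:
        return "slow"
    return "ineffective"


if __name__ == "__main__":
    for company, days in sorted(max_dwell_by_company(SIGHTINGS).items()):
        print(f"{company:20s} longest dwell {days:3d} days -> {rate_response(days)}")
```

The gap tolerance matters more than it looks: sinkhole and passive-DNS feeds routinely miss days, and without it a single long-lived infection would be scored as several short, "effectively handled" ones. The same grouping applies unchanged to any daily indicator feed, not just botnet sightings.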

If You Know About It, You Better Fix It

Target’s 2013 data breach cost the company $248 million, only $90 million of which was offset by insurance. One likely reason: the malicious software lurking on point-of-sale registers at every U.S. location was a known threat months before the breach was discovered. Home Depot later reported $43 million in expenses after it was hit with a strain of malware similar to the one used against Target; insurance covered only $15 million.

Companies like T-Mobile will also need to take it upon themselves to ensure that partners like Experian, where a data breach exposed personal information on 15 million T-Mobile customers, are adequately prepared. Third-party vendors often serve as the entry point for an attack on a much larger, better-prepared organization.

“Cybersecurity is much more complex than something like fire safety, where you can do an inspection and check for the proper equipment,” said Chris Wysopal, co-founder and chief technology officer at Veracode. “If you’re a truck delivering something to a business, there’s a certain standard of due care. And now organizations are going to start pushing back on supply chains if their software providers or third party vendors are liable.”

The bottom line: Insurance against cyberattacks is becoming the rule -- rather than the exception -- in corporate America. Credit the hackers with starting a new growth industry.