Graffiti across from the Supreme Court in Manila, Philippines. Photo by Elizabeth Jenkins from September 2013 courtesy of Flickr Creative Commons.
When Target’s consumer data on more than 100 million customers was hacked, the attack was estimated to cost the company $61 million. But after a return from its cyber liability insurance protection, the publicly traded retailer put the net loss at closer to $17 million. Still a big loss, but a far smaller one.
One we’ll hear more about, as academics are having trouble keeping track of how quickly the losses in productivity, intellectual property and other areas are mounting as the growth of cyber attacks on business quickens.
Since 2005, cyber attacks have grown by more than 300 percent, according to the Identity Theft Resource Center, and the total jumped by a third from 2012 to 2013. It has thrust the idea of digital theft protection into business meetings across the country — because small businesses are getting hit hard too.
Even before this hit wider understanding, one local insurance broker spun out his own cyber liability agency Morris Risk Management from his father’s 50-year-old Huntingdon Valley insurance business.
Austin Morris Jr., smiley and fit, with the firm handshake of a hobbyist outdoorsman, has taken to attending Philly tech events over the last year, quietly learning about the data-hungry businesses that are an anchor of the region’s innovation economy.
“Like with any new threat, there’s a lot of resistance to thinking about how dangerous it can be,” Morris said over lunch last month. Most general liability insurance policies won’t have any clauses about a loss of IP due to a cyber attack, hacking or staff error, he said. That would have to come out of pocket and could easily bankrupt a company, he said.
He isn’t the only one saying so.
“Cybercrime is the biggest criminal activity in the world and it only continues to grow,” said Rick Phillips, the vice president for ‘Compute Solutions’ at Weidenhammer, the 200-person strong IT consulting firm headquarted in Reading and with a half-dozen satellite offices including one in Wayne. The firm works with clients on cybersecurity and related threats.
Of course, there’s a counter to the growing cybersecurity industry: that it’s built on fear mongering.
Tell enough people that their business is at risk enough times because of dark, unknowable forces and you’ll no doubt build a new industry. Still, likely some standard for cyber protection is going to shake out, just like certain retail shops have become accustomed to security guards and armored car pick ups. It’s a hedge on what may never come, but the threat isn’t all snake oil.
"Cybercrime is the biggest criminal activity in the world"
What is becoming clear is that the growing vulnerability of technology businesses that have very few other traditional risks is with a breach in security. Morris is betting that what he’s selling will become a necessary addition to any business protection strategy for a modern venture.
That’s why cybersecurity is growing, from the anti-spam software sector to government consultants to, yes, insurance brokers. IT firms like Weidenhammer do agree cyber insurance will likely become more common.
“Standard property policies don’t cover data loss or the cost of recovery. Cyber policies can cover the cost of downtime and recovery efforts and essentially help mitigate the profit losses that security breaches can bring upon you,” said Phillips, the Weidenhammer VP, in a statement for Technical.ly Philly. “Cyber insurance may be a consideration just to cover the cost of notification of breach to your customer and suppliers – even if your non-disclosure agreements don’t state notification is required. You want to protect your brand and reputation and that comes at an expense to the bottom line should an event occur.”
Like with any other form of insurance, business owners estimate the level of protection they’ll need — to clean up a breach, repair any branding, cover loss of contracts and the like — and pay a premium for that protection. The rates, then, vary widely, Morris said.
Morris, who is an old hand in cybersecurity issues, having built a career as an IT executive for large regional businesses that spend a lot of time worrying about those risks, recites a popular story among those in his field.
“There are two kinds of businesses today,” he said. “Those who have had a cyber attack, and those who don’t know they’ve had one yet.”