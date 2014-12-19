| NEW YORK
NEW YORK Dec 19 Even as the Sony Corp
cyber attack laid bare the kinds of vulnerabilities that
typically drive companies to buy insurance policies, the lack of
a risk model for insurers means such protection is not always
easy to get.
Unlike earthquakes, tornadoes or even terrorism, there are
no existing models to calculate how much a so-called "cyber
hurricane," cutting across a swath of companies, could cost.
Without that, insurers cannot be sure how much risk they can
afford to underwrite.
At least two risk modeling companies, RMS and AIR Worldwide,
are trying to solve that puzzle, building a model that can help
gauge how much havoc - in dollars and cents - such cyber
breaches can cause.
"Everybody's being attacked at this point," said Scott
Stransky, manager and principal scientist at AIR Worldwide.
"We're hoping to change that game."
While high-profile attacks at retailers such as Target Corp
and Home Depot Inc this year have spooked
consumers, the devastating cyber attack on Sony hammered home
that plenty of damage can be done beyond stolen credit card
numbers.
"Sony has become a watershed event," said Kevin Kalinich,
global practice leader for cyber/network risk at Aon, a
consultancy and insurance brokerage.
The insurance industry has been banging the drum about the
breadth of cyber risk for 10 to 15 years, Kalinich said.
"Finally we've gotten their attention."
In a 2014 study, the Ponemon Institute and IBM found that
the average total cost of a breach in the United States was $5.9
million.
Major attacks can cost far more. The Sony attack could cost
as much as $100 million, according to one estimate. In August
retailer Target reported gross expenses of $148 million related
to a December 2013 breach.
A 2014 McAfee study estimated cybercrime cost the global
economy anywhere from $375 billion to $575 billion annually.
The United States is largely a mature insurance market, with
coverage for cars, homes and other risks common. But cyber is a
new frontier for insurance companies looking to grow. While
estimates vary widely for how many U.S companies carry policies
for such risks, the data suggests room for growth.
A 2013 survey from insurance industry data company Advisen
and insurer Zurich found 52 percent of companies say they
purchase at least some cyber liability coverage.
However, a Fortune 1000 survey that same year from insurance
broker Willis found a far lower number, at only 6 percent,
though Willis noted cyber coverage is likely under-reported.
Part of the problem with figuring out who's protected
against a breach is the same as figuring out how to protect them
in the first place: No one wants to talk about having been
hacked.
It's unlike, say, with typhoons, for which there is readily
available data stretching back decades. There is no such record
for cyber attacks, and data is the lifeblood of modeling.
"Getting the historical data for cyber is a huge challenge,"
AIR's Stransky said. The firm is developing a model that it
hopes to bring to market within "much sooner" than five years,
although he would not say how much sooner.
Another speed bump: The constantly evolving nature of cyber
attacks. Because hackers are constantly devising new ways to get
into systems - from basic social engineering like guessing
simplistic passwords to sophisticated viruses - any risk model
must be dynamic.
A completed model could potentially do something no one
seems able to figure out: understand what a cyber event might
look like across not just one company, but, as with a
large-scale weather event, across many companies or industries.
That possibility comes ever closer to reality. A breach at a
major cloud provider, for example, could sow disaster among
hundreds or even thousands of companies.
RMS is talking to insurers with an eye to developing a model
that can start gauging probabilities of widespread attacks as
early as next year, said Andrew Coburn, a senior vice president
with the firm.
A working model, he said, could help insurers feel more
confident in underwriting more of this kind of risk.
"They've been writing relatively low limits," he said. "It's
an issue that the insurance industry needs to grapple with."
(Reporting by Luciana Lopez; Editing by Jennifer Ablan and Dan
Grebler)