Cyber Risk Discovers Insurance Infrastructure
It seems like we get alerted of another data breach or other cyber incident every week. These incidents have gone beyond what we expect. It’s more than the retailer or the online store. We are seeing hospitals, cities, and more becoming victims of cyber incidents. The latest one that has come across my screen came from what you might think of as an unlikely place, the National Association of Insurance Commissioners (NAIC).
I get it. Your first thought is what in the world would hackers want with NAIC data? If insurance is boring by nature (which it isn’t, but some people think so), insurance data has got to be even more boring, and worth a whole lot less than personally identifying information that someone might get somewhere else. That’s where we have to change our first assumption. Sometimes a cyber incident isn’t about how much can someone make from the data they receive. Sometimes it’s about how widely can we disrupt the operations of a business, a sector of businesses, or the larger economy.
Cyber risk is operational risk
We tend to think about cyber issues in the vein of how much information was taken, what will it be used for, and how does it really impact me. But there’s more going when the cyber incident happens. Immediately following any cyber incident, the victim takes their system down, making it difficult, if not impossible for them to do their business. Think about this in the context of the NAIC. What is their business?
The NAIC is an organization of all of the insurance commissioners of all of the jurisdictions in the United States, no matter what their actual title is, or if they are elected or appointed to that office. Their business is nothing less than the general regulatory climate in the US. They come up with model laws for the states to consider to address new and evolving risk. They aggregate certain data throughout the insurance industry. They are instrumental in other organizations’ ability to rate insurance companies, and feed data to credit rating bureaus.
When their system was breached, all of that work was halted. Organizations like AM Best weren’t able to rely on NAIC data to update any ratings they might have been working on. Kroll Bond Rating Agency (KBRA), which issues bond ratings related to certain investments insurance companies purchase, suspended their data feed to NAIC until everything surrounding the breach can be understood and mitigated. Investment ratings are a part of regulating the financial solvency of insurance companies, a major part of the work that insurance departments do.
Not all “sensitive data” are PII
We have heard from NAIC that they do not believe that payment data, or other non-public rating data was breached. They believe that the breach was limited to publicly available financial reporting information and potentially outdated logs and their system configuration information. In this case, it doesn’t appear that the criminals were looking for personally identifiable information. They were looking for sensitive business data, which the NAIC has in abundance.
That’s the thing about cyber strikes. They aren’t just looking for the social security numbers, payment information, or other kinds of data that we associate with these breaches. They’re after more varied information, and this risk will continue to evolve as more systems are more interconnected. The criminals are looking for vulnerabilities for more reasons than just what quick money they can immediately get.
Sometimes, the breach is the point. The data that they are after is knowing and letting other people know that they can breach that particular system. Sometimes the breach is about practicing and building their resume of systems that they have breached. Like it or not, there is an entire economy built on cybercrime.
And then there’s the long tail
The disruption of operations is also part of the point. By now, you’ve likely heard about ransomware strikes where the criminals lockdown systems or data until they are paid a ransom for an unlock key. After a few years of this risk growing, responses have shifted from pay the ransom quickly to reset and restore old backups. In the NAIC breach, the criminals didn’t lock down the system, but the NAIC had to so that they could assess what happened, figure out how to strengthen their systems, and get their partners convinced that the system is secure enough to continue to interact with it.
Here’s where we pivot a little to talk about coverages. What starts out as a cyber incident that may (or may not) be covered by a cyber policy quickly turns into a business income incident that is even less likely to be covered by any insurance policy. It’s certainly not covered by their Business Income and Extra Expense policy. That’s where the business’s troubles become compounded.
Without proper coverage, the business ends up shutting down because their systems had to be shut down because of a cyber incident and they never recovered because they had multiple financial impacts when someone got into their system and didn’t even touch the kind of data that we normally think about.
Topics
Cyber
Interested in Cyber?
Get automatic alerts for this topic.