Another day, another data breach. Today it was Boeing that reported a cyberattack, and this comes on the back of travel booking site Orbitz being targeted by an attacker who had access to its legacy systems from October to December of 2017. Personal customer data from January 2016 until December of last year, including names, dates of birth, email and postal addresses, and payment card information, was also accessed.
All in all, Orbitz reported that close to 900,000 payment cards were affected by the hack. In an era of regular major hacks, how does this one stack up in terms of severity?
“On the scale of magnitude, 800,000 is a lot and I guess we’re becoming immune to the numbers, but it’s considered reasonably small, especially when you put it up against some of the mega breaches we saw that were in excess of 150 million,” said Adam Cottini, managing director of the cyber liability and insurance risk management practice at Arthur J. Gallagher. “However, 800,000 isn’t light either and that’s going to have some expenses associated with liability and reaching out and notifying individuals.”
Payment cards were accessed in the Expedia-owned Orbitz breach, which shows why PCI coverage is an important component of cyber insurance. Breach response is another critical part of a cyber policy.
“First, you have to have a breach response that you go through, and that coverage has always been provided in the policy,” said Cottini. “That will cover you for your legal advisory for the breach and that will cover you for your forensics investigation of the computer system, which is likely what we saw here. The folks at Orbitz experienced a breach and had a forensics investigation to try and figure out what was impacted and where the impact was.”
With all the aspects that cyber insurance has to cover today, most carriers are keeping pace with the developments in cyber risk.
“There are certain coverages that are starting to expand and you’re starting to see disparity in coverages,” said Cottini. “It’s fair to say that in the Payment Card Industry-component of this conversation, coverages are close. Not everybody has everything, but they do a pretty good as an insurance business that the communities are keeping up.”
Business interruption coverage is one area where there are gaps. Disparities exist among carriers on what products and limits they’re willing to offer clients.
More stringent cyber security regulations at home and abroad could help to reduce cyber risk exposure. Cottini is keeping an eye on the potential effects that GDPR in the UK could have on US companies. If they hold information on European residents, they will have to comply with the regulation and, soon, other state-level privacy regulations might also be updated.
“That’s going to be a very, very difficult regulatory guideline to comply with. It’s not a US-focused regulation, but there is definitely going to be a cascading impact on the regulation from Europe that’s going to reach our side,” he said. “Eventually, I think our US entities are just going to have to figure out a way to start complying with those because we’re such an intertwined world.”
In an ever-changing cyber landscape, insurance buyers are becoming more attuned to the risks.
“Across the board, I’d say 99% of insurance purchasers acknowledge the risk,” explained Cottini. “The next logical question is, is it a big risk? Is it something that’s impactful to my organization? And we spend a tremendous amount of time in the educational side of things to explain to the clients where we see new risk, to try to analyze the exposure, and let them understand how big their exposure is.”