Originally published on CyberInquirer
The occurrence and frequency of cyber breaches are not as transparent as one might expect. Or hope, for that matter. To the contrary, the FBI's chief cyber crimes investigator recently admitted that "thousands" of cyber crimes have gone unreported due to companies' fears about the impact of adverse publicity on their reputations and bottom lines.
According to Shawn Henry, assistant director of the FBI's Cyber Division, hackers regularly access computer security systems and steal millions of dollars and credit card numbers without such incidents ever being publicly reported. Indeed, Mr. Henry has acknowledged that "[o]f the thousands of cases that we've investigated, the public knows about a handful...There are million-dollar cases that nobody knows about."
And the problem is not limited to Fortune 500 and other large companies such as TJX and Heartland, which have voluntarily disclosed cyber intrusions. Indeed, the incidence of cyber attacks on such companies is growing marginally or even shrinking, as these entities implement more complex security systems. The more frequent target has become medium-sized and small companies which do not have the resources or perhaps the ability or interest to enhance their cyber protections. The same goes for private citizens whose personal wealth and, equally troublesome, personal secrets may be at risk as their personally identifiable information is wrongfully retrieved and then used to access their bank and other investment accounts. Needless to say, no one wants to admit they've been hit or that their resources have been stolen. The stigma alone is a major deterrent to such public disclosures. ("Hey Joe... guess what... I was just robbed of $10 million!! And, they learned that I've been cheating on my spouse for the past ten years... How about that!!!").
For cyber insurers, a prospective policyholder's unwillingness to disclose such intrusions can be a major problem, both from an underwriting and claims perspective. As always, the key is proper detailed due diligence up-front. Underwriters can not take for granted that they would or should know about an intrusion at a potential account. They must ask the right questions, require the proper warranties, and "pull back the curtain" to ensure that the risks they take on are just that – risks – rather than cyber intrusions waiting to happen. "Penny-wise, pound foolish" is particularly apt. Spend the time and money to vet your proposed accounts. The cost of a claim or related coverage litigation will dwarf the expense of a thorough underwriting investigation. Unlike the availability of insurance, that is a guarantee.
www.cozen.comThe content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
