13 September 2019
Chris Hedenberg

The Breach Calculator: A Useful Tool or Past Its Prime?

Cyber risk has become notoriously difficult to quantify. 

Gone are the days of a monolithic IT stack managed by a single department on on-premises hardware. With cloud-based IT services and new kinds of software being deployed by any and every department, not to mention the ever-increasing amount of data being stored, it is nearly impossible for any one person to have a handle on an organization's entire IT footprint. Meanwhile, the tactics of cybercriminals adapt faster than IT defenses.

In this climate, any tool that can give policyholders some clarity about the financial risk posed by their IT security is welcome.

In this respect, breach calculators have become a common tool for risk managers and those working in cyber insurance. After a spate of high-profile breaches in recent years, it is clear that organizations of all types should quantify the potential costs associated with the exposure of records in their control. When it comes to buying and selling insurance, breach calculators help brokers and their clients get a sense of the scale of the financial risk tied to their data, which in turn informs decisions about coverage.

What does a breach calculator measure?

The direct costs of a breach stem from fines and lawsuits over the mishandling of data, plus the costs of investigation and remediation that follow the breach. The amounts are driven by the number and type of records: more records, and more sensitive records, such as those containing personally identifiable information or health records, push costs higher. By entering information about these factors into a breach calculator, we can estimate how much a breach would cost a given business. The cost estimates are derived from claims data and survey results. A detailed calculator is available from NetDiligence (accessible in the Corvus Risk Management Portal for our Cyber and Tech E&O clients), and a number of simpler calculators are available on the web.

While useful, breach calculators have limits: a broker seeking to help a client understand their total financial exposure to cyber risk may find it limiting to focus only on a breach calculator's results.

Breaches: so 2017?

Breaches remain common, and financial risk is still increasing as more of the world’s information is digitized. But if your clients are looking at the headlines this year, they are likely seeing reports of attacks that involve more than the stealing and re-selling of sensitive data. In fact, according to one report, breach incidents were down in 2018 after years of steady growth.

Ransomware attacks, in turn, have reportedly increased by hundreds of percent over the past year. These attacks often involve the interruption of business operations, or at least the threat of business interruption (BI), to encourage a ransom payment. It is not a new concept, but since the global-scale Petya/NotPetya attacks in 2017, cybercriminals have embraced the approach because of the immediate impact it can have on organizations of all kinds.

While data breaches can be costly and disruptive, they do not often stop an organization in its tracks, and they depend on a strong market for the resale of sensitive information for the crime to pay off. A great return is not guaranteed. Ransomware, on the other hand, provides an instant payoff.

This is where breach calculators can come up short: even if they are accurate at predicting breach-related costs, the costs of business interruption or contingent business interruption during a ransomware attack or other form of sabotage add up quickly, and depending on the type and size of business they can exceed the costs of a breach.

Be sure your risk assessment is comprehensive

Ransomware can include a variety of nefarious activities that disrupt a business. It can knock out business-critical systems that control warehouses, factories, or logistics. It can "brick" thousands of employee laptops, leaving employees unable to work for days until their hardware can be replaced. To get a sense of how catastrophic these attacks can be, imagine 20,000 appointments canceled at the UK's NHS, a large section of the Port of Los Angeles shutting down because of an attack on a single company, or an entire division of a multinational manufacturer shuttered for days.

These are examples that made news for their sheer scale and the brazenness of the attackers. But for millions of smaller enterprises and municipal or other governmental entities, attacks fly under the radar. Relatively speaking, they are more destructive, because these entities are unlikely to have a balance sheet ready to absorb the costs or in-house expertise in handling such crises. Criminals are currently wreaking havoc on small municipal governments in the U.S., for example.

Brokers should be prepared to inform clients about the risks of shutdowns or ransom situations as part of a complete risk assessment. This assessment should include a scan of the organization's footprint, since simple questionnaires are unlikely to yield a complete picture given the complexity of modern IT environments. Take particular note of the business's dependencies on third parties, the contingent business interruption risk: what impact on operations would occur if a critical vendor, rather than the client's own organization, were attacked?

Use a breach calculator to determine the risk exposure of the client's data, but do not overlook the costs the client would bear if their operations were completely shut down for days on end. Traditional Business Interruption worksheets are a good place to start. And of course, be sure that the cyber insurance policies you recommend include coverage for Business Interruption and Contingent Business Interruption.

So are breach calculators past their prime? Not as long as data breaches still occur by the hundreds every year, which does not look likely to change any time soon. But they are far from the end-all, be-all of risk assessment.
