In this new era of globalization, where in the blink of an eye new trends emerge, reach a peak and die off, people face major difficulties in navigating the confidentiality of their personal information. Some people treat this issue with uttermost meticulousness, while others (larger share) do not mark it enough important.
In the past years, concerns over safety of personal information rose exponentially. Non-punitive measures such as tax incentives and mandatory ones like GDPR compliance regulations are simultaneously put in force to achieve higher data security from cyber risks. On their own end, enterprises also undertake critical measures to avoid data breaches. According to Grand View Research group , information security market currently is valued at USD 156.5 bln, and is expected to annually grow 10% in the coming 7 years (2020-2027). This shift was largely coerced by the lucrative returns of stealing personal information. There is at least one hacking attack in each 39 seconds (University of Maryland), making it well over 800,000 annually. Most of the data breaches feature the following elements:
|52%||Hacking||compromising computer systems, personal accounts, computer networks, or digital devices|
|33%||Social Engineering||manipulating people so they give up confidential information|
|32%||Phishing||contacting by email by someone posing as a legitimate institution to lure individuals into providing sensitive data|
|28%||Malware||a code designed to cause extensive damage to data and systems or gain access to the network (virus, trojan, spyware, ransomware)|
Marriott International Data Breaches
The world-renowned hospitality provider is notoriously famous for its multiple data breaches. The most prominent of those is the one recorded in 2018. In fact, the breach started 4 years earlier, when Marriott’s not-at-the-time daughter entity Starwood hotels chain became compromised. Unification of their systems also exposed Marriott’s database. As a result, by the time of the breach’s revelation, personal information like full names, emails, addresses, passport numbers, etc. of more than 400,000,000 records were disclosed.
Despite the attack being allegedly state sponsored, Marriott is highly criticized in its response to the breach:
- Lacking security controls
- Inadequate due diligence in its acquisitive initiatives
- The identification being after 4 years of the hack
- The time it took to disclose the breach (discovery is September, reveal in late November), etc.
While the final net indemnity paid to Marriott by its insurers is not available, the speculations significantly vary. The Insurance Insider predicts the total loss to be around USD 300 mln, by which time Marriott would have already exhausted its coverage.
Equifax Data Breach
Equifax is a credit monitoring agency in the US, which experienced a data breach in 2017. Affected customers amounted 147 mln, far less than the one of Marriott’s. However, when taking into consideration the subject of stolen information being sensitive data such as social security numbers, birth dates, driver licenses, and the absence of data redundancies (no duplicate or partial records), the Equifax breach seems much more dangerous.
The breach was a result of multiple failures, most of which were the fault of Equifax’s management. They failed to eliminate a widely known vulnerability of their server provider, who notified them about it multiple times. Moreover, they stored this highly confidential information with no protective security measures like hashing. In other words, the usernames and passwords were kept in plain text format with no encryption making it one layer easier for hackers to access it.
The claims against Equifax amounted around USD 700 mln, from which USD 300-425 mln were allocated to client restitutions and the rest or USD 275 mln were fines to the government or CFPB (Consumer Financial Protective Bureau). While Equifax had a quite comprehensive cyber insurance policy, it covered only USD 100-150 mln (by the data of Insurance Journal USD 125 mln).
Wanna Cry Ransomware Attack
Unlike the previously discussed 2 cases, Wanna Cry Attack targeted not a big well-known entity, but individuals. The hackers used published vulnerability of Microsoft, which patched it up with its latest software update. Unfortunately, many consumers refrained from updating their computers and became exposed to this attack. Affecting more than 300,000 computers worldwide, the ransomware locked out the users from their devices and demanded USD 300 worth of bitcoin to release their files (ransom). While there is no definite information, whether or not the victims received their files after paying out the ransom, but the total losses of this attack are estimated to be USD 4 bln (Cyence LLC).
The implications of Wanna Cry Ransomware Attack go well beyond the ransom. The fact that people were unable to use their computers resulted in lost income. Moreover, the operating systems of hospitals and other strategically important institutions froze and brough much more serious challenges.
Logically, one would assume that after all these attacks people would appreciate more cyber insurance and information security. In fact, not that much. Research shows that most of the brokers and insurers find that there is no significant change in the demand of cyber insurance following these attacks.
Generally, there is no standardized format of cyber insurance policies: which risks to include and which are exclusions. Meaning, there is enough room for customization and adapting to one’s needs. Therefore, both the insurer and the insured closely work together to come up with unique solution that will satisfy the latter’s needs.
Cyber insurance hardly exists in Armenia. Currently in force such policies should not exceed a couple handfuls. In other words, neither the entities nor the insurers are keen to conclude policies on information technology safety. This requirement is mainly imposed by international corporations on their Armenian subsidiaries, branches and representative offices. Additionally, the rest of cyber insurance policies in Armenia are the result of fronting arrangement. In either case, Armenian insurers bear no risk on their behalf and cede all to their reinsurance partners.
Therefore, none of insurance firms in Armenia have standardized cyber insurance products that guide the willing clients to their desired direction. If a contract is concluded its fully based on the expertise of the former’s reinsurance partners. Accordingly, there is no known data breach cases with the involvement insurance.