[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


   PROTECTING SMALL BUSINESSES FROM CYBER ATTACKS: THE CYBERSECURITY 
                            INSURANCE OPTION

=======================================================================

                                HEARING

                               BEFORE THE

                      COMMITTEE ON SMALL BUSINESS
                             UNITED STATES
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              HEARING HELD
                             
                             JULY 26, 2017

                               __________

                               

            Small Business Committee Document Number 115-032
             Available via the GPO Website: www.govinfo.gov
                   HOUSE COMMITTEE ON SMALL BUSINESS

                      STEVE CHABOT, Ohio, Chairman
                            STEVE KING, Iowa
                      BLAINE LUETKEMEYER, Missouri
                          DAVE BRAT, Virginia
             AUMUA AMATA COLEMAN RADEWAGEN, American Samoa
                        STEVE KNIGHT, California
                        TRENT KELLY, Mississippi
                             ROD BLUM, Iowa
                         JAMES COMER, Kentucky
                 JENNIFFER GONZALEZ-COLON, Puerto Rico
                          DON BACON, Nebraska
                    BRIAN FITZPATRICK, Pennsylvania
                         ROGER MARSHALL, Kansas
                      RALPH NORMAN, South Carolina
               NYDIA VELAZQUEZ, New York, Ranking Member
                       DWIGHT EVANS, Pennsylvania
                       STEPHANIE MURPHY, Florida
                        AL LAWSON, JR., Florida
                         YVETTE CLARKE, New York
                          JUDY CHU, California
                       ALMA ADAMS, North Carolina
                      ADRIANO ESPAILLAT, New York
                        BRAD SCHNEIDER, Illinois
                                 VACANT

               Kevin Fitzpatrick, Majority Staff Director
      Jan Oliver, Majority Deputy Staff Director and Chief Counsel
                     Adam Minehardt, Staff Director
                            
                            
                            C O N T E N T S

                           OPENING STATEMENTS

Hon. Steve Chabot
Hon. Nydia Velazquez

                               WITNESSES

Mr. Robert Luft, President, SureFire Innovations, Cincinnati, 
  Ohio, testifying on behalf of the National Small Business 
  Association
Ms. Erica Davis, Senior Vice President, Head of Specialty 
  Products Errors & Omissions, Zurich Insurance, North America, 
  Washington, DC, testifying on behalf of the American Insurance 
  Association
Mr. Eric Cernak, Vice President, Cyber Risk Practice Leader, 
  Munich Re U.S., Hartford, CT, testifying on behalf of the 
  Reinsurance Association of America (RAA)
Mr. Daimon Geopfert, National Leader and Principal, Security and 
  Privacy Consulting, Risk Advisory Services, Southfield, MI

                                APPENDIX

Prepared Statements:
    Mr. Robert Luft, President, SureFire Innovations, Cincinnati, 
      Ohio, testifying on behalf of the National Small Business 
      Association
    Ms. Erica Davis, Senior Vice President, Head of Specialty 
      Products Errors & Omissions, Zurich Insurance, North 
      America, Washington, DC, testifying on behalf of the 
      American Insurance Association
    Mr. Eric Cernak, Vice President, Cyber Risk Practice Leader, 
      Munich Re U.S., Hartford, CT, testifying on behalf of the 
      Reinsurance Association of America (RAA)
    Mr. Daimon Geopfert, National Leader and Principal, Security 
      and Privacy Consulting, Risk Advisory Services, Southfield, 
      MI
Questions for the Record:
    None.
Answers for the Record:
    None.
Additional Material for the Record:
    AIA Statement (American Insurance Association)
    Willis Towers Watson Statement

 
   PROTECTING SMALL BUSINESSES FROM CYBER ATTACKS: THE CYBERSECURITY 
                            INSURANCE OPTION

                              ----------                              


                        WEDNESDAY, JULY 26, 2017

                  House of Representatives,
               Committee on Small Business,
                                                    Washington, DC.
    The Committee met, pursuant to call, at 11:00 a.m., in Room 
2360, Rayburn House Office Building, Hon. Steve Chabot 
[chairman of the Committee] presiding.
    Present: Representatives Chabot, Luetkemeyer, Brat, 
Radewagen, Kelly, Blum, Bacon, Fitzpatrick, Marshall, Norman, 
Velazquez, Evans, Murphy, Lawson, Clarke, Chu, Espaillat, and 
Schneider.
    Chairman CHABOT. The Committee will come to order.
    Good morning. We appreciate everybody being here.
    Cybersecurity has been one of this Committee's top 
priorities. We have held numerous hearings and worked on 
meaningful legislation to ensure small businesses have every 
possible resource to protect themselves against a cyber attack. 
Weeks ago, I, along with my friend from across the aisle, 
Representative Dwight Evans of Pennsylvania, introduced 
legislation to ensure that America's Small Business Development 
Centers have the best possible cybersecurity training so that 
they can better assist small businesses with their cyber 
strategies.
    Unfortunately, we have also heard too many firsthand 
accounts from small business owners who have been victims of 
cyber attacks. One case in particular that stands out is the 
story of a small business owner who testified before this 
Committee last year. He owned an indoor go-karting facility in 
Maine, and had a number of employees and families that depended 
on him. He told the Committee that he was struck by a phishing 
scam. He logged onto his bank account and to his utter 
disbelief his balance was zero. And that happened on a payday 
no less, so all his employees were at risk of not being paid 
that day, so he was really panic stricken. Fortunately, he 
caught it just in the nick of time and was able to stop the 
funds from being transferred, but that is usually, 
unfortunately, not the case.
    Cybersecurity experts have told this Committee about the 
growing number of cyber threats facing America's 28 million 
small businesses. In 2016 alone, the Justice Department 
recorded nearly 300,000 cybersecurity complaints. This number 
increases every year. Sixty percent of small businesses that 
fall victim to a cyber attack close up shop within 6 months, 
and the estimated average cost of a cyber attack on a small 
business is over $30,000. And that may not be a huge amount to 
a large corporate entity in the United States, but to a mom-
and-pop small business person, $30,000, that can mean why 60 
percent of small businesses go out of business within 6 months 
of being hit by a cyber attack.
    In our Committee's efforts to spotlight these serious and 
growing threats, it has become clear that we need to think 
outside the box as we work to thwart cyber attacks. Small 
businesses must also be diligent as they manage their IT 
systems and educate their staffs about the importance of 
cybersecurity. They should also be creative as they consider 
different ways to spread risk and manage their cyber 
strategies.
    One increasingly feasible solution is cybersecurity 
insurance. Many larger corporations are already exploring this 
approach to dealing with cyber attacks. It is likely that small 
businesses will follow.
    Of course, the widespread adoption of cybersecurity 
insurance policies is not without its challenges, both for 
small businesses and for the insurance providers. Small 
businesses must determine what policies and coverage options 
make sense for them and also implement basic cybersecurity best 
practices. Furthermore, the cybersecurity insurance marketplace 
is remarkably new and many of the providers still lack the 
historical data to offer appropriate plans to consumers which 
drives up the cost to policyholders. Yet, as they look to 
improve their models and cyber risk scenarios, cybersecurity 
insurance will become more viable and more accessible.
    Today, we will hear from a panel of witnesses that all have 
some level of experience with cybersecurity insurance and can 
offer an in-depth perspective on both the benefits of 
cybersecurity insurance and the challenges that still lie 
ahead. I look forward to hearing our witnesses' views on how 
small businesses can more effectively manage their cyber risk 
and possibly with the help of cybersecurity insurance.
    And I would now like to yield to the Ranking Member, Ms. 
Velazquez, for her opening statement.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    The internet has undoubtedly transformed the way small 
business operates. E-commerce empowers America's 28 million 
small businesses, giving them a unique opportunity to sell 
their products not only across the country, but around the 
world. Unfortunately, for small business owners, when it comes 
to the health of their businesses, cyber hygiene often falls to 
the back burner. The lack of preventive measures can result in 
hacks and other cyber incidents that have major and costly 
implications for small business and their ability to operate.
    The topic of this hearing is particularly timely. If Russia 
was able to use cyber attacks to penetrate our democratic 
institutions, by comparison a small business seems an easy 
target. The fact of the matter is there will continue to be 
cyber threats from those who seek to damage our national 
security, our economic security, and our political system. And 
there will continue to be criminals who seek to profit by 
stealing sensitive data held by the government or the private 
sector. Cyber criminals have realized small entities are more 
exposed than larger businesses that have dedicated, in-house IT 
personnel overseeing their systems and networks.
    In 2016 alone, more than 1.1 billion identities were 
stolen. This is worrisome, perhaps lethal, for companies that 
have a reputation of safeguarding their customers' information 
and need to maintain their credibility. Small businesses that 
lose customer information when their security is breached 
suffer significant costs financially and in the loss of 
customer trust. And once businesses get compromised, fully 
recovering from a cyber attack is extremely difficult.
    On average, small businesses that get hacked make the 
discovery more than 200 days after the attack has occurred. For 
the federal government, cybersecurity should be a priority, but 
the private sector must also stand up to the challenge and 
complement existing federal resources.
    Given the financial consequences that a cyber attack may 
have on small businesses, there is a new industry of insurance 
providers focused on providing policies to protect them; yet, 
there are a number of factors making this an expensive 
undertaking. A lack of adequate data underscores the complex 
nature of creating cyber liability policies for small firms. 
Also, the type of business, its risk management procedures, and 
the continually evolving threats make it difficult for the 
insurers and the small businesses.
    Today's hearing will help us look at this noble idea and 
learn what role Congress plays in streamlining such an 
important insurance product. I look forward to hearing the 
challenges small businesses face in selecting a cybersecurity 
insurance policy and the hurdles insurers must overcome to 
offer valuable and comprehensive cybersecurity insurance 
solutions. It is clear from recent events that these issues are 
not diminishing. If anything, they are growing more important. 
Cybersecurity concerns from Russia's attack on our political 
institutions to criminal enterprises preying on small businesses 
merit our attention more than ever before.
    I would like to thank you all for being here this morning 
and I yield back, Mr. Chairman.
    Chairman CHABOT. Thank you very much. The gentlelady yields 
back.
    And if Committee members have opening statements, I would 
ask that they be submitted for the record.
    And I would now like to explain our timing rules and lights 
here. It is pretty simple. We operate under the 5 minute rule. 
There is a lighting system to assist you there. The green light 
will be on for 4 minutes. The yellow light will come on and let 
you know you have got a minute to wrap up, and then the red 
light will come on and you are supposed to stop. Most people 
do. But we will give you a little leeway. But if you could stay 
within those parameters, we would appreciate it very much.
    And I would now like to introduce our distinguished panel. 
Our first witness is Robert Luft, the Owner and President of 
SureFire Innovations, a service-disabled, veteran-owned small 
business and minority business enterprise located in my home 
district of Cincinnati, Ohio. And Mr. Luft and I actually 
talked about this a long time ago and he brought this to my 
attention. And I think that actually was how this hearing came 
into being here, so do not screw it up because you are the one 
who did it.
    SureFire Innovations specializes in providing network 
infrastructure services to companies all across the country. 
Prior to starting his company, Mr. Luft served our country for 
16 years in the Army as a combat engineer. He is testifying on 
behalf of the National Small Business Association. We thank him 
for his service to our country and we also welcome him here 
today.
    I would now like to yield to the Ranking Member to 
introduce our next witness, who I believe is a constituent and 
whose first name is Erica, which happens to be our daughter's 
name. You even spell it the same way. So, and I yield.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    It is my pleasure to introduce Ms. Erica Davis, senior vice 
president and head of Specialty Products Errors and Omissions 
at Zurich. She is also a constituent from my district in 
Brooklyn, so I am very proud.
    Prior to joining Zurich in 2009, she was a senior 
underwriting officer for technology insurance specialty at the 
Chubb Group of Insurance Companies. Ms. Davis holds a bachelor 
of arts degree from the University of Arizona. Welcome.
    Chairman CHABOT. Thank you. And our third witness will be 
Mr. Eric Cernak, Vice President and Cyber Risk Practice Leader 
at Munich Re in Hartford, Connecticut. In his role, Mr. Cernak 
provides leadership in all cyber efforts, oversees Munich Re's 
property and casualty operations, and develops strategies to 
help the company compete in the cyber marketplace. He is 
testifying today on behalf of the Reinsurance Association of 
America, RAA, and the Property Casualty Insurers Association of 
America, PCI. We thank you for testifying here this morning.
    I would now like to once again yield to the Ranking Member 
for introduction of our fourth witness.
    Ms. VELAZQUEZ. Thank you, Mr. Chairman.
    It is my pleasure to introduce Mr. Daimon Geopfert, 
national leader and principal of security and privacy 
consulting at Risk Advisory Services. He has over 20 years of 
experience in a wide array of positions, including time in the 
U.S. Air Force. Mr. Geopfert has served as the manager and lead 
technician for security assessments performed on some of the 
largest corporations and government entities in the world. He 
holds a bachelor's degree from the United States Air Force 
Academy and a master's degree in computer science from the 
University of Michigan. Welcome. Thank you for being here.
    Chairman CHABOT. Thank you. And we also thank you for your 
service, Mr. Geopfert.
    And Mr. Luft, you are welcome here and recognized for 5 
minutes.

  STATEMENTS OF ROBERT LUFT, PRESIDENT, SUREFIRE INNOVATIONS; 
ERICA DAVIS, SENIOR VICE PRESIDENT, HEAD OF SPECIALTY PRODUCTS 
   ERRORS & OMISSIONS, ZURICH INSURANCE, NORTH AMERICA; ERIC 
 CERNAK, VICE PRESIDENT, CYBER RISK PRACTICE LEADER, MUNICH RE 
U.S.; DAIMON GEOPFERT, NATIONAL LEADER AND PRINCIPAL, SECURITY 
         AND PRIVACY CONSULTING, RISK ADVISORY SERVICES

                    STATEMENT OF ROBERT LUFT

    Mr. LUFT. Good morning. Thank you, Chairman Chabot, Ranking 
Member Velazquez.
    Chairman CHABOT. You need to turn the mic on there.
    Mr. LUFT. I apologize.
    Chairman CHABOT. Yeah. You have got to turn it on.
    Mr. LUFT. Good morning. Thank you, Chairman Chabot, Ranking 
Member Velazquez, and members of the House Small Business 
Committee, for inviting me to testify today on the current 
state of cybersecurity for small companies and how cyber 
insurance can help small businesses transfer risk.
    My name is Robert Luft, and I am the owner of SureFire 
Innovations located in Cincinnati, Ohio. I am pleased to be 
here representing the National Small Business Association where 
I currently serve on the Leadership Council and the Technology 
Council.
    SureFire Innovations is a certified service-disabled, 
veteran-owned small business and minority business enterprise, 
specializing in network infrastructure, design and installation 
of hardwired, wireless, security and smart city networks.
    After my military service in the Army, where I had the 
honor to serve on multiple combat deployments to Iraq during my 
16-year career, I decided that entrepreneurship was my path, 
and hence, the founding of SureFire Innovations.
    Cybercrime is growing rapidly with annual cost to the 
global economy estimated to reach over $2 trillion by 2019. 
Organizations of all sizes are at risk for cyber attacks.
    Small business represents more than 97 percent of business 
in the U.S. Alarmingly, in 2015, 43 percent of all attacks were 
directed at small business. Despite the growing awareness of 
cyber-related crimes, 77 percent of small business owners 
believe their company is not at risk for cyber attacks.
    The risk of being a target for cybercrime is high. Forty-
two percent of small businesses surveyed by the National Small 
Business Association reported being a victim of a cyber attack, 
with the average cost being $32,000 when business banking 
accounts were hacked, and $7,000 on average for small business 
overall.
    So what can we do as small businesses to address this 
issue? We can start with what I learned in the Army. Keep it 
simple. By utilizing the SBA's top 10 cybersecurity tips, this 
would provide a framework for all small businesses, even those 
who are not technologically savvy and currently have zero 
protections in place; simple measures, like installing 
antivirus software, the use of complex passwords, and backing 
up information.
    Since total elimination of threats is impossible, 
protecting against them should be a top management priority. 
Unfortunately, many small businesses do not place cyber threat 
as a top priority. This is evident by the fact that 60 percent 
of small companies go out of business within 6 months after a 
cyber attack. Small businesses need to think not only of ways to 
mitigate cyber attacks, but also of how to transfer that risk 
away from their company.
    This can be accomplished with the cyber liability insurance 
policy, which provides coverage in the event of a cyber attack. 
A typical cyber liability policy will include the following 
coverages: theft and fraud, forensic investigation, network 
business interruption, extortion, and data loss.
    What led to my purchase of a cyber liability policy is a 
subcontractor was performing services on one of my projects, 
suffered a bank account breach that resulted in the loss of 
$15,000. This was a catastrophic event. Those funds were 
required for payroll and put enormous strain on its employees. 
This event made me realize that our company was just as 
vulnerable, and despite having a cybersecurity plan, we did not 
have a cyber liability insurance policy. So in the event we 
were breached, we would not have any financial protections 
available.
    Unfortunately, we were not the exception, as 75 percent of 
small businesses do not have cyber liability coverage in place. 
Most small businesses do not have the appetite to purchase 
another insurance policy. My annual premium is $3,200. The 
level of security this provides my company does not completely 
remove all of my concerns, but it affords me the knowledge that 
if we were hacked, protective steps had been taken to address 
any potential damages to the company and my employees.
    There are enormous amounts of resources available to help 
educate small businesses on cybersecurity and the potential 
ramifications of not having the appropriate plan and policies 
in place. The issue is awareness. The more we can help inform 
small businesses on how to mitigate and transfer these risks, 
the greater the positive impact small business will have on our 
economy.
    Thank you for the opportunity to address this very pressing 
issue.
    Chairman CHABOT. Thank you very much.
    Ms. Davis, you are recognized for 5 minutes.

                    STATEMENT OF ERICA DAVIS

    Ms. DAVIS. Mr. Chairman, Ranking Member Velazquez, and 
members of the Committee, thank you for the opportunity to 
speak with you today about the private sector's role in 
providing risk management solutions to protect businesses from 
cyber risk.
    My name is Erica Davis and I lead a team of market-facing 
underwriters at Zurich North America, one of the five providers 
currently leading the North American cybersecurity insurance 
marketplace.
    Zurich has invested in identifying risks and delivering 
solutions for our customers. Zurich is a member of the American 
Insurance Association, the leading property-casualty insurance 
trade organization representing approximately 325 major 
insurers. I appreciate AIA's focus on cybersecurity.
    The cyber landscape continues to evolve, making companies 
increasingly vulnerable to the potential harm of a security or 
privacy event.
    While awareness of the threats is growing across all sizes 
of organizations, businesses are still struggling to understand 
cyber risk. That is, the full scope of their 
exposures and how best to protect themselves. They must 
determine whether they should retain the residual risk or 
transfer it through the purchase of a cyber insurance product.
    Our approach to cybersecurity includes understanding 
attitudes to cyber risk, providing tailored coverage to meet 
our customers' needs, and working with businesses to adopt a 
mindset of resilience rather than just protection.
    Last fall, Zurich and Advisen released a survey of risk 
managers and other risk professionals. It found that 87 percent 
of respondents believe a technology interruption would have a 
moderate to significant impact on their organization. As with 
any line of insurance, risk culture is critical to underwriting 
cyber insurance. Businesses must build a culture of resilience 
and operational awareness at all levels, rather than simply 
viewing cyber risk as a technology issue.
    Insurance is just one piece of the cyber risk management 
puzzle, but the role of insurance is increasing as customers 
seek risk insights and feedback from their insurance advisors. 
It has really become more of a partnership with businesses now 
focusing on not just what happens post-event and a loss being 
paid. They value having qualified, vetted resources available 
to them, especially in their moment of crisis. And they are 
focusing more on risk-mitigation tools their insurance 
providers can provide to them.
    The business community's interconnectivity and reliance on 
technology has increased and that creates additional points of 
entry and new threat vectors. The cyber insurance and exposure 
has broadened to include potential property damage for 
something like critical infrastructure, supply chain ripple 
effects, bodily injury from autonomous vehicles, or 
cyberespionage. And the issue is only becoming more 
complicated.
    In an effort to continuously help customers and protect 
themselves from risk, Zurich began participating as a key 
industry consultant in a public-private partnership by the 
University of Maryland and the National Institute of Standards 
and Technology. We are proud to be part of this initiative.
    Zurich is also collaborating with Deloitte to help improve 
a business' cyber resilience. Policyholders can complement 
Zurich's cyber insurance solution with risk management services 
through Deloitte to understand their level of cyber exposure 
and resilience.
    Underwriting of the cyber product is evolving, as are the 
risks. The insurance community is continuously working to 
understand the full scope of the exposures and what the 
controls may need to be. Each business needs to be underwritten 
differently, and as insurers, we must continue to refine our 
own understanding of those exposures. Finding solutions to the 
most complicated of cyber risks will require collaboration 
between the insurance industry, governments, academia, and 
other think tanks to establish standards, encourage 
information-sharing, build resilience, and create adequate 
global governance.
    As the market evolves, Zurich is committed to staying at 
the forefront of the cybersecurity issue, and we will continue 
to develop additional insurance solutions going forward.
    Thank you for the opportunity to testify today, and I look 
forward to answering your questions.
    Chairman CHABOT. Thank you very much.
    Mr. Cernak, you are recognized for 5 minutes.

                    STATEMENT OF ERIC CERNAK

    Mr. CERNAK. Good morning. I am Eric Cernak, vice president, 
U.S. cyber and privacy risk practice leader at Munich Re U.S., 
testifying on behalf of the Reinsurance Association of America 
and the Property Casualty Insurers Association of America.
    Munich Re and HSB provide cyber and privacy-related 
insurance and reinsurance protection for small and large 
businesses in the United States and throughout the world. HSB 
Group has an A++ and Best Financial Strength rating. We were 
one of the first companies to provide reinsurance for cyber 
risk to small businesses. In addition to reinsurance, we 
underwrite cyber risk, develop products, and work with small 
businesses to help mitigate cyber-related exposures.
    Today's hearing is an important discussion to highlight the 
success of the private sector in developing cyber insurance. It 
will help raise awareness among the small business community 
about the importance of purchasing cyber insurance as a 
preventative risk management tool and critical safety net 
should a cyber event occur.
    A 2017 Risk Management Solutions report concluded that the 
number of large magnitude data exfiltration events has grown 
substantially, and companies are increasingly investing in 
their own cybersecurity systems. However, a June report by 
broker Aon estimated that only 19 percent of small businesses 
in the United States had purchased cyber insurance compared to 
around 75 percent of certain large companies globally. More 
insurers have offered cyber insurance over time, from less than 
a dozen in the early 2000s to more than 70 in 2016. As we see 
more high-profile cyber events, small businesses are 
increasingly aware of their exposure. This has prompted the 
insurance industry to add cyber endorsements to existing small 
business insurance policies.
    A significant part of the value proposition of these cyber 
insurance policies is loss prevention services. Participants in 
a 2016 Hartford Steam Boiler survey listed vulnerability 
assessments, next-generation firewalls, IT security audits, and 
intrusion detection as the most helpful loss prevention 
services. Participants also listed reasons that they did not 
purchase cyber insurance: they did not need it, cost of 
coverage, and an application process that is too complicated 
and confusing. These results suggest that education is key to 
increasing the take-up rate of cyber insurance by small 
companies.
    The public and private sectors have a role to play in 
increasing the cyber insurance take-up rate, helping businesses 
overcome the ``it will not happen to me'' mentality, 
constructively addressing cyber vulnerabilities, and preparing 
for the aftermath of a cyber event. Cyberattacks may not be a 
matter of if, but when. It is essential for businesses, which 
are increasingly interconnected, to be prepared, protected, and 
resilient. Insurance can help with all three.
    The insurance marketplace needs to continue to refine the 
process in coverage to reduce complexity associated with the 
purchasing of cyber insurance. For example, common coverage 
form terminology could help applicants better understand what 
different policies cover.
    Insurers are also grappling with four factors in offering 
cyber insurance. As both the chairman and ranking member have 
stated, there is no significant historical loss data. Second, 
the cause of loss is generated by an active adversary that 
changes with new technology. Third, insurers are grappling with 
the evolving patchwork of State, Federal, international cyber-
related requirements. And fourth, cyber is not bound by 
geography and poses potential aggregation risk for insurers.
    As these factors evolve, Munich Re and HSB are continuously 
talking to our small business customers to better understand 
their needs. We are also monitoring the technological, 
regulatory, and societal trends that could pose cyber risks.
    So what can Congress do to improve cyber protections for 
small businesses? We specifically encourage Congress and the 
administration to coordinate cybersecurity policy among Federal 
agencies and designate lead agencies to coordinate discussions 
where appropriate. It is critical that this coordination 
include State insurance regulators and that we all work 
together to avoid a conflicting patchwork of State, Federal, 
and international standards. Munich Re and HSB Group stand 
ready to work with you to protect small businesses from 
cybersecurity threats. Thank you.
    Chairman CHABOT. Thank you very much.
    Mr. Geopfert, you are recognized for 5 minutes.

                  STATEMENT OF DAIMON GEOPFERT

    Mr. GEOPFERT. Thank you, Chairman Chabot, Ranking Member 
Velazquez, and members of the Committee. Thank you for the 
opportunity to discuss the cybersecurity challenges that have 
become a constant material threat within the small business 
community.
    My name is Daimon Geopfert, and during my career I have 
performed hundreds of security assessments and cyber breach 
intrusion investigations within small businesses. I was asked 
to speak today regarding how legislation, such as H.R. 3170, 
and private sector solutions, such as cyber insurance products, 
can help organizations manage their cyber risk.
    In a study performed last year, RSM performed extensive 
data mining within a set of cyber insurance claims and found 
that 50 percent of the reported attacks were against 
organizations with $50 million in revenue or less. Attacks 
against small businesses are not an anomaly; they are the norm. 
This is the key demographic that is being targeted by hackers.
    What is needed is a venue through which small businesses 
can find simple, direct guidance on how to protect their 
environments and mitigate risk, and that also provides access 
to resources with the necessary expertise to chaperone them 
through the implementation of that guidance.
    The current legislation addresses part of this requirement 
by essentially creating cyber mentors within the Small Business 
Development Centers. These personnel could quickly become the 
frontline advisors that are so desperately needed to guide 
small businesses through the deployment of technical security 
solutions and administrative risk management techniques, such 
as acquiring cyber insurance.
    While this is a critical first step, the SBDCs hold the 
promise of a myriad of benefits that could be made available in 
the future. Again, to make material progress on this issue, we 
need to move to clear, concise, pragmatic solutions. While it 
might seem like an abnormal suggestion, what is needed is to 
emulate our peers within the hacking community. The underground 
markets excel and become exceedingly efficient at turning large 
masses of unskilled, technically challenged individuals into 
groups of, while not elite, at least effective cyber attackers. 
We lack that equivalent process on the defensive side in which 
we can rapidly take a large number of small businesses and have 
them become at least efficient and effective at basic 
cybersecurity.
    While it sounds relatively simple, reference environments, 
as they are known, are not common in the small business 
community, which often leads to organizations cobbling together 
their security architecture and governance based on their 
individual interpretations of best practice.
    Similar to the methods of our adversaries, small and middle 
markets need a dedicated hub where they can find simple, 
realistic guidance on how to deploy security solutions that are 
complete and effective at a basic level. This would then need 
to be paired with programs dedicated to delivering security 
training directly to the IT and management members of those 
small businesses as most of these organizations simply cannot 
acquire the necessary security talent on the open market.
    The SBDCs could play a critical role in the process of 
working with government entities, private sector consultants, 
and vendors to create standardized models and security 
training. It should be mentioned that an additional benefit of 
deploying such common models is that it would then allow the 
SBDCs to address the need for actionable cyber threat 
intelligence that could be easily consumed and put to use by 
small businesses. If common reference environments are made 
available to small businesses, many of these entities would be 
highly interested in deploying these frameworks if they knew 
they can consume and utilize threat intelligence in a plug-and-
play manner. It should be noted that this support was included 
in the prior H.R. 5064 legislation that passed this Committee 
last year, but then later expired in the Senate.
    At this point, the foundations would be laid for a base-
level accreditation program for small businesses in which they 
can demonstrate that they have achieved basic cyber controls 
and processes. The SBDCs would be a natural fit to oversee this 
program and could then coordinate between newly accredited 
small businesses and insurance carriers to facilitate the 
acquisition of cyber insurance. These suggestions create a 
process that naturally flows from a set of standardized security 
templates, through the training and the deployment of those 
templates, through the accreditation that the controls were 
deployed properly, through the coordination with the cyber 
insurance market to offset the residual risk. This process in 
its entirety represents the most requested types of support by 
small business executives encapsulated in a clear, concise, and 
pragmatic approach. It would materially improve the current 
security status of approximately 50 percent of the U.S. 
economy.
    The final point I would suggest would be to use the SBDCs 
as a coordination point between small businesses and a 
designated, responsive law enforcement entity. Currently, when 
a small business is compromised, they can contact their local 
police departments, which are often willing to help, but 
technically unable to do so, or they can contact the FBI or 
Secret Service that are technically able to help, but typically 
do not have the bandwidth to do so.
    This situation has created a mindset within the small 
business community that when it comes to cyber matters, they 
have essentially been abandoned to the Wild West where the rule 
of law does not apply. Legislation that addresses the points I 
have described above would greatly improve the security and 
longevity of the U.S. small and middle market businesses.
    Mr. Chairman, this concludes my statement, and I look 
forward to further questions.
    Chairman CHABOT. Thank you very much. And I will yield 
myself 5 minutes.
    Mr. Luft, I will go to you first. Could you tell us what 
process you went through in determining what cyber insurance 
coverage you ultimately ended up with? And are there any 
recommendations that you would make to other small businesses 
who might be considering, first of all, whether or not they 
should get insurance coverage? And then secondly, you know, who 
they should get it from? I am not saying what company, but just 
kind of the process.
    Mr. LUFT. Well, it was my first assumption that cyber 
insurance should just be as simple as any type of insurance, so 
I reached out to my existing insurance provider. What I quickly 
found out is that is not the case. He was not familiar with a 
lot of policies. So once I saw some hesitancy on his end, I 
sought some additional resources and found an agent that was 
exclusive to cyber insurance. That would be my first suggestion 
to any small business.
    And one of the first things that a company needs to look 
for when they are looking at that, there are some standard 
coverages in there: the extortion coverage, data loss. So the 
company could assume that those things are going to be included 
in a policy.
    But one thing that they need to ask for is retroactivity. 
When you first initially buy that policy, it is going to become 
effective that inception date, but anything that may have 
happened previously, it would behoove that small business to 
ask for maybe a year of retroactivity, just in case there is 
something lurking there in their network, to ensure that they 
are safe.
    Chairman CHABOT. Thank you very much.
    Ms. Davis, let me go to you next. You mentioned in your 
testimony that not all causes of loss are covered by a 
particular insurance policy. Could you provide the Committee 
with an example of what would be an uninsured loss and how 
small businesses can protect themselves from that type of 
liability?
    Ms. DAVIS. Sure. So the exposures that arise from cyber 
threat continue to evolve and there are certain elements of 
loss that at this point are not transferable to an insurance 
policy. There is work being done by the insurance community to 
try and develop insurance solutions for some of those losses, 
but my advice to small businesses really echoes some of the 
comments that we have heard already, and that is just providing 
additional education to those businesses, so things like this 
hearing today really bring awareness to the topic. But where 
assistance is needed is helping them connect the dots.
    I think small businesses today have an understanding of 
what the exposures are and what risks they may bring to the 
business, but they are struggling with the ``how.'' What sort 
of action items they can implement to make their operation more 
resilient and secure. So it really does come down to businesses 
understanding the risk and protecting themselves from it, which 
is really done through risk mapping. Smaller businesses need to 
understand what downtime could mean to their organization.
    Also, the sensitive data that they are holding, what sort 
of costs they may incur if that data is compromised, and I 
think that qualitative aspect is an area and it is an 
opportunity where the insurance community can assist with some 
of that process.
    The other point that I will mention is just in terms of 
connecting the dots and bringing action items to them, it is 
about understanding if employee training is only being offered 
by roughly 80 percent of organizations now, that does not 
translate to the fact that we have seen a growing number of 
threats really come out of exploitation of that human element, 
of that big vulnerability. And 50 percent of respondents to 
that Advisen Zurich survey noted that humans or their employees 
unintentionally infecting their network was a top concern. So 
just helping bring together those pieces.
    Chairman CHABOT. Thank you. I have got less than a minute 
to go and I have got two witnesses. I am going to throw this 
question up and it is kind of maybe an impossible question, so 
if either one of you want to answer this. If a business has X-
amount of insurance where they are covering fire and a whole 
range of things and now they have got to consider cybersecurity 
insurance, and let us say they are going to go with the 
insurance company they have now, how much more typically could 
they expect to pay for this that they are not paying without it 
right now? Percentage-wise, are we talking an additional 10 
percent, 25 percent? And I know that is a tough question. It 
would depend on how big the company is. What would your 
estimate be if you have one?
    Mr. CERNAK. That is an excellent question, and as you point 
out, it is going to depend on the class of business that they 
are in, the amount of data that they have, what coverages they 
are actually looking for. And there are two approaches to cyber 
insurance in the marketplace today. One is a standalone policy, 
which is probably going to cost you thousands of dollars.
    Chairman CHABOT. Yeah. I would guess that would be probably 
more. So let us say you went with the company that you have now 
and they did have the expertise, unlike what Mr. Luft had said 
he experienced, I mean, ballpark, what range are we probably 
talking about? Either one of you want to venture this?
    Mr. GEOPFERT. Again, that is hard to formulate because 
every one of the organizations, when we work with them--and I 
am not on the insurance side; I am on the breach investigation 
side, so I see the flip side of it--every one of the 
organizations, the question is going to come down to what does 
your network look like? How much data do you have? How does the 
data pass through? Do you pass through credit card payments to 
a third party? Depending on how they answer that, you can have 
two organizations that are the same size in the same industry 
that have put together their networks differently. They are 
going to pay vastly different amounts for insurance.
    Chairman CHABOT. I told you it was an impossible question.
    Do either one of the first two witnesses want to take a 
quick stab at it, ballpark?
    Ms. DAVIS. So there are a number of factors that contribute 
to that. So coverages, but also limits and retention. So it 
really depends on what an organization's risk tolerance is. 
Somebody may say to themselves, ``I feel as though I can retain 
this risk. I am not at high risk of this sort of event 
occurring,'' and they may be purchasing a $1 million limit with 
a $250,000 retention purely to satisfy a contractual 
requirement; somebody else may opt for hundreds of billions in 
coverage. So those are some of the influencers.
    Chairman CHABOT. Mr. Luft, you are from Cincinnati. I 
expect you to give me an answer.
    Mr. LUFT. So, Chairman, I can talk specifically about what 
is happening with my company. And so for my liability policy, 
covering our installation, for a million-dollar policy that is 
about $4,000. When I bought that standalone cyber insurance 
policy, that was $3,200, so roughly about 80 percent.
    Chairman CHABOT. Good. Thank you very much. I appreciate 
it.
    My time is expired. I apologize for going a little bit 
over.
    The Ranking Member is recognized for 5 minutes.
    Ms. VELAZQUEZ. Thank you.
    Mr. Cernak, I believe that you stated that it is not if 
small businesses are at risk, the question is when is it going 
to happen. So we need to operate under the assumption that 
aggressors are already inside our networks. With that said, 
what alternatives do small businesses have once they become 
aware an aggressor already has access to that information and 
technology?
    Mr. CERNAK. Sure. Yeah, once you have identified that 
someone may be within your four walls, I think it is incumbent 
and imperative that you get somebody, like my colleague here to 
the right, that could come in and identify exactly what is 
wrong. And not to stop at the first answer. We have seen 
instances where ransomware is extremely popular now. A lot of 
businesses are being impacted by ransomware, and it is a very 
visible attack. But what the criminals are doing on the other 
side of that is they are loading additional software in the 
back end so that once you rectify the very visible issue, and 
you may think your problem is solved and go back to managing 
your business, there is this other software that is going to 
start exfiltrating data down the road. So you really need to 
get a professional in to do a thorough analysis and your 
insurance company can help you identify those people.
    Ms. VELAZQUEZ. Mr. Geopfert?
    Mr. GEOPFERT. The part I am going to hit is this actually 
delineates quite a difference between the small business market 
and even the mid-market in that both of those groups are going 
to struggle preventing the breach. It is very difficult in 
today's day and age with the types of exploits and malware to 
keep them out. The more complex the organization, quite often 
they will notice that they are breached earlier. And even if 
the attacker did get in, quite often they have stood up 
security monitoring of the tools that can let us retrace the 
steps of the attacker so we can reconstruct what did the 
attacker do in the environment, how long were they there, what 
did they take, what did they touch?
    In the small markets, quite often they are not even that 
mature. The attackers can get in. By the time the organization 
finds out that an attacker is in, when we show up there is no 
evidence or the small business has already destroyed the 
evidence in their initial response. They have overwritten it.
    And so when we are talking about the damages for small 
businesses, a big part of their problem is they always have to 
assume the worst-case scenario. Because they either did not 
have the evidence or they destroyed it, we have to assume the 
attacker essentially reached everything and legal precedent 
says they have to do mass notification, whereas in the larger 
environments it might be the same attacker who did the same 
thing, we can constrain. We can put bounds around what the 
breach actually was. So it inordinately impacts the smaller 
environments simply because they are less able to reconstruct 
what the issue was even if they could not stop the attack.
    Ms. VELAZQUEZ. Thank you.
    Ms. Davis, cyber insurance is in its infancy as an 
insurance product. How has it evolved since its inception to 
meet the demands of small firms and the needs of neutralizing 
relentless cyber attackers?
    Ms. DAVIS. So the roots of the product were really in the 
technology, you know. And as some of the first-party costs to 
an organization, the immediate costs after a breach began to 
evolve with notification standards and credit monitoring, et 
cetera, the policy was built out to include those first-party 
coverages. And what we are finding now is that financial 
institutions, healthcare organizations, those early adopters in 
heavily regulated segments are really more driven towards that 
personal information and healthcare information.
    Next, we have a three-tail organization, and what we are 
finding now is that the coverages have evolved to really 
address the interdependencies that we are seeing across the 
supply chain. And so business interruption, loss of income, 
extra expense that an organization would have to pay in the 
event of downtime is becoming a key driver in the coverage 
discussion.
    Ms. VELAZQUEZ. And can you explain how the process to 
create policies is complicated by various state and federal 
laws and a disjointed federal cybersecurity effort?
    Ms. DAVIS. Sure. So we talked about some of the first steps 
when an organization realizes that they have been compromised, 
and certainly, forensics is a big piece of that to understand 
what went wrong and why and how many, you know, the extent of 
the information that was compromised. I would argue that very 
early on in that process there also needs to be legal 
representation, attorney breach coaches who are helping to 
prioritize those notifications and needs to individuals who 
were impacted. And the challenges that creates is really each 
and every State, at this point an attorney general is handling 
those topics differently. What is considered legal compliance 
and what timeframe individuals need to be notified? How they 
need to be notified, does it have to be through USPS? Is email 
sufficient? And so the costs, the legal costs for small 
businesses really add up in that process, and so 
standardization of those requirements would help bring down the 
costs associated with it.
    Ms. VELAZQUEZ. Thank you.
    Chairman CHABOT. Thank you. The gentlelady's time is 
expired.
    Ms. VELAZQUEZ. I yield back.
    Chairman CHABOT. Thank you.
    The gentleman from Missouri, Mr. Luetkemeyer, who is the 
Vice Chairman of this Committee, is recognized for 5 minutes.
    Mr. LUETKEMEYER. Thank you, Mr. Chairman. This is a subject 
that we are talking about today that 10 years ago it would not 
even be on our radar, and yet today, here we are. And so it is 
kind of scary from the standpoint of what are we going to be 
talking about 10 years from now that is not on our radar today? 
And so that is how fast our society and evolution of all these 
things is happening. That is just an aside.
    Mr. Cernak, you represent a reinsurance company, and we are 
talking about cyber today and your company provides cyber 
insurance. Why are you a reinsurance company that reinsures 
insurance companies here today talking about cyber?
    Mr. CERNAK. Thank you for the question. And it is a great 
question.
    I think the role that reinsurers play in this realm is to 
help make more coverage available to the end consumers, the 
small businesses, by enabling other property and casualty 
insurance companies to put products out in the marketplace, and 
not only provide those carriers with the capacity, but also the 
technical knowledge to provide a sustainable product that they 
can feel comfortable bringing to their insured customers. And 
so beyond the dollars that a reinsurer can provide to these P&C 
carriers, it is also the claims expertise, the service provider 
networks, the forms development, and the rate development. You 
need all of those things to create a compelling product, and by 
doing that we help other carriers introduce products in the 
marketplace, thus helping the end insureds.
    Mr. LUETKEMEYER. Very good.
    Evaluating the risk here is really difficult, and I know 
Mr. Luft made a comment in his opening statement that 43 
percent of the attacks are on small businesses. My staff has 
got a number here of businesses under $300 million in value, 50 
percent of cyber attacks are on those businesses. This tells me 
we have got a very vulnerable group of folks here that probably 
do not have the expertise to deal with it. And so how do we 
protect them? So that is where insurance comes in.
    So I guess my concern is not necessarily, I know we have 
talked a little about the business interruption, basically 
coverages that you guys are involved in, but to me the biggest 
risk for a small business is the liability exposure. And 
liability exposure is such that if I am in the lending business 
and I am lending to a small business and I see that they are 
very highly leveraged and I see that they deal with lots of 
personal information, to me there is an exposure there that 
could really harm that credit. Therefore, that whole line of 
credit is in danger. Therefore, it is going to hurt me as a 
financial institution.
    And I can see that at some point the regulators are going 
to get involved in this and start asking and requiring for 
cyber insurance for certain lines of business that deal with 
more information.
    So if Mr. Cernak or Ms. Davis would like to take this, it 
looks to me like small businesses are the low-hanging fruit for 
the bad guys to go after and I think in some cases, I was 
talking to some folks a while ago, that it can even be the back 
door to bigger business, which means you have an even bigger 
liability risk. So would you like to talk about that just for a 
second, how you want to approach that particular part of the 
coverage?
    Mr. CERNAK. Sure. And I think you are right on with that 
assessment that we are starting to see small businesses be that 
back door into the larger businesses, and we are starting to 
see the larger businesses require contractually that these 
smaller businesses carry some level of cyber insurance. The 
struggle there is oftentimes they may or may not have an 
arbitrary dollar amount in terms of the limit they want 
carried, and they also do a fairly poor job of identifying the 
exact coverages they want those folks to carry.
    Your comment relative to the lending industry in 
particular, I don't think I have seen that as of yet, but I 
think it is a valid concern.
    Mr. LUETKEMEYER. Go ahead, Ms. Davis. Would you like to 
comment?
    Ms. DAVIS. I totally agree. And thank you for the question. 
Absolutely, we are seeing that back-channeling take place where 
it does feel as though the larger organizations are locked and 
loaded when it comes to their information security measures, 
but that supply chain that we reference has become a huge 
vulnerability, especially in the manufacturing space and when 
we think through items like corporate confidential information.
    Mr. LUETKEMEYER. I think Mr. Luft made a comment a while 
ago with regards to a question I think one of our other folks 
made. And the comment was made with regards to covering things 
that may have happened prior to the coverage being effective. 
And so my question is, do your policies, are there policies 
out there that will take care of things that you put in place 
that were not accurate or that exposed you not only before, but 
what happens if you put something in place, you let the policy 
drop or go to a different carrier, do you have tail coverage or 
something as well with this? Can you kind of explain the before 
and after coverages here if there is such a thing?
    Ms. DAVIS. Yeah. So it is an important development in the 
cyber insurance space, the idea of prior acts. And the reason 
why it came about is because of the statistic that 
Congresswoman Velazquez noted of 200 days potentially where a 
perpetrator has been in the network and we found the nature of 
the threats has changed as attackers used to enter a network, 
grab as much information as they can, and then get out, and now 
they tend to lurk and try to stay under the radar, grabbing 
small bits of information at a time. So that coverage is 
available in the marketplace, and typically, we do find that 
affordable coverage to that effect is available as customers 
change carriers as needed.
    Chairman CHABOT. The gentleman's time has expired.
    The gentlelady from New York, Ms. Clarke, is recognized for 
5 minutes.
    Ms. CLARKE. I thank you, Mr. Chairman. And I thank our 
ranking member. I want to also thank our witnesses for your 
expert testimony today. This is very important information. I 
think the average small business is really at a disadvantage in 
this day and age, not really conscious of the intrusion of 
those who would want to either extort them or use them as a 
tool for penetrating even larger enterprises. So I want to 
thank you once again for your insights.
    Ms. Davis, I did want to find out from you how does your 
company tailor insurance policies? Is it for each client? Is 
there a ``one size fits all'' package? Can you give us some 
insights into that?
    Ms. DAVIS. Sure. So it is helpful to understand the 
underwriting process when answering this question, so let me 
start with that. Organizations would typically complete one to 
two underwriting applications and those are submitted to 
various carriers by an insurance broker. It was noted earlier 
to really partner with a broker who has expertise in this space 
since it is such an evolving area. And those applications have 
questions on them. Some are reflective or inclusive of controls 
kind of noted through the NIST framework; others are outside of 
that. So there would be various applications and levels of 
information that are provided at the time of the application 
process.
    But what the customers request, what an insured requests is 
really driven again by more of their risk tolerance, why they 
are purchasing the policy. Are they looking at it as more of a 
contractual requirement? Or are they looking for a more robust, 
cutting-edge solution? So, and a lot of that will influence the 
price as well.
    Ms. CLARKE. So it is more of a tailored process based on 
the questionnaires that the individuals fill out?
    Ms. DAVIS. That is correct.
    Ms. CLARKE. And how widespread would you say this sort of 
practice within insurance, how widespread has that become to 
your knowledge?
    Ms. DAVIS. The tailoring of solutions?
    Ms. CLARKE. No, I am sorry. This sort of insurance practice 
for small business getting cybersecurity insurance?
    Ms. DAVIS. So just so I understand, you are asking how 
widespread is it that the small businesses----
    Ms. CLARKE. Within the industry of insurance, your company 
is one that has been identified. Have other insurers begun 
moving into this space?
    Ms. DAVIS. Yes, absolutely. There is a growing recognition 
that small businesses are looking and actively seeking to raise 
their risk awareness, and insurance is one piece of that 
puzzle. It should not be the entire solution, but we are seeing 
increases in small- to medium-sized organizations actively 
seeking out insurance policies for cyber.
    Ms. CLARKE. Yeah, because sort of most brick-and-mortar 
type of businesses have insurance, right?
    Ms. DAVIS. Right.
    Ms. CLARKE. Theft insurance, what have you. But not many of 
those types of mom-and-pop establishments, which are very 
prevalent in Brooklyn, New York, where we are from----
    Ms. DAVIS. Yes.
    Ms. CLARKE.--would be looking to essentially look at their 
sort of connectivity and determining how they would add that to 
a current policy.
    Ms. DAVIS. And I think that is a great point and it really 
gets at the way that the product has evolved from just a couple 
of years ago, where it was really focused on more privacy 
exposed organizations, and now we are at that new cusp of 
buyers and coverages that are more driven towards that business 
interruption, that network interruption, and the downtime and 
financial impact that it could mean to those mom-and-pop 
organizations.
    Ms. CLARKE. Wonderful. Thank you.
    Mr. Luft, in your testimony, you point out that small 
businesses often do not perceive themselves as being targets 
for cyber attacks. What can we do to educate the general public 
on the risks of not being protected? And what can we do to 
ensure that they have a place to go after a cyber attack takes 
place? As it stands now, where do they go?
    Mr. LUFT. Well, I would say the first step is the small 
business needs to understand that there is extreme risk out 
there and they need to look no further than to television. 
There are plenty of reports about what is happening to major 
corporations, to small businesses on a daily basis. So my first 
suggestion is that small businesses need to take that 
initiative.
    From an education standpoint from this body, I do know from 
the Federal resources, from the SBA, especially within 
Cincinnati, they do a tremendous job of having events informing 
small businesses about cybersecurity and actions they need to 
take place. So I would think more what needs to happen is the 
initiative from the small businesses to take action.
    Ms. CLARKE. And probably partnering with some Chambers of 
Commerce?
    Mr. LUFT. Absolutely. Yes.
    Ms. CLARKE. And things of that nature?
    Thank you very much again for your testimony here today. 
Mr. Chairman, I yield back.
    Chairman CHABOT. Thank you very much. The gentlelady's time 
is expired.
    And the gentlelady from American Samoa, Mrs. Radewagen, who 
is the Chairman of the Subcommittee on Health and Technology is 
recognized for 5 minutes.
    Mrs. RADEWAGEN. Talofa. Good morning. Thank you, Mr. 
Chairman and Ranking Member, for holding this critical hearing. 
Thank you all for appearing today.
    Ms. Davis, my first question is for you. You mentioned that 
businesses with personal health and personal financial 
information consider data security as more of an issue. Are 
there any industries that you believe are prone to cyber 
attacks, but currently do not see cybersecurity as a pressing 
issue?
    Ms. DAVIS. I would say the one class of business where we 
are definitely seeing an increase in awareness is in the 
manufacturing space. And again, that gets back to more of the 
corporate confidential information, the supply chain, and what 
interruption, network interruption could mean to those 
organizations. Manufacturers, historically, had felt like the 
product did not necessarily speak to their coverage needs, to 
their exposures, and we are definitely seeing that maturity 
start to change in their thought process.
    Mrs. RADEWAGEN. Thank you.
    My second question is actually for all of you. What do you 
think are the biggest risks for cybersecurity insurance 
providers that do not exist in other insurance markets? Mr. 
Luft?
    Mr. LUFT. Your question was specific to the cyber insurance 
companies?
    Mrs. RADEWAGEN. Insurance providers. Yes.
    Mr. LUFT. In speaking about the small businesses, the 
reason why they need to think about that as the statistic has 
been mentioned several times today, that after a cyber attack, 
60 percent of small businesses are out of business within 6 
months. I think that is the greatest call for action from a 
small business perspective.
    Mrs. RADEWAGEN. Ms. Davis?
    Ms. DAVIS. I think one of the biggest challenges to 
insurers right now is really not having a solid sense of what 
their aggregation concerns may be. When we think through 
property as an example, you are able to model, right, what your 
windstorm-exposed areas are. When it comes to cyber, there are 
all of these hidden or sort of silent interdependencies that 
you may not be able to track or to model in the underwriting 
process. So that is definitely a concern for us.
    I would also say the intersection of the various lines of 
business is unique to the cyberspace. We are talking today 
about kind of the standalone cyber policies, but what we are 
finding is that as the threats evolve, some of these coverages 
are creeping into different policy lines, and so making sure 
that we have a way of identifying those gaps and redundancies 
to make sure we are providing good, holistic, meaningful 
solutions to our customers.
    And lastly, I would just say that this is a product still 
in its infancy and so we are learning together across the 
industry to make sure that we provide more consistent 
underwriting processes, more consistency in our application 
process, and in the language and vernacular that is being used. 
And I think all those things are hurdles for us at this time.
    Mrs. RADEWAGEN. Mr. Cernak?
    Mr. CERNAK. Thank you for the question.
    I see two major challenges right now, in addition to the 
ones that Ms. Davis pointed out. First is the patchwork of 
regulations that we are faced with in terms of trying to 
address and create products. We have to not only worry about 
the State, but the Federal, and now international regulations 
and security standards. So that is one item.
    The other, as Congressman Luetkemeyer mentioned in his 
remarks, is the smartphone is turning 10 years old this year, 
right? Never have we tried to insure an exposure that is 
evolving this quickly. It is moving with the speed of 
technology, and that in and of itself poses challenges.
    Mrs. RADEWAGEN. Thank you.
    Mr. Geopfert?
    Mr. GEOPFERT. I will speak as the neutral third party in 
the room. Quite often when things go bad, what we see working 
as responders with the insurers and the small businesses, it is 
more of a syntax issue. There is no common language to talk 
about security and risk within these organizations. So what we 
see is the insurance companies reaching out to the small 
businesses trying to put together their policies and packages 
and understand the risk of the organization they are going to 
insure. And the small business, not being malicious, they 
simply do not understand security.
    When they are filling out the package and trying to 
communicate how much data do they have? How do they control it, 
their business partners, their systems? They do not know how to 
fill out the packages and applications in the right way. So 
quite often the insurance companies will pick up that policy 
and not really understand what is underneath the hood until 
there is a breach, until we come in on the technical side and 
start touching the environment. Quite often, the insurance 
companies really do not understand how bad bad can get.
    And so until we can get to the point where there is sort of 
a standardized language where the insurance companies know how 
to rate the risk of a small organization and the small 
organization knows how to rate themselves, there simply could 
be missed expectations on both sides.
    Mrs. RADEWAGEN. Thank you. Thank you, Mr. Chairman. I yield 
back.
    Chairman CHABOT. Thank you very much. Thank you very much. 
The gentlelady's time is expired.
    The gentleman from Pennsylvania, Mr. Evans, who is the 
Ranking Member of the Subcommittee on Economic Growth, Tax, and 
Capital Access, is recognized. And I would like to thank him 
for his leadership on this issue and introducing legislation to 
ensure that the SBDCs accredit the people that will help to 
train small business folk to better protect themselves against 
cyber attacks. So we appreciate his leadership on this. And he 
is recognized for 5 minutes.
    Mr. EVANS. Thank you, Mr. Chairman. I appreciate you and 
the ranking member's leadership collectively on the fact that 
this is really a bipartisan approach and we have all got to 
work together.
    So what I want to piggyback a little bit and expand a 
little deeper on what Ms. Davis said and the term that she 
used, ``risk mapping.'' And used that term, and kind of if you 
have a crystal ball, if you say ``risk mapping,'' what 
particular industries, much more subject to the risk aspect in 
terms of where we are today? You said risk mapping. Give me a 
sense on categories of small businesses.
    Ms. DAVIS. So when I speak through risk mapping, I am 
thinking through, you know, it varies by industry, but it is 
also about identifying what is at risk from a pure data network 
security view, but also the broader implications that that may 
have on your organization. So the lost revenue or the downtime, 
it could mean the reputational risk. It could mean bodily 
injury or property damage, and bringing together a multi-
stakeholder approach when evaluating cyber risk so that you are 
thinking of it as an organization, as an enterprise level.
    And in terms of the cyber or the IT risk mapping component 
of that, it could mean from a retail organization how many 
records you are holding. How long are you retaining them? For 
what reason are you retaining them? So that you are always 
keeping a proper calibration between your data risk and your 
data value.
    Mr. EVANS. Okay. I am starting my business. I mean, where 
would you go to kind of get that little sense of the mapping 
and understanding? To your knowledge, does anybody keep track 
of what takes place in terms of the community? Because 
listening, you just said the smartphone is 10 years old. Is 
there anywhere you can go to get a little sense of that?
    Ms. DAVIS. So there are businesses that you can turn to to 
help you do that, but I would say the very first step is doing 
it internally. And again, engaging your stakeholders within an 
organization to make sure that you have got either a risk 
manager or somebody who is acting in a risk manager role. You 
know, talking with HR or if you have somebody handling the IT 
business in-house. But really just beginning to have that 
dialogue internally so that you can start to gain and act on 
the information that you learn through something like an 
incident response plan to help you engage and limit your 
damages if and when an event does occur.
    Mr. EVANS. To the rest of the panel, hearing what Ms. Davis 
said, we just had this discussion about risk mapping. And as 
you look at it, what would you say in your particular case to 
your clients, understanding the aspect of risk mapping?
    Mr. GEOPFERT. The first point I am going to make is this 
is, again, dealing with small businesses. If you tried to 
explain this concept to them, to your point, they do not know 
where to start.
    Mr. EVANS. Right.
    Mr. GEOPFERT. This would be a perfect role for the Small 
Business Development Centers.
    Mr. EVANS. Right.
    Mr. GEOPFERT. Because they touch so many different 
entities, in a lot of cases they become the de facto knowledge-
sharing centers. And in a lot of cases, they would be able to 
start you on that process and lay that out.
    The other point that I want to make out, when we deal with 
risk mapping, in a lot of cases that operates off the mindset 
that, like what you see in the news, that there are hacking 
crews that are out targeting your specific organization and 
going after you. A lot of small businesses, when they are 
trying to consider their risk, they do not feel that they are 
at risk because we are too small, we are too new. No one is 
shooting at us. It misses the point that the vast majority of 
breaches are not targeted and you cannot plan for that risk. If 
you are plugged into the internet, there is sort of the 
background radiation of the internet that is constantly 
grinding through looking for anybody that happens to be 
vulnerable and it might happen to be you.
    And so a lot of organizations, when we first sit down to do 
risk mapping with them, they are shocked with that realization 
that they are not targeted; they simply were a target of 
opportunity on the network. And so I think the Small Business 
Development Centers would be great at communicating that 
message of in your specific industry, this is what a risk map 
would look like. But do not forget there is a permanent 
residual risk that you simply cannot excuse yourself because 
you are too small or you are not in that industry.
    Mr. CERNAK. I think there is also an opportunity for 
insurance agents and brokers to begin that process as well. 
Because as they are sitting down discussing with their clients 
what their exposures are, they can start to ask the leading 
questions, if you will, as to what data do they have, where is 
it stored, and how do you use it, a lot of the points that Ms. 
Davis suggested. So I think insurance agents and brokers need 
to raise their level of education to help the clients.
    Mr. EVANS. I yield back the balance of my time. Thank you, 
Mr. Chairman.
    Chairman CHABOT. Thank you. The gentleman's time is 
expired.
    The gentleman from Iowa, Mr. Blum, who is the Chairman of 
the Subcommittee on Agriculture, Energy, and Trade, is 
recognized for 5 minutes.
    Mr. BLUM. Thank you, Mr. Chairman. Thank you to the 
panelists for being here today to talk about a very important 
issue to small businesses.
    I am and was a small business person, and a few years back 
my high-tech company was compromised via a cyber attack. I was 
absolutely shocked at how untrained law enforcement was on how 
to handle this situation because we lost value. We lost value.
    Two questions concerning that for the entire panel: A, has 
that changed? Is law enforcement, in general, across the 
country better trained now to handle the theft of a company's 
information via cyber attack?
    And B, what can Congress do or what can government do, 
assuming we are not where law enforcement needs to be? What can 
we do to--any ideas or suggestions on how we can change that?
    Mr. LUFT. To your first question, I hope. And the second 
question, as far as what Congress can do, whatever can be done 
to help inform small businesses about the number of threats 
that are there and helping small businesses understand what 
steps they can do to protect themselves is the greatest thing 
that could be done right now.
    Mr. CERNAK. Again, I think, you know, the patchwork of 
regulations also can hinder a little bit of that because there 
is this attitude of, you know, well, who is ultimately 
responsible for that portion of the law enforcement if you have 
got different regulatory bodies that are involved in cyber 
events? So I think, again, streamlining that may help as well.
    Mr. BLUM. In your opinion, is law enforcement better 
trained than they were 5 or 10 years ago on cyber attacks? And 
how to prosecute and how to find out what the value is of what 
was taken, et cetera, et cetera?
    Mr. CERNAK. Yeah. No, and that is an excellent question. 
Unfortunately, my focus is more on helping the small businesses 
recover relative to the issue and that is where my expertise 
stops.
    Mr. GEOPFERT. Sir, it pains me to say, as I am a former 
special agent, so that is where I came from, are they better 
than they were 5 or 10 years ago? Yes. Has it materially 
improved the situation? No.
    Per my comments earlier, in a lot of cases, what happens 
with a small business especially is they do not register on the 
Richter scale enough to draw the attention of the law 
enforcement entities that could actually do something to 
resolve the situation. And so the FBI and Secret Service have a 
lot of very skilled people that do exceptional work, but there 
is only so much availability, so much bandwidth. And they are 
naturally going to gravitate to the larger events. And so while 
they would be interested to hear of the issues within the small 
businesses, the idea that they are going to send an agent down 
to start working on those cases is just not reasonable.
    And so what you are left with is local law enforcement, who 
usually are very excited to help, but they technically cannot 
do anything. They are very effective, and they have put a lot 
of people through training where if you have internal theft, if 
you have an employee that is committing fraud or something, 
they can assist with those types of issues, but at the end of 
the day, the goal of law enforcement typically is to affect an 
arrest against somebody. And with the vast majority of the 
attackers overseas, it is quite often hard to get them 
interested. And what they seem to miss is they do play a key 
role in this.
    Take a typical small business that might not have great 
security monitoring themselves, so they do not produce the 
evidence internally for us to reconstruct what the events were. 
But let us say we can see an offending IP address that touched 
them where the attacker came from on the last hub. That IP 
address is in somewhere else, another business, another citizen 
of the U.S. We cannot go acquire that system. But if I worked 
with a law enforcement entity, I could very rapidly get some 
type of search authority. They can go acquire that system. We 
might be able to recover the evidence we need to see how bad 
the event was off of that system. And when we try to do that 
now, quite often that is weeks or months to go through that 
process. By that time, all the evidence we could have used to 
limit the damage is gone.
    And so there is a role, but because they normally are not 
going to end up in arrest, it is hard to get them engaged.
    Mr. BLUM. Thank you very much.
    Last question, assuming the value of the compromised data 
is covered by insurance, how do you quantify? How do you put a 
number on compromised data? How does that work? That has got to 
be, I mean, that has got to be a tough thing. Give me some 
insight into that, please.
    Ms. DAVIS. So it is a tough thing. In talking about the 
patchwork of laws, it largely depends when you talk about how 
those records are compromised, you know, where they were 
compromised, the extent of them, the number of people who are 
going to require notification. There is a general sentiment 
that there is desensitization happening across the population, 
so fewer and fewer people are taking carriers up on offers for 
things like credit monitoring. It depends largely on the 
forensics, how long they were in your network, how much 
information was compromised, and really driving up those 
forensics costs; any fines and penalties that could be 
resulting from that and if there were data restoration costs 
involved. So the sums, they range wildly.
    To get to your earlier question, I just want to point out 
that they say the prosecution rate for these kind of nefarious 
actors only ranges around 10 percent, and so that means that 
criminals who were sort of lurking in the dark web are 
currently coming out because there is no reason to be in the 
dark and that means they are talking to each other. And so the 
sophistication and nature of the attacks really continues to 
increase.
    Chairman CHABOT. The gentleman's time is expired.
    Mr. BLUM. I yield back the time I do not have, Mr. 
Chairman.
    Chairman CHABOT. Thank you very much.
    The gentleman from Florida, Mr. Lawson, who is the Ranking 
Member of the Subcommittee on Health and Technology, is 
recognized for 5 minutes.
    Mr. LAWSON. Thank you, Mr. Chairman. And welcome to the 
Committee.
    Ms. Davis, as you are well aware, many small businesses may 
be unaware of the lack of capital to purchase cyber insurance. 
What can small business organizations, SBAs, as well as local 
entities, do to better educate the small businesses about the 
risk of cyber attacks and the importance of purchasing cyber 
insurance?
    And I say that because I was in small business and I have 
been trying to wind some things down. And a young person came 
in. I heard Mr. Cernak talk about the birthday of this here is 
10 years old and I had a typewriter in the office, an IBM 
Selectric typewriter. And one of the young persons said, what 
is that? You know, and I said this is one of IBM's best. They 
said, they still make those?
    So my question is, I just wanted to say that because when 
you talked about the birth of this, what can we do to educate 
small businesses about it?
    Ms. DAVIS. So I think when it comes to small businesses, 
you know, we really have to think through the culture of an 
organization. When it comes to controls, the expectations 
across industry class are really going to vary wildly, so you 
cannot say this one control will make you a better risk. There 
is no silver bullet answer, but it is about building a culture 
of resilience. It is about understanding what your risks may 
be. It is about ongoing employee training. And these are items 
that do not have a significant price tag associated with them. 
That is just an ongoing effort to make sure that you are 
bringing the right people into the conversation and that you 
have that multi-stakeholder incident response plan in place if 
and when an event occurs. Because what we do find is 
organizations who are lacking that sort of preparation are the 
ones who have a longer amount of downtime, more financial 
impact to their organizations because they were not prepared.
    I would say from an insurance perspective, do keep in mind 
that although the costs will vary based on some of the 
subjectivities we have talked about, you know, they cannot 
afford to be out of business for a prolonged period of time. 
And so when you think of the safety net that an insurance 
policy can bring to the equation, it will likely be a fairly 
small financial cost compared to that longer hardship if the 
downtime is significant.
    Mr. LAWSON. Okay. And I have read the staff report on cyber 
insurance can be customized to the specific needs of the 
company. Mr. Cernak, what are some of the more innovative ways 
that you see cyber insurance can be crafted to the specific 
needs of small businesses?
    Mr. CERNAK. One of the trends we have seen lately is 
tailoring it to small businesses by making it even more 
comprehensive. So a lot of the policies that may be out there 
currently offer higher limits, but you have to choose which 
exact coverages you feel you need as a small business owner. 
And the concern is maybe I select the wrong coverages for what 
I need.
    So we are seeing a trend of packaging multiple coverages 
under a common limit, making it a very streamlined approach so 
that they do not have to answer 12 pages of underwriting 
questions where you are going to get the wrong information, not 
by any malicious intent, but simply by the fact that they do 
not understand the application. Perhaps provide cyber insurance 
as an endorsement to a policy they might already be buying. So 
perhaps they are already buying a business owner policy that is 
providing them with property and liability insurance. Can we 
add on a very nice and tidy package of cyber coverages as an 
endorsement to that?
    Mr. LAWSON. And a real quick question, anyone can answer. 
Will small businesses in the small business be able to do group 
coverages, hopefully, to stabilize their premiums?
    Mr. CERNAK. So along the lines of almost a captive or some 
sort of that, there has been, I know, some conversations around 
that idea. It is a little bit of a challenging idea because as 
we stated earlier, you know, cyber does provide some level of 
aggregation exposure. And so by doing a group approach, you may 
be doubling down on that aggregation exposure as well. But 
there may be some cost savings, especially as these policies 
tend to bring services into play. Those services may be had at 
a more competitive price.
    Mr. LAWSON. Okay. My time has expired, but I hope you all 
remember the IBM Selectric typewriter.
    Mr. Chairman, I yield back.
    Chairman CHABOT. Thank you very much. The gentleman yields 
back.
    And we want to very much thank the panel here for helping 
the Committee to better understand an issue that more and more 
small businesses all across the country are facing, and that is 
the cyber risk that is out there, the attacks that they could 
be facing. We are committed as a Committee to doing everything 
we can to assist the small business community to better protect 
themselves, whether it is best practices, whether it is 
potentially cybersecurity insurance, and you all have assisted 
us in doing that, so we thank you very much for that.
    I would ask unanimous consent that members have 5 
legislative days to submit statements and supporting materials 
for the record.
    Without objection, so ordered.
    And if there is no business to come before the Committee, 
we are adjourned. Thank you very much.
    [Whereupon, at 12:22 p.m., the Committee was adjourned.]
                            A P P E N D I X


                    Testimony of Erica Davis

Senior Vice President and Head of Specialty Products Errors and 
                           Omissions

                      Zurich North America

                           before the

               House Committee on Small Business

     ``Protecting Small Businesses from Cyber Attacks: the 
                Cybersecurity Insurance Option''

                         July 26, 2017

    Chairman Chabot, Ranking Member Velazquez, and Members of 
the Committee, thank you for the opportunity to speak with you 
today about the important issue of cybersecurity and the role 
of the private sector in providing risk management solutions to 
businesses to protect against cyber risk.

    As a leader of a team of market-facing underwriters at 
Zurich North America, I work with brokers and customers on the 
placement of cyber insurance. While there is increased 
awareness of the threats across all sizes of organizations, 
businesses are still struggling to understand cyber risk: the 
full scope of their exposures and how best to protect 
themselves and their customers.

    Zurich

    Zurich is a leading multi-line insurance group with more 
than 140 years' experience serving businesses worldwide. Zurich 
employs approximately 54,000 people and serves customers in 
more than 210 countries and territories.

    Zurich entered the United States in 1912, and for more than 
100 years has served businesses of all sizes in America, 
including Fortune 500 companies, small and medium size 
businesses, as well as farmers and ranchers. We are proud to 
help them manage risk and give them the confidence to 
contribute to the U.S. economy. Zurich's North American 
headquarters is in Schaumburg, Illinois, and supports the jobs 
of over 9,000 employees across the United States. We are proud 
to have a market and employment presence in each of your 
states. We are also pleased to offer risk management solutions 
to customers in Puerto Rico and will explore the marketplace of 
American Samoa.

    As one of the five insurance providers currently leading 
the North American cybersecurity insurance market, Zurich is 
invested in identifying risks and delivering solutions for its 
customers. Zurich is committed to staying at the forefront of 
the cybersecurity issues, as both the likelihood of a security 
breach and costs continue to escalate.

    Zurich's Approach to Cyber Risk

    Understanding Attitudes to Cyber Risk. As the cyber threat 
landscape continues to evolve, companies across all industries 
find themselves increasingly vulnerable to potential harm from 
a security or privacy event.

    Most loss dollars arise from first-party privacy breach 
costs, such as forensics, breach coaches, consumer notification 
and credit monitoring. We are also seeing:

           Business interruption loss

           Liability lawsuits

           Regulatory fines

           Reputational damage

           Shareholder suits

    Businesses today face difficult decisions about 
cybersecurity and how best to manage their risks: deciding 
whether they should retain the residual risk or transfer it 
through the purchase of a cyber insurance product.

    The role of insurance is continuously increasing as 
customers are now seeking industry feedback and risk insights. 
It has become more of a partnership, with businesses focusing 
on not just what happens post-breach and a loss being paid. 
They value having a stable of pre-vetted vendors available to 
them if they are impacted by a data or security event. They are 
also focusing more on pre-breach services to guide them through 
risk mitigation tools like technology assessments.

    In October 2016, Zurich and Advisen (a leading provider of 
data, media and technology solutions for the commercial 
property and casualty insurance market) released a sixth annual 
survey of risk managers, insurance buyers, and other risk 
professionals on the current state of trends in information 
security and cyber risk management. Key findings included:

           Eighty-seven percent of respondents believe a 
        technology interruption would have a moderate-to-
        significant impact on their business.

           Over the last six years, the proportion of 
        companies buying security and privacy cyber insurance 
        has increased by 85%, from 35% in 2011 to 65% in 2016.

           For the first time in the six years of this 
        study, general counsel has surpassed information 
        technology as the department most frequently 
        responsible for assuring compliance with all applicable 
        federal, state, or local privacy laws, including state 
        breach notification laws.

           Most companies surveyed (97 percent) clearly 
        recognize the importance of collaboration between their 
        risk management and information technology departments 
        on issues related to cyber security.

           Industries with substantial personally 
        identifiable information, personal health information 
        and/or personal financial information, in general, 
        consider data security and privacy to be a more 
        significant risk. As a result, they also are more 
        likely to purchase security and privacy insurance and 
        engage in risk management activities.

           Costs related to a breach of customer/
        personal information are the leading reason for 
        purchasing cyber insurance.

    Coverage. Zurich provides coverage for cyber risk to 
businesses of all sizes, and cyber coverage is tailored based 
on customer need. While the historical reason for purchasing 
cyber insurance is liability concerns and costs related to 
breach of customer or personal information, coverages recently 
have focused on business interruption and supply chain downtime 
as the result of a cyber event.

    Risk culture is also critical to underwriting any line of 
business. Cyber insurance is no exception. It is critical for 
businesses to build a culture of awareness at all levels. 
Events in recent years have raised awareness of cyber risk 
across all industry segments. Businesses must adopt a mindset 
of resilience rather than just protection.

    More businesses are beginning to view information security 
as an organizational challenge rather than just a technology 
issue. The business community's interconnectivity and reliance 
on technology has increased, which creates more points of entry 
and new threat vectors. The exposure has broadened to include 
potential property damage for something like critical 
infrastructure, bodily injury caused by autonomous vehicles or 
cyber espionage.

    Therefore, the underwriting of the cyber product is 
evolving as the risks are morphing. The insurance community is 
continuously working to understand the full scope of the 
exposures and what the controls might need to be. Each business 
needs to be underwritten differently.

    Resilience. Organizations of all sizes now realize they are 
at risk of a security or privacy event. Finding solutions to 
the most complicated of cyber risks will require collaboration 
between the insurance industry, governments, academia and other 
think tanks to establish standards, encourage information 
sharing, build resilience and create adequate global 
governance.

    In an effort to continuously help customers understand and 
protect themselves from risk, Zurich began participating as a 
key industry consultant in a ``first of its kind'' public-
private partnership by the University of Maryland and the 
National Institute of Standards and Technology (NIST). The 
partnership embarked on a research project to assist companies 
ascertain the effectiveness of their information security and 
cyber supply chain best practices, with an end goal of helping 
organizations increase their cyber risk assessment and 
management capability. The project built on an existing Cyber 
Risk Portal, which collects data by allowing participating 
businesses to anonymously upload information to compare their 
cybersecurity capabilities to the existing NIST Framework, as 
well as to their peers and competitors.

    To further assist businesses with their security and 
privacy risk management, Zurich is also collaborating with 
Deloitte to help improve a company's cyber resilience. 
Policyholders can complement Zurich's cyber coverage with pre-
breach cyber risk assessment and management services through 
Deloitte to understand their level of cyber exposure and 
resilience. These services include standards-based risk 
assessment of an organization's threat detection and incident 
response capabilities, as well as risk mitigation 
recommendations. This is just one area where Zurich is focusing 
on cyber risk mitigation rather than solely risk transfer.

    Insurance Issues

    Data Breach Uniformity. Because there is a myriad of state 
laws governing data breach, we are interested in a national, 
uniform standard on data security and breach notification. 
While this is not directly in the jurisdiction of this 
committee, it is certainly relevant for you as Small Business 
Committee Members to recognize the complexity of cybersecurity 
governance from a business perspective. We appreciate the 
efforts of Congressman Luetkemeyer in this regard.

    Cyber Accumulation. A challenging issue for all insurers is 
cyber accumulation. Given the cyber interconnectedness of 
potential data loss, business functions, and supply chains, the 
ability to quantify exposures, accurately price risks, and 
manage accumulations and capital requirements will remain a 
difficult issue for the insurance community for the foreseeable 
future.

    Cyber as a Peril. Zurich is contributing to the public 
dialogue around interconnectivity and the full range of 
exposures from cyber as a peril. The extent of exposures 
presented by a cybersecurity event is beyond the current scope 
of coverage. For example, physical damage is rarely offered on 
a cyber insurance policy, but can result from a cyber attack. 
The full range of the exposure is too broad to be covered by 
the private sector; not all causes of loss can be transferred 
to an insurance policy. Cybersecurity breaches can cause losses 
including property damage, bodily injury and reputation risk, 
and we are investigating the best way to consider these 
impacts.

    Conclusion

    Zurich continues to refine its understanding of cyber 
exposures so we can help our customers understand the risk, 
make thoughtful decisions on our current product, and develop 
additional insurance solutions going forward.

    With data breach, ransomware and other attacks on small 
businesses occurring daily, we appreciate your focus on risk 
management solutions provided by the private sector.

    Thank you again for the opportunity to testify today. I 
look forward to answering your questions.

    Chairman Chabot, Ranking Member Velazquez, and members of 
the Committee, thank you for inviting me to testify. My name is 
Eric Cernak, and I am Vice President U.S. Cyber and Privacy 
Risk Practice Leader at Munich Re, US. Munich Re provides a 
range of reinsurance and insurance solutions through various 
companies that are part of the Group. In the U.S., Munich Re 
provides cyber- and privacy-related insurance for small 
businesses through Hartford Steam Boiler Group (HSB) 
headquartered in Hartford, Connecticut. HSB has an A++ 
(Superior) financial strength rating from A.M. Best Company and 
has underwritten cyber reinsurance and insurance for over 12 
years. Small business cyber insurance clients are served by 
over 1,500 HSB employees in our Hartford office and regional 
offices throughout the U.S.

    I am testifying today on behalf of the Reinsurance 
Association of America (RAA) and the Property Casualty Insurers 
Association of America (PCI).

    The RAA is the leading trade association of property and 
casualty reinsurers doing business in the United States. RAA 
membership is diverse, including reinsurance underwriters and 
intermediaries licensed in the U.S. and those that conduct 
business on a cross border basis. The RAA represents its 
members before state, federal and international bodies.

    PCI is composed of nearly 1,000 member companies, 
representing the broadest cross section of insurers of any 
national trade association. PCI members write $202 billion in 
annual premium, 35 percent of the nation's property casualty 
insurance. Member companies write 42 percent of the U.S. 
automobile insurance market, 27 percent of the homeowners' 
market, 33 percent of the commercial property and liability 
market and 34 percent of the private workers' compensation 
market.

    Today's hearing is an important discussion to highlight the 
success of the private sector in developing cyber insurance and 
to help raise awareness among the small business community 
about the option of securing cyber insurance, which can offer 
both preventative, risk-management tools and act as a critical 
safety net should a cyber event occur. My perspective today is 
from that of a reinsurer and insurer. Munich Re's Hartford 
Steam Boiler Group, as a reinsurer (insurance for insurers) for 
primary insurers, provides reinsurance to share in the risk of 
loss, helps primary insurers underwrite cyber risk and develop 
products, and provides other services to primary insurers that 
are writing, for example, cyber insurance specifically for 
small businesses. HSB, as a primary insurer, also offers cyber 
insurance and services directly to customers (via brokers and 
agents).

    ORIGIN AND DEVELOPMENT OF CYBER INSURANCE

    Cyber is a rapidly evolving risk and reinsurers and 
insurers continue to develop products to meet the increasing 
demand and needs of the insureds, including small businesses. 
The magnitude of known attacks, development of new technologies 
and security measures to protect against such attacks are 
growing dynamically. As reported by Risk Management Solutions 
in its 2017 Cyber Risk Landscape Report, the number of large 
magnitude data exfiltration events has grown substantially in 
the years prior to 2016 (with 2016 showing some recent 
flattening of incident rates). To protect against these 
threats, companies are increasingly investing in their own 
cybersecurity systems. And, per the RMS report, global 
expenditure on cybersecurity is estimated to have grown 14 
percent year-on-year, from $75B in 2015 to $86B in 2016.

    According to a report published last month by Aon titled, 
``Global Cyber Market Overview, Uncovering the Hidden 
Opportunities,'' the global stand-alone cyber insurance market 
in 2016 was around $2.3 billion in premium, up from $1.7 in 
2015, and the U.S. accounted for 90% of the 2015 market. The 
report noted that ``the market is still believed to be in its 
infancy and penetration levels are still relatively low.'' It 
estimated that globally ``over 75%'' of certain large 
businesses but ``less than 5%'' of small and medium-sized 
businesses secured some cyber insurance. In the U.S., around 
19% of small businesses secured some cyber insurance. Aon's 
report projected that the U.S. stand-alone cyber insurance 
market gross written premium will continue to grow at 30% per 
year and could more than triple from 2015 to 2020, from $1.5 
billion to $5.6 billion.

    More insurers have become interested in offering cyber 
insurance over time. Less than a dozen insurers offered some 
cyber insurance in the early 2000s compared to more than 70 in 
2016. Reinsurance risk transfer options for insurers with 
regard to cyber may also become increasingly available. Aon's 
report mentioned another study by Aon Benfield that ``estimates 
the 2015 global reinsurance market to be worth c. $525m in 
annual premium.'' Further, ``more than 15 reinsurers actively 
write standalone cyber treaties and the number is increasing.''

    Most cyber insurance policies have their roots in liability 
coverage. Initially, these policies were considered ``stand-
alone,'' meaning the business needed to purchase the coverage 
separately from any other insurance, such as general liability, 
they might be purchasing, as these policies did not provide 
explicit coverage for cyber-related losses. The first cyber 
policies were often expensive, difficult to obtain, and 
required a relatively cumbersome and confusing application 
process. For these reasons, the initial success related to 
cyber policies came from the larger end of the market--Fortune 
1000 companies--and provided limits generally ranging from $10M 
to $25M+.

    Early on, many insurers required the applicant to submit to 
an external data system penetration test. The results of the 
test were then submitted as part of the insurance application. 
As cyber insurance became more prevalent, most insurers dropped 
the penetration test requirement and focused on the 
application. As the market has evolved, it is now possible for 
an insured to obtain up to $5M in coverage by answering as few 
as 4-20 questions.

    As more attacks on larger businesses occurred and media 
coverage increased, smaller business began to take notice of 
the exposure. The insurance market responded by creating cyber 
insurance endorsements, which are simply insurance products 
that are added to policies the small businesses were already 
purchasing, such as their business owners' policy or commercial 
property policy. Business owners' policies typically cover 
small business property and liability exposures in one simple 
insurance package, and commercial property policies typically 
cover the property exposures of larger businesses. A cyber 
insurance endorsement can cover various exposures not addressed 
by Businessowners' or Commercial Property policies by providing 
coverage for costs resulting from a breach of personal 
information, cyber extortion, transmission of a virus to 
another entity, breaching another entity's proprietary 
information, etc. These endorsements afforded the insured a 
streamlined product and application process (generally an 
application is not needed for base limits), and lower premium 
for a commensurate limit (e.g. $100,000). Often these cyber 
endorsements could be automatically quoted without the insured 
ever completing an application--greatly simplifying the 
process.

    With either the stand-alone cyber insurance policy or the 
endorsement approach, a significant part of the value 
proposition is the value-added loss prevention services that 
can be ``bundled'' into the policy to reduce the insureds' 
exposure. For example, a cyber insurance policy could include 
risk-management services such as vulnerability assessments, 
next generation firewalls, IT security audits, and intrusion 
detection/penetration testing. These were ranked as the top 
five most helpful services related to cyber insurance in a 2016 
survey of small businesses conducted by Hartford Steam Boiler.

    In that same survey, 36% of participants gave three reasons 
why they did not purchase cyber insurance. The number one 
reason given was that they claimed they did not need it. The 
second was the expense of coverage, and the third was that the 
process was too complicated and confusing. These results 
suggest that education is key to increasing the take-up rate of 
cyber insurance by small businesses, particularly given that 
86% of the respondents stated that they store Personally 
Identifying or Personal Health Information.

    HOW TO INCREASE THE TAKE-UP RATE OF CYBER INSURANCE BY 
SMALL BUSINESS

    Of the small business objections to cyber insurance noted 
above, two of the three speak to the misunderstanding of the 
value proposition of cyber insurance relative to the exposure. 
Small businesses would benefit greatly from better 
understanding the risks presented to their operations by cyber-
related exposures and the cyber insurance option to address 
those risks. Almost every business now relies upon at least one 
computer to conduct business, whether it is for accepting 
payments, designing parts, or servicing customers. It is 
important for small businesses to better understand their 
reliance upon technology and the impact to their operations 
should it not perform as expected due to a cyber event.

    The public and private sectors have a role to play in 
helping businesses, small and large alike, to overcome the ``it 
won't happen to me'' mentality and constructively address cyber 
vulnerabilities while preparing for the aftermath of a cyber 
event. Cyber attacks may not be a matter of ``if'' but 
``when.'' It is essential for businesses, which are 
increasingly interconnected, to be prepared, protected, and 
resilient, and insurance can help with all three. Businesses 
are no longer being attacked solely for the data they have but 
increasingly for the access to larger businesses with which 
they conduct business. This exposure is now being recognized by 
larger companies as they frequently require smaller business 
partners to carry cyber insurance as part of their contractual 
relationship.

    In addition to education efforts, the insurance marketplace 
needs to continue to refine the process and coverage to reduce 
the complexity associated with purchasing cyber insurance. One 
significant challenge is that the terminology in a coverage 
form can vary greatly from insurer to insurer, thus making it 
harder for an applicant to understand what is covered in 
different policies. Last year, Munich Re's Hartford Steam 
Boiler Group participated in a Treasury-led project to develop 
a glossary of cyber insurance terms to help simplify and 
standardize cyber insurance terminology.

    LIABILITY THAT MAY STILL BE PRESENT EVEN IF AN INSURED 
PURCHASES CYBER COVERAGE

    As previously discussed, the terminology used in coverage 
forms can vary greatly from insurer to insurer, which makes 
understanding coverage difficult when a business is evaluating 
its needs.

    Typical cyber-related coverages can include:

     Data Breach Response

     Data Breach Liability

     Computer attack

     Network Security Liability

     Media Liability

     Cyber Extortion

     Misdirected Payment Fraud (e.g. Business Email 
Compromise)

     Fines and penalties (may not be insurable in all 
jurisdictions)

    Some cyber policies also are beginning to examine and/or 
address the exposure related to:

     Property and bodily injury resulting from a cyber 
event

     Failure of the Internet and the potential impact 
to business operations

    However, the insured may still need to examine other 
policies for potential coverage for cyber-related exposures. 
These other policies may include:

     Crime

     Directors & Officers (which covers legal actions 
against top company executives)

     Contractual Liability (which protects a 
policyholder from liabilities assumed under a contract)

     Technology Errors & Omissions for exposures 
resulting from IT products the insured creates

    MINIMUM SECURITY EXPECTATIONS FOR OBTAINING COVERAGE

    Where an application is required for a cyber product, 
insurers may want to understand if the applicant complies with 
various security requirements (when applicable for the industry 
in question) such as the Payment Card Industry Data Security 
Standard (PCI-DSS), Health Information Technology for Economic 
and Clinical Health Act (HITECH), Gramm-Leach-Bliley Act 
(GLBA), Red Flag Rule, and Sarbanes-Oxley.

    Additionally, from a technical perspective, many 
applications will inquire about encryption being deployed, 
systems patching cadence, back-up procedures, password 
management, firewalls installed, anti-malware software, 
intrusion detection/protection devices deployed, etc.

    However, there is growing recognition that strengthening 
companies' security culture, embodied by various policies 
(privacy/security and document retention/destruction), criminal 
and credit checks conducted on employees, and robust training 
programs, deserves strong consideration as part of the 
underwriting process. This also is supported by the above-
referenced Hartford Steam Boiler survey finding that nearly 
half (47%) of all data breaches were attributed to a vendor/
contractor, followed by employee negligence or malfeasance 
(21%), and lost or stolen mobile device (20%). Hacking or other 
cyber-attack only represented 11% of data breaches.

    By contrast, when no application is needed for an 
endorsement-based cyber product, often the form may contain 
language stating that the insured needs to comply with 
reasonable and industry-accepted protocols. These protocols may 
include:

     Providing and maintaining appropriate physical 
premises, computer, and Internet security

     Maintaining and updating at appropriate intervals 
backups of computer data

     Protecting transactions, such as processing credit 
card, debit card and check payments

     Appropriate disposal/destruction of files 
containing sensitive personal or corporate information/data

    HOW INSURERS DETERMINE COVERAGE AND PRICE

    Cyber insurance is unlike most other insurance coverages in 
four fundamental areas. Insurers are grappling with the 
following factors in offering cyber coverage and at what 
premium/limit.

    There is no significant historical loss data.

    The exposure is relatively nascent as the Internet has only 
been commercially viable since the late 1990's. Further, the 
loss data generated even 10 years ago does not fully represent 
the exposure today. For example, virtual currencies and 
smartphones did not exist 10 years ago.

    Due to the lack of loss data, insurers have adapted 
pricing, terms, and conditions from other lines of business, 
such as technology errors and omissions, crime, media 
liability, etc. Some insurers also have looked to conduct 
primary research and have interviewed experts in various 
fields, including IT forensics, attorneys, breach response 
service providers, public relation firms, and others. Through 
this process insurers can better understand the frequency of 
events, how long events may take to address, and the associated 
costs for the various services. These figures are then 
converted into insurance premiums. As experience develops, 
these initial figures can be blended with the actual insurance 
claims results to refine the premiums being charged.

    Another tool insurers have deployed to improve cyber 
insurance products and pricing is the survey of potential 
customers (e.g., business owners) to understand specific kinds 
of concerns, the frequency of issues they face, and the costs 
to address them. This helps insurers prioritize which coverages 
to develop and include in a cyber insurance product and 
determine associated terms and pricing.

    The cause of loss is generated by an active adversary, 
which is capable of changing tactics and targets to suit their 
needs based on advances of technology.

    As new technologies are introduced, exposures that 
previously did not exist become commonplace. For example, cyber 
extortion was typically limited in scope to targeted attacks 
where the attacker threatened to release data that had been 
stolen or to continue with a Denial of Service attack unless a 
ransom was paid. These attacks took significant time to conduct 
and often posed a significant risk to the perpetrator as they 
needed to interact with the company to receive payment. With 
the advent of virtual currency, ransomware exploded and is now 
a leading cause of loss.

    Legislative and regulatory requirements continuously 
evolve.

    Insurance companies need to monitor the evolving state, 
federal, and international privacy and data protection laws. 
While these laws are designed to protect consumers, they may 
create an exposure to small business owners. For example, there 
are 48 different state breach notification/data protection laws 
with which a small (or large) business must comply. Many of the 
first cyber insurance policies focused solely on liability 
exposures of third parties (as opposed to those faced by the 
entity purchasing the coverage) and only provided a small 
sublimit (the maximum amount for which the insurance policy 
would pay for in the event of this type of loss, which is less 
than the overall limit of the policy) for costs the insured 
might incur complying with various breach notification laws. As 
more states followed California in the mid-2000s with their own 
breach notification laws, insurers responded by expanding their 
breach response coverages.

    Cyber poses potential aggregation or accumulation risk for 
insurers.

    Cyber risk is not bound by geography, which greatly 
increases the aggregation risk from an insurer's perspective.

    Many insurers will identify potential causes of aggregation 
(e.g. particular industry, service providers, failure of the 
Internet, etc.) and either decide to exclude that cause of 
aggregation or to monitor the amount of insurance being 
provided very closely. For example, an insurer may monitor the 
number of insureds using a particular cloud service provider.

    CONCLUSION

    As the private cyber insurance market continues to rapidly 
expand, reinsurers and insurers will continue to monitor and 
analyze cyber risks, survey and work to better understand the 
needs of existing and potential customers, develop insurance 
products and services accordingly, and help insureds following 
a cyber event. It is equally, if not more, important to U.S. 
businesses for federal and state governments' lawmakers, 
regulators, and other entities focusing on cybersecurity and 
evaluating potential regulatory changes, to develop clear, 
consistent requirements and to avoid a patchwork of different 
requirements and standards. Such a patchwork would impede 
companies' ability to effectively implement cyber security 
protocols and respond quickly and appropriately to a cyber 
security event. Although the nature of reinsurance means that 
reinsurers do not directly interact with consumers, and 
therefore reinsurers' obligations in the event of cyber 
security events differ somewhat from the primary insurance 
industry, the entire insurance and reinsurance industry (as 
well as consumers) benefits from uniform, consistent standards 
that are both proportional and flexible enough to work in an 
ever-changing cyber environment.

    We also encourage the Administration to coordinate 
cybersecurity policy among federal agencies and designate lead 
agencies to coordinate discussions where appropriate. This 
should include discussions with state insurance regulators to 
encourage healthy cyber standards while eliminating conflicts 
and duplicative regulation.

    Thank you for your time and your interest in this very 
important issue.

                 House Small Business Committee

     ``Protecting Small Businesses from Cyber Attacks: the 
                Cybersecurity Insurance Option''

                         AIA STATEMENT

                         July 26, 2017

    In today's increasingly interconnected world, cybersecurity 
is a risk that no business is immune from regardless of 
industry or size. We appreciate the House Small Business 
Committee (Committee) holding the hearing, ``Protecting Small 
Business from Cyber Attacks: the Cybersecurity Insurance 
Option.'' The comments below are intended to provide a brief 
overview of cybersecurity insurance and some potential 
challenges for this market.

    As with many other emerging and complex risks, insurance 
is, first and foremost, a useful targeted risk transfer 
mechanism. A cyber event can be costly for any business, 
including small and medium businesses, so minimizing that 
financial impact through cyber insurance is beneficial. And, 
just as cyber risks continue to evolve and develop, so has the 
cyber insurance market. Therefore, a key point is that the 
insurance market is developing responsibly to meet changing 
client demands and offering products tailored to meet small, 
medium and large business needs.

    Approximately 15 years ago, ``cyber insurance'' originated 
as a technology errors and omissions product that provided 
coverage for negligent acts, errors, and omissions in the 
deliverance of technology products and services. Today, stand-
alone ``cyber insurance'' products may include coverage for 
forensic activities, legal fees associated with determining 
how best to comply with each state or territory's notification 
rules, notification and credit monitoring costs, business 
interruption, and damages and expenses incurred in connection 
with claims brought against a third party, such as costs 
associated with responding to or defending against regulatory 
inquiries, payment of fines, and lawsuit liability. More 
recently, some insurers may also offer dedicated cyber coverage 
for bodily injury or property damage.

    Importantly, cyber risk should be considered a peril. 
Coverage for the cyber peril can be addressed, in whole or 
part, in a dedicated, stand-alone product or embedded in a 
multi-risk policy that might include cyber as one of the many 
causes of loss, for instance a commercial property policy or a 
directors and officers' policy.

    Moreover, cyber insurance can serve as a valuable tool in 
crafting a risk management program. Hence, communication is an 
important aspect of the cyber insurance purchasing process. The 
process typically begins with a conversation with the insurance 
carrier and with the advice of an insurance agent and broker 
whose expertise guides the insured in evaluating its coverage 
needs and existing insurance products to determine whether 
insurance gaps exist and how best to address those gaps.

    Additionally, cyber insurers continually innovate and offer 
add-on products and access to strategic partnerships that small 
business may find invaluable. For instance, many insurers have 
partnerships with computer forensic firms, public relation 
coaches, and expert legal counsel. Timing is critical in the 
event of a breach, therefore, having a list of identified 
resources could be crucial. As well as post-event resources, 
pre-event resources may also be important to a small business. 
For example, risk assessments, employee training, and table-top 
exercises are useful tools that an insurer may offer.

    It is important to note that there are clear business 
benefits to cyber insurance, as identified above, but cyber 
insurance should not be seen as a driver of behavior, guarantor 
of cyber security, or a standard-setting vehicle. Regardless of 
a business's size, cybersecurity requires an ever-evolving 
adaptable approach that is incorporated into an entity's 
overall risk culture and each individual company is uniquely 
and best able to assess its own risk and global approach to 
managing cyber exposures and deciding what role insurance will 
play.

    We recognize that small and medium businesses have limited 
resources and the decision to purchase cyber insurance is one 
that should remain within the business's sole discretion. As 
such, our industry is committed to responsibly meeting market 
demand and offering innovative solutions that best suit our 
clients' needs.

    Therefore, the cyber insurance market should be allowed to 
grow organically without undue pressure that could stifle 
innovation and market growth. Rather, through public-private 
partnerships we should explore solutions for addressing the 
challenges that confront market growth. Some of these challenges 
include the following:

           Education - Businesses are not always 
        convinced that they are at risk of a cyber-event. Size 
        and industry may be factors that convince an entity 
        they are not at risk, but unfortunately, today's 
        connected society and supply chain interdependencies 
        make everyone a target for unscrupulous actors.

           Data and Risk Modeling - The risks presented 
        by the cyber age are new and more rapidly evolving 
        compared to more traditional risks that insurers have 
        been underwriting for hundreds of years. Thus, 
        sufficient loss data and risk modeling capabilities, 
        which are critical to responsible underwriting, will 
        need time to develop. Moreover, the risk is continually 
        evolving as bad actors look for new ways to expropriate 
        information and process it for their own purposes.

           Aggregation and Accumulation - As indicated 
        above, coverage for cyber events may be embedded in a 
        number of insurance policy types. Further, cyber is 
        also a global challenge, sometimes without geographic 
        borders or predictable locational centers, thereby 
        increasing the geographic risks broadly. The 
        increasingly interconnected business environment and 
        the ubiquitous presence of cyber in our commercial 
        world also serves to increase the aggregation and 
        accumulation risks insurers must manage.

           Forensic Review - A lack of actuarial data 
        is not the only data gap that insurers may face. Often 
        times insureds may avoid sharing data such as forensic 
        reports with their insurer in an effort to avoid an 
        assertion that they have waived the attorney client or 
        work product privilege. Though these concerns are 
        understandable, failing to provide forensic information 
        hurts insurance carriers and their clients in two ways: 
        (i) it makes it more difficult to evaluate claims 
        triggered by a cyber-event given that critical 
        information is withheld from the carrier; and (ii) 
        there will be less information available to insurance 
        carriers to aid in risk management and risk transfer 
        solutions for the client and more broadly for the 
        benefit of the cyber insurance market.

    Insurers are committed to meeting the challenges of market 
growth so that they can continue to evolve their product 
offerings in order to provide risk transfer solutions that 
benefit businesses of all sizes. Thank you for your interest in 
this subject matter. Our membership is an active participant in 
the cyber insurance market and we would be happy to discuss 
this issue and answer any questions that you may have.

              STATEMENT ON BEHALF OF WILLIS TOWERS WATSON


                               BEFORE THE


                 UNITED STATES HOUSE OF REPRESENTATIVES


                      COMMITTEE ON SMALL BUSINESS


HEARING ENTITLED, ``PROTECTING SMALL BUSINESSES FROM CYBER ATTACKS: THE 
                    CYBERSECURITY INSURANCE OPTION''


                             JULY 26, 2017


    On behalf of Willis Towers Watson, we submit the following 
statement in response to the above-referenced hearing.

    Small businesses (SBs) tend to be less concerned about 
their technology/cyber risks than their publicly traded 
counterparts. This view may be due primarily to a limited 
understanding of the scope of risks these organizations face. 
According to the Verizon Data Breach Report, approximately 61% of 
data breach victims are businesses with less than 1,000 
employees. With this in mind, here are some of the common 
misconceptions we found among SBs:

          a. We're not a target for attackers because we don't 
        have valuable data: Any business that processes data 
        and is connected to the internet has cyber risk. While 
        SBs often do not have large `troves' of data, they 
        still have data. Attackers view access to SB networks 
        as a `path of least resistance.' Compared to large 
        publicly traded companies, SBs may not have significant 
        resources invested and dedicated to protecting their 
        critical assets. As such, it is easier for a hacker to 
        infiltrate a high volume of SBs than one large 
        organization with stronger controls.

          b. We outsource the storage/processing of data: Most 
        SBs think outsourcing data storage and processing will 
        completely transfer their risk and potential liability 
        to the outsource provider. However, the organization 
        that owns the data ultimately has responsibility for it. 
        While there may be some shared liability with outsource 
        providers, most have limit of liability provisions in 
        their contracts. Further, determining liability is a 
        lengthy process and something an organization will be 
        challenged to devote time to while responding to a 
        breach.

          c. We have adequate technology security controls: 
        While technology controls are important and part of the 
        solution, cyber risk at its core is a people risk. 
        Willis Towers Watson claims data reveals that 69% of 
        cyber breaches can be attributed to an organization's 
        employees and can stem from a lost laptop, a 
        disgruntled employee, inadequate cyber awareness 
        training or hiring of non-qualified employees. 
        Therefore, to address these vulnerabilities, it is 
        important for organizations to also devote attention and 
        resources to people solutions, such as employee 
        engagement, awareness and hiring the appropriate IT 
        talent.

    Both Business to Business (B2B) and Business to Consumer 
(B2C) organizations should understand their cyber risk and 
consider cyber insurance as a method of risk transfer. For B2B 
organizations, it's easier to understand why cyber insurance is 
important. When dealing with other businesses, there may be 
contractual requirements that require organizations to carry 
cyber insurance or technology professional services coverage.

    If an organization is providing technology professional 
services, it is important for them to put together technology 
professional services coverage with cyber liability insurance, 
as there is an overlap in coverage. Even if an organization is 
not providing a technology professional service, cyber 
insurance should be considered as it can provide balance sheet 
protection for both first-party coverage (out of pocket 
expenses - i.e., business interruption, data restoration, and 
cyber extortion) and third-party liabilities (lawsuits alleging 
financial harm as a result of an organization's errors or 
omissions).

    For B2C organizations, historical buyers of cyber insurance 
were industries that held a lot of records (i.e., retail, 
healthcare and education); however, the more recent cyber 
claims have affected other industries such as manufacturing, 
nonprofits and critical infrastructure.

    One of the best practices for SBs seeking to understand 
their cyber exposures is to review cyber claims and losses 
scenarios, such as the following:

    Retail

    An online retailer noticed unusual activity on its server, 
which prompted an investigation. They discovered that hackers 
had stolen an employee's credentials and used them to access 
the names, billing addresses and credit card numbers of 
approximately 50,000 customers during checkout.

    Outcome: The insurer retained the appropriate vendors and 
notified the necessary individuals and agencies. The retailer 
incurred approximately $1M in first-party costs.

    Healthcare

    A hospital office employee stole medical profiles, 
histories and detailed personal information on approximately 
125,000 patients.

    Outcome: The insurer provided the client hospital with a 
crisis support team, made up of outside vendors, to help 
resolve the breach and reimbursed the hospital approximately 
$800,000 for the crisis team's expenses.

    Manufacturing

    A consumer products company underwent a software system 
upgrade performed by a vendor. The system upgrade failed, which 
caused all of the manufacturer's systems to malfunction on the 
same day. This caused an unintentional and unplanned outage, 
which resulted in the suspension of the manufacturer's 
operations.

    Outcome: $2M was paid by the insurer for extra expenses 
associated with the business interruption, including expenses 
to continue normal business operations.

    Technology Professional Services

    A technology services provider of software applications, 
implementation services and support contracted with a social 
welfare organization to consolidate and update its legacy IT 
systems. The social welfare organization filed suit against the 
insured, claiming it failed to meet contractual deadlines, 
delivered a poorly performing system and failed to properly 
staff the project.

    Outcome: The social welfare organization sought damages in 
excess of $15M.

    Cyber Extortion

    A client's computer server was maliciously attacked by a 
virus that encrypted their data and demanded a $5,000 ransom to 
unencrypt. The insured reported the matter to the FBI and local 
authorities, and refused to pay the ransom.

    Outcome: The insurer engaged an expert to perform a 
forensic analysis of the client's system. The expert found the 
impacted server didn't contain any confidential information. 
They removed the virus and strengthened the client's data 
security protections. The insurer reimbursed the insured 
$45,000 for forensic costs incurred.

    Handling cyber breaches can be complex and expensive, and 
costs can easily amount to thousands of dollars or millions if 
an organization is not proactive. SBs need to take advantage of 
cyber insurance, as it provides a risk transfer, as well as a 
partnership with the various experts (such as forensics, 
attorneys and public relations) that need to be involved in the 
event of a breach. Most cyber insurers offer their 
policyholders a choice of breach response services, typically 
from a list of pre-approved vendors. Many allow the 
policyholders' own choice of vendor. Most insurers also grant 
policyholders access to a complimentary cyber risk management 
portal that includes the most updated information on emerging 
cyber threats and the latest reports on risk mitigation 
measures and practices. Moreover, premiums and other terms and 
conditions are extremely competitive as market conditions are 
relatively soft with slight rate decreases. This is likely due 
to additional capacity in the market and underwriters being 
able to better quantify exposure.

    In sum, SBs need to be as proactive as their larger 
counterparts by: (1) conducting proper risk assessment and 
quantification; (2) investing in a cyber-savvy culture; (3) 
insuring cyber threats they can't mitigate; and (4) allocating 
enough capital to technological cyber defenses.

    Willis Towers Watson (NASDAQ: WLTW) is a leading global 
advisory, broking and solutions company that helps clients 
around the world turn risk into a path for growth. With roots 
dating to 1828, Willis Towers Watson has 39,000 employees in 
more than 120 countries. We design and deliver solutions that 
manage risk, optimize benefits, cultivate talent, and expand 
the power of capital to protect and strengthen institutions and 
individuals. Our unique perspective allows us to see the 
critical intersections between talent, assets and ideas - the 
dynamic formula that drives business performance. Together, we 
unlock potential. Learn more at willistowerswatson.com.
