In an ABC11 special report, the I-Team explored the growing demand for cyber insurance policies, which right now is only available to businesses to protect against data breaches and other internet risks.
Though industry insiders reports, Cyber Insurance has been available for more than a decade, and the product has emerged as a must-have after major companies like Equifax, Yahoo and Home Depot became victims of costly cyber attacks.
"If you think hackers, you think of code scrolling across the screen trying to break into a website, but hackers don't break in anymore," Jason Hollander, a cybersecurity expert, explains to the I-Team. "They log in. They log in because they have access to your information. So now they can be you. Think of how scary that is."
Hollander is a Raleigh-based entrepreneur now working with Triangle companies on their cybersecurity. His company, Cymatic Security, also works with insurance companies issuing cyber insurance policies; like a person applying for a life insurance policy, companies have to show good cyber health for a better rate.
"It is better as a consumer to do business with someone that actually has cybersecurity insurance than with someone who does not," Hollander asserts. "Why? Because you know that they've gone through a proper audit of their security controls to ensure they're doing whatever they can to be more secure to prevent a breach. As a consumer, you can feel more comfortable that the company you're doing business with has a set of controls in place to hopefully mitigate a risk there could be a breach in the future.
According to Hollander, 2018 will be a record year for data breaches, affecting some 4,000 companies and 3.6 billion data records. Those records may include usernames, passwords, social security numbers or bank information.
"Typically most people reuse their usernames and passwords across multiple sites," Hollander said. "The problem is not that one site has been breached - the problem is that it's a waterfall that this breach on one site affects many other sites."
But just as car insurance won't stop a crash, cyber insurance cannot prevent a breach. Instead, it's being used a tool for businesses to keep running in the midst of a breach and to help affected consumers. In some cases, cyber insurance policies provide identity theft protection for affected consumers or even reimburse customers for financial losses.
Mike Causey, North Carolina's Insurance Commissioner, reported that 23 insurance carriers are now offering cyber insurance in the Tar Heel State.
"As we've seen in the past, if there's a risk - and insurance is all about risk - that risk usually finds a way to be covered under type of insurance coverage," Causey tells ABC11. "If you're connected to the internet, you're subject to a cyber-attack. It's sort of like flood insurance that if it rains where you live you need flood insurance. If you're on the internet, you're subject to a cyber-attack."
Still, cyber insurance is so new that the Department of Insurance posted a new webpage on cyber insurance on the same day the I-Team report aired on Eyewitness News. On the department's homepage, moreover, there's now a banner that reads "Learn more about this emerging coverage for businesses on how to protect themselves against liability relating to a cyber-attack or data breach."
In addition to answering some basic questions about what cyber insurance might cover, the DOI created a new email address for those who want more information - CyberLiability@ncdoi.gov.
Though currently only available to businesses, Causey expects insurance companies to soon open opportunities for individuals to purchase cyber insurance. "It's an emerging market. There are so many unanswered questions."
Among those questions - how to know if a company has cyber insurance or not. Both Causey and Hollander agreed that consumers should do their homework by asking questions directly with their banks, financial advisors, investment firms or other companies they deal with. Some of that information could even be located in the "fine print."
Hollander, however, still maintained that individuals have tremendous power to deter cyber attacks by practicing what he calls "good password hygiene."
"Good password hygiene means that you chose a password that's easy to remember but complex enough that someone can't guess - don't use your pets, don't use your kids' names," Hollander explains. "You don't reuse your password, you don't write down your passwords so someone can copy it. You do what you can to control your security."