Hacks Are Getting So Common That Companies Are Turning To 'Cyber Insurance'

Jan 11, 2019
Originally published on January 11, 2019 7:29 pm
Copyright 2019 NPR. To see more, visit https://www.npr.org.

AUDIE CORNISH, HOST:

Cyber hacks are getting so common that companies are turning to something called cyber insurance. NPR's Dina Temple-Raston of our Planet Money team explains why insurance companies are writing about a thousand new cyber insurance policies every day.

DINA TEMPLE-RASTON, BYLINE: The email arrived last October, and it seemed innocent enough.

MAVIS: And I replied to the email. And I said, are you sure this was meant for me? And it came back and said, oh, yes, it's for you. And that's when I clicked on their email.

TEMPLE-RASTON: It wasn't until a few days later that this woman - we'll call her by her nickname, Mavis - opened up her sent email folder, and then she saw it - her computer spitting out emails as if it had a mind of its own.

MAVIS: And you're just seeing sent, sent, sent, sent, sent, sent, sent, sent, sent, sent, sent, sent.

TEMPLE-RASTON: Seeing that was particularly scary because Mavis worked for a financial services company, which means her email contains all kinds of confidential information.

WENDY: Social Security numbers are on everything.

TEMPLE-RASTON: That's Mavis's boss, Wendy.

WENDY: Bank account information in many cases, you know, their spouse's information, beneficiary information.

TEMPLE-RASTON: So this was bad. That's why we're using first names in this story. The company doesn't want to be identified because it might cause them to lose some of their clients. The good news is Wendy had a plan. She went to her office, pulled a big black binder off the credenza and started flipping through the pages.

WENDY: It was buried in there on about page 6 or 7.

TEMPLE-RASTON: She was looking for a very specific phone number.

(SOUNDBITE OF VOICEMAIL MESSAGE)

UNIDENTIFIED PERSON: You have reached the data security event hotline for...

TEMPLE-RASTON: About a year ago, she signed up for something called cyber insurance, and that gave her access to a host of experts who were supposed to help her when something like this happened.

CHRIS DILENNO: We get a call a day at least. It's just happening all the time.

TEMPLE-RASTON: Chris Dilenno is a data privacy lawyer with Mullen Coughlin in Pennsylvania. There's a reason why lawyers billing hourly rates are answering the phone.

(SOUNDBITE OF VOICEMAIL MESSAGE)

UNIDENTIFIED PERSON: The initial discussion will be protected by the attorney-client privilege. Thank you. And someone from Mullen Coughlin will be in touch with you shortly.

TEMPLE-RASTON: Wendy could be more honest this way. In this case, Dilenno brought a second key player onto a conference call.

DEVON ACKERMAN: My name's Devon Ackerman. I'm an associate managing director with Kroll Cyber Risk. And I lead two of our incident response teams for North America.

TEMPLE-RASTON: Incident response team, that's like a SWAT team for cyber?

ACKERMAN: (Laughter) You certainly could think of it like that, yes, ma'am. We conduct digital forensics-related investigations for companies or clients that have had some type of a cyber-related event.

TEMPLE-RASTON: Ackerman used to be an FBI agent, chasing hackers for the Feds. And now he's doing that for people like Wendy.

ACKERMAN: What we look for are kind of - what I would equate to the fingerprints of the actor or the bad guy when they're in the account.

TEMPLE-RASTON: The cyber equivalent of dusting for fingerprints is isolating IP addresses. In Mavis's account, his team turned up an IP address from Lagos, Nigeria. It had been active in Mavis's account for four days. And Ackerman could trace exactly what they were searching for in Mavis's emails, words like...

ACKERMAN: Payment, wiring instructions, wire transfer.

TEMPLE-RASTON: And a host of other financially related search terms. The hackers read her mail for four days, hoping to intercept a message that could get them some cash, but it didn't happen. So they left. Still, the hack was expensive. It cost about $200,000 to pay for legal counsel, the investigation and notifying clients.

Now, cyber insurance covered most of that, but it doesn't come cheap. It costs about $15,000 a year to get about a million dollars in coverage. In addition to that, the insurance seems to be doing a second thing - addressing the Mavis problem everyone has. You know, the employees who click on the wrong thing.

DILENNO: The process of getting an insurance policy that covers cyber requires you to ask some hard questions about your data security knowledge.

TEMPLE-RASTON: That's lawyer Chris Dilenno again.

DILENNO: And that has to make you want to change your behavior.

TEMPLE-RASTON: Your behavior changes because insurance rewards you if you're safer. For that reason, cyber insurance may become one of the best defenses against hackers because it gives companies a financial incentive to focus on the most-vulnerable part of cyberspace - the humans. Dina Temple-Raston, NPR News.