Israeli Businesses Learning to Insure Themselves Against Cyber Attacks

Banks lead the way in buying coverage but others are learning they need more than firewalls to protect their databases.

When Bank of Jerusalem discovered its database of securities accounts had been hacked, the task of investigating what happened and assessing the damage wasn’t just a job for the bank and law enforcement authorities. Bank of Jerusalem’s insurance company, AIG Israel, took an active part, too.

Policies against cyber attacks are an up-and-coming business in the insurance industry in Israel and worldwide, where high-profile hacking attacks have heightened awareness of the problem among both businesses and their customers. Premiums for cyber coverage run about $2.5 billion to $3 billion a year, but by 2020 they could reach as much as $10 billion, according to one estimate, with the market growing by 32% a year.

“The moment a business keeps personal data on its customers, like credit card numbers or their identity numbers, it’s at risk of a cyber attack,” said Elad Shelef, deputy CEO of Menorah Insurance. “One of the things we’ve seen is that hackers don’t attack credit card companies directly. It’s more complicated and very troublesome. They prefer to attack weaker links in the chain, which is to say businesses that keep customer records, so they are more exposed than they think.”

In Israel, the market is just getting started. AIG worldwide is one of the biggest underwriters of cyber insurance and its Israeli unit has been active for some time. Menora began offering cyber protection in 2014 as an add-on to its business policies and today counts 1,000 policyholders, most of them small and medium-sized businesses.

Unlike most insurance, cyber policies involve the insurance company long before the first attack occurs. Insuring against cyber damage is complicated and involves assessing a lot more than the direct and immediate damage from an attack.

At the underwriting stage, an insurer will examine the client’s risk for an attack, what defenses it has already set up and policies for things like changing passwords. Insurers know they can’t prevent an attack, but they will do what they can to reduce the risk.

The most critical stage is immediately after an attack has been detected, said Shai Feldman, CEO of AIG Israel.

“When an attack occurs, the first 24-72 hours afterwards are the most important. It’s an emergency in which many specialists have to be brought in to understand what happened and to undertake operative decisions,” he said.

On the technology side, the company that’s been attacked must be able to restore operations as quickly as possible, Feldman said. On the legal side, it has to report to law enforcement authorities and regulators. And then there is the marketing aspect. “For instance, what do you say to the media, how do you tell customers? It’s like operating a war room,” he said.

Finally, the insurer has to assess the damage, which is complicated by the fact that the damage can often go beyond lost work days or downed production lines, both of which can be sized up relatively easily. Damage to a company’s reputation can be harder to quantify.

In the case of Bank of Jerusalem, the bank was relatively lucky. The hackers, who were apparently affiliated with the global hacking group Anonymous, stole information but weren’t able to manipulate accounts by making trades or altering information. Only 6,000 of the 38,000 accounts were current clients of the bank.

Banks, in fact, are the biggest customers of cyber insurance, in large part due to regulatory requirements. Cyber insurance is less prevalent among other businesses. “It’s a complicated risk for a business. For example, something like fire insurance is clear. Everyone understands how it works. By contrast, cyber insurance is more amorphous, so a business [owner] tends to think, ‘it won’t happen to me,’” said Shelef.