KELLY MCEVERS, HOST:
Cybercrime is costing the global economy close to half-a-trillion dollars a year, so says the insurer Allianz. And now businesses are looking for protection. NPR's John Ydstie reports that one option is cybercrime insurance.
JOHN YDSTIE, BYLINE: Mark Patterson found out the hard way that firewalls and anti-virus software are no longer enough protection for a small business. Cyber-crooks hacked into the email system of his construction company, Patco in Sanford, Maine, and ordered money transfers from its bank account.
MARK PATTERSON: Over the period of five consecutive nights excluding weekends, $100,000 a night had been taken out of our checking account, and we were down about $545,000.
YDSTIE: Patterson's bank refused to reimburse him. He sued and finally won, but legal costs ate up most of what the bank paid. After that experience, Patterson boosted his security and bought cybercrime insurance. But most companies aren't insured for cybercrime losses. In fact, only about 1 in 5 are. However, Chris Arehart, a vice president and cybercrime specialist at Chubb Insurance, says demand is now booming.
CHRIS AREHART: We have interest every day on this emerging topic, and it really has taken the world by storm.
YDSTIE: Chubb has added some cybercrime elements to its commercial crime policies over the past decade, and recently it added coverage for something called social engineering fraud, which Arehart says often combines computer hacking and an old-fashioned con.
AREHART: They may begin by researching online using the wealth of information that we all share to determine an appropriate mark within the company to build up a pretext, a story that's as varied as the imagination of the criminal.
YDSTIE: Cyber criminals often penetrate a company's computer and email systems and, for a year or more, watch and plan their attack. Then they strike. Here's a dramatization of a scam where the fraudster is impersonating a top company officer calling in from Asia to a lower-level employee. The fraudster knows the employee's boss, Steve, is away.
(SOUNDBITE OF ARCHIVED RECORDING)
UNIDENTIFIED ACTOR #1: (As Character) OK, look; I need you to step up here. I need you to do a wire transfer for me. You know how to do that?
UNIDENTIFIED ACTOR #2: (As Character) Uh...
UNIDENTIFIED ACTOR #1: (As Character) Steve says you know pretty much everything.
UNIDENTIFIED ACTOR #2: (As Character) Yes, I have done that. I can do that, yes, absolutely, yeah.
UNIDENTIFIED ACTOR #1: (As Character) Good. We just signed a contract over here for production capacity for the next quarter, and we need the deposit wired right away. I just emailed you the wire transfer information.
UNIDENTIFIED ACTOR #2: (As Character) OK.
YDSTIE: The FBI says cybercrimes are growing at an alarming rate, and cyber-fraud insurance can help protect companies from those losses. But Garret Droege cautions it's not a silver bullet. Droege runs TechAssure, an association of companies that offer cybercrime insurance. Part of the problem, he says, is that many policies don't cover the latest scams.
GARRET DROEGE: Unfortunately, there's a lot of gotchas in this type of policy just because it's evolved so quickly. And the insurance companies are having a hard time innovating fast enough to keep up with the risks.
YDSTIE: Droege says a company looking for coverage first needs to figure out its cyber risk profile, then put protections and protocols in place. In fact, companies may not even be able to buy insurance unless they have that all in place, says Chubb's Chris Arehart.
AREHART: We're looking for companies that have strong controls in the first place and then strong cultural controls that would prevent this type of fraud from making it past the first phone call or the first email that hits the company's computer systems.
YDSTIE: Garret Droege says insurers are being selective because the ultimate risk they're taking is not well understood.
DROEGE: Traditional insurance is based on sometimes hundreds of years of historical data. They can look back, see where the losses came from, and they price accordingly, where cyber, the market's still very, very juvenile.
YDSTIE: Because criminal hackers are so proficient and because computer systems are so central to business, some analysts predict insurers could soon face catastrophic losses. But Droege says the industry has to step up.
DROEGE: We don't have a choice as an industry. We have to figure it out. If the cyber risk is so pervasive today, think 10, 20 years in the future when we're even more reliant on technology. Businesses cannot afford to deal with these things by themselves.
YDSTIE: That's Garret Droege of TechAssure. I'm John Ydstie - NPR News, Washington.