The growth of cybercrime risks has created a massive market for cyber risk insurance policies, but can any liability be insured? And what is the difference between a cyber risk policy and an ordinary liability policy? What should companies do in case of a cyber attack?
On 28 October 2015, I will discuss cyber risk and the opportunities arising from this type of risk for the insurance sector at the Annual Assicurazioni event, which is one of the largest Italian conferences dedicated to the insurance sector. The interest in the topic shows the relevance that cyber risks have gained in every industry.
Is cyber risk a real risk?
When I discuss cyber risk I always remember the comment from John Chambers, the Executive Chairman of Cisco:
There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked
And this claim does not sound like an exaggeration when one considers that 48.8 million cyber attacks occurred in 2014, causing damages in the range of $445 bn. Companies like Target were victims of the theft of over 70 million records, which caused data breach costs of $248 million, while 145 million eBay user records were stolen, leading to a decline in user activity that caused a reduction in annual sales targets of $200 million. JP Morgan Chase declared that it will invest $250 million a year in cybersecurity, employing 1,000 people to oversee its IT systems, after 76 million financial records of its customers were stolen.
Will cyber risk grow?
According to research, the current average cost of a data breach is $3.8 million, while global cyber insurance premiums total only $2 billion, with 90% of the policies worldwide concentrated in the US. But according to estimates, premiums will increase to up to $20 bn in the next 10 years, especially considering that the annual cyber cost of the 4 largest economies in the world is $200 bn.
And such growth will be accelerated by the growth of the Internet of Things (IoT): 50 billion connected devices will generate over 50 trillion GB of data, whetting hackers' appetite even further.
Also, compliance costs will increase with the new EU Privacy Regulation, which will introduce obligations to notify victims and data protection regulators, as well as fines of up to 4% of global annual turnover.
Where is the cyber risk coming from?
Cyber attacks can impact any component of a business, which, as mentioned above, is and will be more and more interconnected. Confidential information in cloud databases, connections between the different components of a supply chain or with subcontractors such as suppliers or payment providers, as well as customers' data and financial information stored by banks, can all be affected.
A cyber incident can originate from malicious attacks by hackers, but it is often the result of non-malicious failures such as an IT failure or the mere loss of a computer by an employee. And this threat can come both from IT infrastructure and individuals internal to the organization and from IT and non-IT providers external to it.
What damages can be caused?
A cyber attack is usually associated with the loss of personal information about the business' customers. However, the range of damages that can result is much broader and includes:
- theft of intellectual property and confidential information,
- investigation, notification and response costs, e.g. notifications required under data protection laws,
- reputation damages, as occurred in the major incidents mentioned above,
- third party claims from customers, supply chain suppliers and regulators, but even from employees whose data might be lost or who might find out that they have been illegally monitored,
- direct financial loss, e.g. where hackers are able to steal funds from bank accounts or extort funds,
- physical damages, which will considerably increase with the growth of the Internet of Things as any component of a business is automatically operated based on data coming from different sources,
- data and software deletion, which might have a massive negative effect on a business considering the value that customers' data, including big data, now have for any type of company, and
- business disruption and interruption.
The situation of cyber risk as of today
According to a survey, 52% of CEOs believe that they are covered against cyber risk, but in fact fewer than 10% of them are. And often their liability insurance policies do not cover cyber risk because, among other reasons,
- property insurance and business interruption policies require physical damages, which might include damages to software and data,
- general liability policies exclude damages due to unauthorized access to confidential information, and
- E&O/PI policies have coverage restricted to liability claims by customers, and exclusions might apply (e.g. for viruses).
What can be insured under a cyber risk insurance policy?
The list of cyber risk events that can be covered under an insurance policy is quite long and includes:
- privacy events, even though in a number of countries regulatory fines cannot be covered by an insurance policy,
- network security liability, such as when the assured's IT system is used to hack a third party's system,
- data and software damages, such as the cost of restoring lost data,
- loss of funds due to illegal financial transactions performed by hackers, as well as extortion of funds,
- network and business interruption, which will become even more relevant in an interconnected IoT environment,
- physical damages linked to the effects of system failures,
- intellectual property theft and espionage (e.g. when a trade secret is disclosed), which might be quite difficult to insure as damages are hard to quantify, although the legal costs of actions against third parties might be covered, and
- death or bodily injury, which is usually covered by general policies.
Cyber risk needs immediate action!
The common misunderstanding in approaching cyber risk is to treat it like any other type of business risk. On the contrary, the reaction time following a cyber attack is crucial to minimize the negative effects of the attack on business operations and the potential liabilities towards third parties.
The actions to be taken in the first 24/48 hours following the attack include:
- setting up an incident response team to coordinate the response,
- establishing a privileged reporting and communication channel to keep the investigation confidential, and
- liaising with legal and forensic experts; the action points to be performed by lawyers include, for instance:
  - advice on regulatory obligations under, for instance, privacy laws (e.g. in relation to notification obligations), as well as any other law that might be affected,
  - filing applications to court to collect evidence,
  - liaising with regulators, authorities and law enforcement agencies, and
  - assistance on insurance issues, e.g. coverage, defense and subrogation.
And all the actions above have to be done very FAST!