There still appears to be a significant disconnect between the understanding of cyber risks and the response to them at board level. RGL Forensics partner Ben Hobby explains that as a result companies might have already suffered, or are about to suffer, a cyber-attack resulting in a loss of intellectual property.
Knowledge is power. This oft-repeated quote is usually attributed to Sir Francis Bacon and, in a commercial sense, he was right, particularly when that knowledge is used to innovate and to create new technologies.
However, a lot has changed since Bacon’s time: much of this knowledge is no longer stored on paper but electronically.
Thus far, the cyber insurance market has been focussed on personal data. Understandably so, given the costs that have been incurred in data breaches in the US and the fines that can be levied under the upcoming General Data Protection Regulation.
Nevertheless, personal data, while valuable to criminals, is not where the real value sits for companies – it is the value of patents, know-how and technical acumen, its intellectual property.
Currently, the majority of cyber insurance policies provide business interruption (BI) cover for the time taken to restore normal operations in the company’s IT network. Some also provide cover for an additional period for recovery of the business, usually around 90 days.
However, cyber policies usually require there to be some interruption or degradation in the performance of the IT network for a BI loss to be covered. In the event of a data breach, this network interruption or degradation usually doesn’t occur, as the hackers are in and out of the network before the breach is discovered.
Even if the hackers stole IP and there was interruption to the IT network, when will this result in a BI loss? Given the time required to review and utilise illegally acquired IP to generate revenue, it is unlikely that this loss will crystallise before the end of any indemnity period available under a cyber policy. This means that these losses are likely to be uninsured.
To address this risk, companies may wish to consider segregating those parts of the network where this IP is stored. This process of segregating sections of the network may already have started after last year’s WannaCry and NotPetya attacks, as companies seek to ensure that an attack on one part of the network does not cripple the entire global infrastructure. However, extending this process to cover business-critical data will help to ensure that all key IP is appropriately protected.
However, it is unlikely that the risk of a data breach resulting in the loss of IP and a subsequent loss of profit can ever be completely removed. While there are a number of insurers that write IP cover, the take-up of these policies is low, with some commentators suggesting that less than one per cent of insurable IP assets are actually covered.
In addition, in 2016, Accenture reported that one-third of targeted cyber-attacks succeed. The same report also stated that 75% of corporate executives were confident in their security strategies. There is clearly a disconnect, therefore, between the understanding of the cyber risk and the response to it. Given this disconnect, the risk that companies have already suffered, or are about to suffer, a cyber-attack resulting in a loss of IP must be significant.
Inevitably, hindsight is 20/20, as shown by the increase in new cyber policies written after the WannaCry and NotPetya attacks. However, given that corporates must surely be aware that the risk of IP theft via a cyber-attack exists in the here and now, does ‘Corporate Britain’ really need to wait for the inevitable scandal of one company suffering a significant uninsured IP loss following a cyber-attack before it realises the value of IP insurance policies?
Because, really, knowledge is only power if you use it.