Public and political awareness of cyber risks is on the rise as high-profile cases hit the headlines. Patrick Hill and Hans Allnutt review the effectiveness of existing cover options and detail unconventional developments.
Recent data breaches affecting Sony ensured the company's residency in press headlines for more than a month. The numbers alone are striking: 100 million customers affected and a forecast annual loss of $3.2bn (£2bn), of which $170m is attributable to the hacking incidents.
Publicity surrounding the Sony debacle is symptomatic of a growing public awareness of cyber risks, which is now being echoed on the political stage. For example, the UK's own National Security Council ranks hostile attacks on UK cyberspace as a tier-one threat alongside international terrorism, and President Sarkozy of France called for regulation of a lawless cyber world at the eG8 summit.
As commercial activity in the 'real' world moves steadily online, the threats to organisations from cyber risks have never been greater. By their nature, these risks are constantly evolving and the related insurance market, while embryonic, is adapting too.
Established risks and protection
So, what are the established risks? What insurance protection exists, and what might the future hold?
First-party cyber risks are the most predictable and straightforward to mitigate. They include: physical damage to electronic systems, whether from fire, flood or other natural phenomena; virus and malware infections, and denial-of-service attacks, that take systems down and cause data loss; theft of data by employees or third parties; and cyber 'extortion' by employees or third parties.
Such events are often considered within an organisation's existing contingency plans. But the financial costs can be extraordinary, and organisations should be careful not simply to plan on funding remedial action themselves. Losses arising from these cyber risks include: the costs of recovery and data reconstruction; the costs of investigating the source of the incident, including forensic costs; replacement infrastructure and hardware costs; business interruption and loss of profits; and PR and crisis management costs.
Further, an organisation might consider remedial actions, such as data reconstruction and forensic investigation, to be within the expertise of its own IT personnel. However, such remedial action is almost always time-critical, and those personnel may lack sufficient capacity or the necessary specialist expertise. Such is the specialist nature of these risks that the protection offered by cyber risk insurance, whether financial or through the provision of expertise, should be integral to an organisation's mitigation strategy.
Third-party cyber liabilities, on the other hand, include: claims arising from electronically published media, including libel, slander and copyright infringement; claims arising from hosted or online services provided to third parties; data and privacy breaches; and identity theft claims.
Media-based cyber claims are well established as they rely on existing laws and, as such, may fall within the scope of an organisation's existing media liability policies. Conversely, third-party cyber liability claims for data and security breaches are relatively undeveloped in the UK.
In part, this is due to historic legal, regulatory and political apathy towards the potential damage that can be caused. This is certain to change as the value of privacy gains significant political traction and politicians become ever more eager to legislate in the public interest. One need only look at the recent super-injunctions, which have attracted such public and political interest.
Data breaches like those suffered by Sony often remain unreported in the UK due to the lack of a compulsory notification regime. Almost all publicised investigations undertaken by the Information Commissioner's Office relate to public rather than private organisations — the latter being generally more financially sensitive to adverse publicity and with incentives against disclosure.
However, the tide is changing. As of 26 May 2011, communication service providers (CSPs) must report any personal data breach to the ICO and to affected customers. The resulting civil liability exposure should not be underestimated. While currently limited to CSPs, the regime could be widened to other types of organisation.
A wider compulsory notification regime would undoubtedly result in more ICO investigations and fines in the private sector. The power to impose monetary penalties of up to £500,000 was granted to the ICO in 2010, and it might be expected that the ICO will be looking to take a CSP's scalp as an example to the private sector.
The dominant purpose of most cyber liability policies is to protect an organisation against its financial exposure. The difficulty, as noted above, is that the regime in the UK is undeveloped: liability policies indemnify losses that are not, as yet, being experienced on a large scale.
While customers might not suffer a direct financial hit as a result of the loss of their personal data, they do suffer an instant breach of privacy. When that privacy is threatened the customer experiences a feeling of loss.
Although the Data Protection Act 1998 (DPA) expressly provides for compensation for 'distress' in the event of a breach, there are no reported claims and the law remains in its infancy. In the meantime, organisations and insurers are beginning to provide more unconventional compensation for distress or non-financial loss. For example, when Sony brought its PlayStation Network back online after a three-week outage, it offered its customers a 'welcome back' package of free games and subscriptions. Such offers help quell animosity and go some way towards preserving the customer relationship.
However, traditional liability insurance would struggle to indemnify an insured for compensation schemes where the third party has not suffered a clear loss.
One insurance product that is growing in the US is 'data breach insurance'. In the event of a data breach, this cover provides an organisation's affected customers with credit monitoring and identity theft protection. While it cannot undo the loss of a customer's privacy, it can go some way towards easing the customer's concerns and restoring confidence in the company in question.
In short, organisations must regularly reassess their exposure to cyber risks, since both the technology and the legal regime are changing constantly. They will benefit from purchasing dedicated insurance for the more established first- and third-party risks, but they should also work with their brokers and insurers to consider how to mitigate the unconventional risks.
Patrick Hill is a partner, and Hans Allnutt an associate, in Beachcroft's specialist and international risk group