All your resources at your fingertips.Learn More
Ian Searle takes on cyber risks as he considers what precautions and protections there are available against the silent threat.
Try putting ‘cyber risk' into Google and there are hundreds of successful returns. Try obtaining a definition of cyber risk and it gets a little trickier. I took an indirect route and found a specialist technology security website which defined ‘cybersecurity' as: 'the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorised access. In a computing context, the term security implies cybersecurity.'
So from this, we can deduce that a cyber risk involves anything that can attack, damage or gain unauthorised access to technology - a pretty wide definition, by all accounts.
What harm can be caused?
Using insurance terminology, these cyber risks can cause first party or third party losses: first party being loss or damage to the technology operated by the organisation under attack, and third party loss or damage can be suffered by those who use this technology directly or indirectly - customer, suppliers, subscribers and so on.
First party losses can include physical damage, extortion, theft, fraud and business interruption, whereas third party losses can include errors and omissions, libel and slander allegations. However, what is clear, is that the results of cyber risks are clearly in the minds of boards and executive management.
Where are the risks?
Technology is now highly mobile. Whilst cyber risks are often perceived as hacking into an enormous datacentre, consider the risks of ‘BYOD' (bring your own device) - workers using their personal smartphones, tablets and laptops for business purposes, accessing data on the move through virtual networks. Systems can be infected quickly and with widespread results through simply infiltrating one linked mobile device.
So the exposures are pretty much as mobile and widespread as the technology used by the business.
Are cyber risks really a cause for concern?
The answer here is: yes! Suddenly, the terminology used around cyber risks has entered the vocabulary of the ‘non-geeky'. Malware, hacktivists, ransomware are all words we can read in the headlines as incidents become more commonplace. However, that also reveals part of the problem. Events are seldom discussed or aired to their full extent, and the media only accesses the high profile or novelty cases. There are a number of reasons for this:
In the novelty arena we have the hackers who accessed Burger King's Twitter site and added a McDonalds logo, forcing it to close the account. In Madrid, Spanish authorities have recently bust a ring of ‘Ransomware' fraudsters masquerading as police who intercepted home PCs demanding Euros 100 to unlock the computers. In the high-profile category there is the current advice for foreign travellers heading for China who are told to leave devices at home as wireless network security in the country is so poor the risk of cyber attack is unacceptably high.
Businesses and governments are equally at risk. US banks and industry giants, such as Apple, have suffered repeat attacks on their networks, and there is much debate around the cyber attacks between the US and Iran which are being possibly aimed at disrupting the latter's nuclear capability. Conspiracy theory or fact? The lack of any real information on the topic simply fuels the debate.
The issue is of paramount importance as technology continues to develop at a serious pace, with security behind that technology developing at a much slower one. Whether for profit through fraud or through sheer enjoyment of the disruption wreaked, the cyber risk industry is growing, and it is being driven by technology-savvy individuals and groups who have a deep understanding of technology weaknesses.
At last, some meaningful research is being undertaken with reports emerging from trade associations and insurance companies with a real interest in the topic. The insurance industry had been accused of a lack of engagement on cyber risks for many years as many had turned to the market to help them tackle the exposures, with limited success. It is, therefore, good to see that the industry is now taking a lead on cyber risk research.
The associations that represent risk managers in industry - Risk Management Society (RIMS) for the USA, Federation of European Risk Management Associations (FERMA) for Europe and Association of Insurance and Risk Managers in Industry and Commerce (AIRMIC) for UK businesses - have all produced research documents. Each focuses on different areas of risk: for example, FERMA cites the need for vigilance with high stakeholder engagement across all internal departments who use or manage technology; it also advocates strong cooperation with regulators. AIRMIC focuses on risk transfer options, examining insurance cover available under existing corporate covers and the developing bespoke cyber risk insurance market. It does additionally press the need for strong risk management. Businesses should ask their insurance brokers for their latest reports on the subject.
The big insurance companies have undertaken some investigatory work to help map out the demand for cyber risks insurance. AIG and Zurich's work provides some interesting insights. AIG's report showed that 85% of the 258 respondents to their survey quoted cyber risks as the number one risk on top executives' radar.
Zurich's research (through Harvard Business School) examined who actually buys insurance cover. Of 152 respondents only 19% had focused on the need to buy any form of cyber risk insurance. 76% of the responses cited cyber risks as a major concern, with the majority expressing particular concern at the potential impact on stock price and reputation. Interestingly the majority concluded that internal collaboration is the key to avoiding or mitigating cyber risks.
Regulation and legislation
Legislating against this type of fraud is a tough call; Barack Obama has issued a warning to the US Congress that cyber risks and espionage using technology has reached the level where legislation and sanctions are required to control the problem.
In the UK, the Information Commissioner and other authorities have levied fines on large organisations which fail to control ‘big data' (the term given to massive volumes of data held or processed), and either unwittingly leak it or fail to prevent hackers accessing data. Sony lost an estimated US$171 million in revenue when it was forced to close its Playstation network earlier this year following unauthorised access to the database. The Information Commissioner fined Sony £250,000 for the impact on users in the UK. Fines and penalties are generally uninsurable as this is would be contrary to public policy.
Looking ahead, though, the World Economic Forum is considering levelling fines of up to 2% of global turnover in the event of cyber risks that impact shareholders and customers of major corporations.
Cyber risk insurance
With a range of risks that include loss, damage, fines, reputational impact, share price reduction extortion and libel - what are the insurance solutions on offer?
The market is best described as still under construction. Some big names - such as Beazley and Ascent -offer bespoke cyber risk products, others are following their lead, which is creating a reasonable level of capacity. Figures in the £100-200 million range for coverage have been quoted. In practice, companies are buying cover with limits in the low £ millions.
If a UK-based company is applying for cover, it is mainly offered in respect of UK-based risks, but with suitable underwriting data, wider territorial limits may be offered. Often coverage excludes technology hosted outside the buyer's control, particularly where this takes place overseas.
Technology which relies heavily on cloud computing is also proving difficult to insure. Understandably this reflects insurers' concerns at the state of security associated with cloud computing.
The bespoke cyber risks policies concentrate on providing insurance protection against theft or manipulation of sensitive or private information; computer viruses that can destroy data, damage hardware, cripple systems and disrupt a business' operations; and computer fraud.
The first party cover indemnifies against loss or damage to digital assets - data, software programs, etc. The policy covers costs incurred in restoring, updating, recreating or replacing these assets to the same condition they were in prior to the loss or damage. Specifically, the cost of fixing damage caused by malicious codes and viruses; attacks or unauthorised access to networks or individual computer systems; theft or defacement of websites and their contents (direct monetary losses and associated disruption from such theft, including theft of money or electronic funds); as well as the difficult area of cyber extortion where ransom demands are made in an attempt to extort money by threatening to damage or restrict the network, release data obtained from the network and/or communicate with customers in an attempt to obtain false information.
The cover can be extended to resultant business interruption losses, such as reduction in profits and the ongoing costs of employing staff whilst trade is interrupted, service degraded or occurring network outages. The policy may also cover additional costs incurred on finding and fixing the solution where this will expedite business recovery.
Third party or liability cover will provide protection against: claims from outside the business arising from breaches of privacy and confidentiality where data is leaked; costs of investigating privacy breach including defence costs, awards and fines; related copyright, trademark or defamation claims; costs of notifying and/or compensating customers where data breach has or may have occurred; errors and omissions claims where allegations of inappropriate actions or conduct are made; negligence in publication of any content in electronic or print media; and intellectual property infringement.
The coverage is offered on a ‘claims made' basis, where claims are dealt with by the underwriter in place at the time a formal claim is identified or received, even if the cyber risk event actually occurred during a previous period of insurance.
This is one type of corporate insurance where, unusually, proposal forms are always required - an emphasis of the need for full disclosure of all material facts.
Underwriting expertise around cyber risks is currently limited. The reason is simple - information on how risk exposures arise and how losses are committed is limited. Hackers and others with intent to cause damage and disruption are driven by many complex issues - political, personal financial gain and even sheer bedevilment. The modus operandi follows no logical pattern and risk management deterrents and monitoring are often reactive measures. Underwriters concentrate on the types and sensitivity of data held by applicants and the volumes of ‘big data' held or hosted.
Of key importance will be the history of systems attacks and disruptions, including events that could have lead to data loss. Underwriters will need to understand how these events were handled and the resultant risk avoidance measures introduced. Ongoing risk management of cyber risks, including monitoring and audit will need to be clearly explained to the underwriter.
Those seeking insurance should be prepared to deliver a presentation to underwriters with a full outline of risk exposures, defence measures taken, business continuity plans and disaster recovery procedures. The format of this presentation would be similar to those often delivered to Directors and Officers Liability underwriters.
Brokers play an important role here, as they will be aware of the appropriate markets, availability and suitability of cover on a case-by-case basis.
Purchasing insurance products
Those looking to buy cover against technology exposures should check the extent to which their existing coverage(s) will offer protection. Below offers a range of questions that can be put to brokers in an attempt to validate what is/is not already covered.
A Checklist for those considering cyber risks insurance
The following useful checklist was devised by AIRMIC as part of their study into this topic - it offers a good preparation guide for companies considering purchasing cover.
The cyber risks insurance market can be described as immature, but developing. Those who require cover should be prepared to put a lot of effort into underwriting submissions and should view cover as a safeguard in case risk management measures fail. Those who approach the insurance market with no clear risk management strategy will struggle to secure a quote.
Sadly, the threat of cyber risk is growing at a faster rate than the underlying technology and the scale and sophistication of attacks is increasing. Some form of cyber risk catastrophe insurance is likely to be a requirement for every company's corporate insurance programme in coming years.
About the author: Ian Searle is a seasoned risk manager with 35 years' experience; he is now concentrating on consulting and interim roles.
ICSA Information & Training Ltd
"exceptional value for money in today's challenging legal environment" John Mitton, PG Legal
"This is an indispensable aid to the busy company secretary. The text is clear, the precedents...