Cyber risks decoded

A report on data risks, the law, risk mitigation and insurance

February 2012



TABLE OF CONTENTS

EXECUTIVE SUMMARY

WHAT ARE THE MAIN CYBER RISKS?

WHAT ARE THE COSTS OF CYBER CRIME AND DATA BREACHES?

CYBER CRIME EXAMPLES

SPOTLIGHT ON RETAILERS – ARE THEY PREPARED?

HOW IS THE LAW DEVELOPING?

HOW IS THE INSURANCE MARKET RESPONDING TO THE CYBER DATA BREACH CHALLENGE?

Cyber risks decoded: A report on data risks, the law and risk mitigation and insurance

EXECUTIVE SUMMARY

Cyber crime is not a fictional concept; it is a very real problem. Last year the cost of global cyber crime was estimated to be USD388bn [1], with an individual falling victim to a form of online crime every 19 seconds.

In today’s multi-channel, mobile and inter-connected world, every element of society including government, industry, commerce, charity, health, education and individual citizens is increasingly at risk as more and more sensitive data is stored on a computer system somewhere in the world. The risks are constantly evolving as technology develops, and they are likely to become more acute as a new generation of smartphones effectively become mobile wallets, which will place ever greater volumes of personal and financial data at risk.

To understand these issues better, we interviewed IMRG (the UK’s industry association for global e-retailing), four leading cyber and data protection underwriters, and members of the Lockton specialist technology and privacy practice in November and December 2011. We also undertook a variety of desk research. Our goals were to:

• Define the cyber threats to domestic and global businesses

• Quantify the costs of a data breach

• Understand current and future legal requirements

• Outline the insurance solutions available

Threat is growing

Criminals looking to steal and exploit data for financial gain are in an increasingly strong position. Not only does new technology and growing access to that technology provide ever more opportunity, but governments and private enterprises are aware that they can no longer keep quiet about data leaks and malicious attacks on their IT systems. While it is good to keep the public informed, any release of information on the nature and extent of cyber attacks and how to prevent them also educates the fraudsters and raises the threat level further.

Regulatory change is happening

Regulators across the world are waking up to the fact that changes in data privacy laws are required. The Obama administration in the USA, and the European Justice Commissioner, Viviane Reding, are both proposing new national and cross-border data breach notification and data privacy laws. These will have a major impact on companies, forcing them to notify regulators and consumers every time a data breach occurs, even if no records have been accessed. The EU data privacy proposals include fines of up to 2% of global annual turnover if a company breaches the proposed data laws, a requirement for companies with over 250 employees to appoint a data protection officer, and a requirement for all breaches to be reported to the regulator – ideally within 24 hours.

These regulations present a significant new compliance burden for risk managers.

Cost of data breach is rising

One certainty in this complex and fast-moving area is that data breaches are becoming more common and dealing with them increasingly costly, complex and damaging for the organisation that ‘owns’ the data. Norton’s Cybercrime Report for 2011 estimates that the cost of stolen cash and the cost of time spent on identifying and resolving data breaches to businesses and governments is around USD388bn globally.

[1] Norton Cybercrime Report 2011 – http://community.norton.com


Three key causes of loss

As severity and frequency rise, risk managers and finance directors are realising that they need to develop a greater understanding of how to predict and prevent data breaches. According to NetDiligence’s recent study of cyber and data breach insurance claims [2], published in June 2011, the reasons for data loss break down into three main areas.

• Hackers and criminals were responsible for 32% of breach events

• Rogue employees were the cause of 19% of data breaches – and the poor economic climate is expected to exacerbate this problem going forward

• Theft of mobile computer equipment such as laptops and memory sticks carrying unencrypted data was responsible for 33% of breaches

Insurance market is responding

As the frequency and severity of cyber data risk increases, so the insurance world is becoming more concerned about the financial risks associated with a data breach and cyber crime. There is a growing insurance market for both first and third party data liability business, and also first party business interruption cover. These products and covers are likely to continue to develop over the coming years.

London is a pre-eminent market for this business due to high levels of innovation and its ability to provide specialist and tailored cover. We expect that the introduction of mandatory reporting of data breaches for companies handling EU citizens’ data inside or outside Europe will significantly speed up the rate of new product development in 2012 and beyond.

Data privacy is the top emerging risk for the 21st century

In our opinion data privacy is, and will continue to be, the biggest emerging risk for businesses in the 21st century. Any company that does not put appropriate risk management and mitigation measures in place to deal with a potential data breach will suffer significant financial loss and irreversible damage to its brand reputation. However, companies that do plan for a breach, have robust risk management measures and systems in place and respond in a responsible and appropriate manner can emerge from a data breach incident relatively unscathed. Insurance can provide essential financial assistance and access to highly experienced legal, IT forensic and crisis PR advice – which can help companies preserve reputation and get back to trading as rapidly as possible.

We hope that you find this report informative and interesting. Please contact a member of Lockton’s global technology and privacy practice if you would like to discuss any of our findings.

Ben Beeson, Partner, Lockton Companies LLP, Global Technology and Privacy Practice

[2] NetDiligence – Study of cyber and data breach insurance claims – June 2011 – http://www.netdiligence.com


WHAT ARE THE MAIN CYBER RISKS?

The connectivity that technology creates brings many business benefits, but there is a flip side. With the proliferation of mobile devices including Blackberries, iPhones, smartphones, notebooks and iPads, commercial organisations are opening themselves up to new and growing threats from the risk of cyber crime and data loss.

As many entities, including Sony, TJX, T-Mobile and HM Revenue and Customs, have discovered, the reality of dealing with an online attack targeting personal details of customers is very expensive and damaging to a brand’s reputation. In this section of the report, we review the various threats facing businesses. We also shine a spotlight on the retail sector and examine how seriously retailers are taking the threats and what steps they are taking to protect their business.

Cyber risk takes many forms – from human error, mischief, revenge, fraud, extortion and espionage through to terrorism.

Human error

The majority of data breaches occur because of human error or a glitch in the system. These errors are often compounded when organisations fail to observe basic security procedures and to encrypt sensitive information. The most common reasons for data going astray are:

• Stolen or lost laptops, data sticks, flash drives, back-up tapes and CD-ROMs carrying unencrypted information

• Emails with sensitive customer data being sent in error

• Databases not being effectively protected

• Loss of unencrypted data in transit from one organisation to another

Theft

Personal and financial data has a value. In these uncertain and tough economic times there has been a significant increase in the number of individuals as well as organised criminal gangs stealing personal data. Some of the theft is achieved through the use of computer viruses and malware – special software designed with the intention of breaching another computer system to allow access to sensitive data.

In 2011, the Data Breach Investigations Report (DBIR) [3] identified the main causes of data theft as follows:

• 92% from external agents (+22%) [4]

• 17% from business insiders (-31%)

• 1% from business partners (-10%)

• 9% involved multiple parties (-18%)

The DBIR examined how breaches occurred, discovering that:

• 50% utilised some form of hacking (+10%)

• 49% incorporated malware (+11%)

• 29% involved physical attacks (+14%)

• 17% resulted from privilege misuse (-31%)

• 11% employed social tactics (-17%)

From these statistics it is easy to see that the external risks from professional hackers and criminals are increasing, and that these criminals are becoming increasingly sophisticated in the tactics they are using to steal data.

Spear phishing

If data including email addresses is stolen, there is a danger that the contacts could become the victims of a spear phishing scam. Spear phishers send email purporting to come from a reputable source in order to acquire personal information such as bank details, passwords or user names. Because the email looks genuine, consumers are fooled into giving away personal information which can enable fraudsters to steal their identity and so gain access to their bank accounts, credit or store cards.

There have been a number of high profile hacking cases this year where outsourced data management companies (which manage online marketing for a number of high profile companies such as Marks & Spencer, Hilton Hotels, Marriott Hotels and Play.com) have been targeted and customer email addresses stolen, with the intention of using them in spear phishing scams.

[3] 2011 Data Breach Investigations Report, produced for Verizon – www.verizonbusiness.com – which uses data from Verizon, the United States Secret Service and the Dutch National High Tech Crime Unit.

[4] Change (+ / -) on 2010 DBIR figures.


Hacktivism

This is a relatively new trend in which an organisation’s computer system is hacked into in order to protest or to promote a political viewpoint. This form of hacking is not usually done for personal gain; instead it is done with an ideological goal in mind, and often results in websites being defaced or taken over, email campaigns or anonymous blogging, all of which can be extremely damaging to a corporate reputation.

Denial of service (DoS)

DoS attacks have been in the news this year when the Amazon and PayPal sites, among others, were bombarded with large numbers of site requests at the same time by people protesting about WikiLeaks founder Julian Assange’s arrest. As a result of the heightened volume of traffic, the system overloads and the site crashes, before being taken offline for a number of days until the attack dies down. DoS attacks forced Amazon and PayPal to stop online trading for a time. The attacks created a major disruption to these businesses, damaged consumer trust and harmed their brand reputation, negatively affecting their share price.

Cyber-extortion

Sometimes attackers threaten, or carry out, a DoS attack as a means of extortion. These attacks usually do not get reported in the press for fear of the impact on the company’s share price, and also to reduce the potential for copycat attacks. Because these attacks are often kept quiet, the true scale of the problem is hard to assess, but anecdotal evidence would point to this being a growing issue.

Another method is to use a ‘Trojan’ virus to encrypt the target’s data within its computer systems. Once the attacker is in the system and has locked up the target’s data, it is in a powerful position to try to extort money from the company. The attackers tend to operate internationally and use fake email addresses, making identification and arrest very difficult to achieve.

Cloud computing

There is a move for organisations to outsource data storage and related IT services to a third party cloud computing supplier. Not only does this provide access to cheaper, scalable and up-to-date systems, it also enables employees to access the organisation’s computer system remotely via the internet – allowing for flexible and home working. The business benefits are obvious, but there are also significant risks, of which many companies may be unaware.

Working with a cloud provider means that companies are essentially handing over responsibility for all their company data to a third party, whose servers or internet space are often not located in the same country or jurisdiction as their client. Because of the global nature of the internet, many cloud suppliers are unable to clarify where particular data sets are held at any given time, making it difficult or impossible for data owners to ensure that they are compliant with the relevant local legislation. Many of the cloud operators are large international companies and have developed very stringent terms and conditions which indemnify the provider against the majority of liabilities associated with data loss or a data breach from their system.

Emerging themes

Our research shows that there are a number of commonalities between data breach incidents, and that many systems are easy to breach. Breaches are often discovered by third parties, not the data owner, suggesting that online security and risk management controls are often inadequate.


WHAT ARE THE COSTS OF CYBER CRIME AND DATA BREACHES?

There are laws in place in the majority of states in the USA and some parts of Europe which force companies to notify their customers of a data breach. The cost of dealing with a data breach is significantly more expensive in countries which have mandatory client notification, and this appears to be the way in which most regulators are heading (for more information on this see the law section of this report). Using the USA as a benchmark gives us a good indication of the likely costs of a data breach in other countries in the future.

The two charts below clearly show the impact that mandatory notification legislation has in terms of cost and lost business.

USA data breach costs

The USA figures are particularly high because 46 out of 50 states have compulsory notification laws in place.

USA data breach cost with mandatory client notification law [6] (all costs in the table below are in USD and are cost per record breached)

                            2008    2009    2010
Detection and escalation       8       8      13
Notification                  15      15      15
Response                      39      46      51
Lost business                139     135     134
Total                        202     204     214

Average cost to the organisation: USD7.2m

UK data breach costs

In the UK, where notification is not currently mandatory, the costs of a data breach are currently much lower. In the 2010 Annual Study into the cost of UK data breaches, the Ponemon Institute assessed the cost of UK data breaches involving the loss of between 6,900 and 72,000 records. It found that the average cost per record had increased from GBP65.00 in 2009 to GBP71.00 in 2010.

UK data breach cost with voluntary client notification law [7] (all costs in the table below are in GBP and are cost per record breached)

                            2008    2009    2010
Detection and escalation      11      12      14
Notification                   3       7       6
Response                      14      17      17
Lost business                 32      29      34
Total                         60      65      71

Average cost to the organisation: GBP1.9m

[6] 2010 Annual Study – U.S. Cost of a Data Breach – www.symantec.com, www.ponemon.org

[7] 2010 Annual Study – UK Cost of a Data Breach – www.symantec.com, www.ponemon.org [UK figures – updated 20th February 2012]

CYBER CRIME EXAMPLES

Sony Corporation

Earlier this year the Sony Corporation discovered that 77 million PlayStation network and Qriocity user names, email addresses, phone numbers and – reportedly – credit card details had been maliciously breached. The first breach was followed shortly after by a second breach of the personal details of its 24.6 million Sony Online Entertainment customers.

The breaches resulted in a 23-day closure of the PlayStation online network, and Sony has suffered significant financial loss, estimated at USD171m. This estimated cost does not include any lawsuits that Sony will have to defend as a result of class actions being filed against the Corporation by affected customers. The costs do, however, include the cost of notifying and assisting customers, IT forensic costs and system overhaul, as well as reputation management. The Sony brand and share price took a significant battering, dropping 55% in just four months as a result of the breach and the resulting negative publicity.

• Estimated financial loss: USD171m

• 55% drop in share value in the four months after the breach

• 23-day shutdown of the PlayStation online network

TJX Companies

Another high profile and costly case was TJX Companies, the parent company for TJ Maxx in the USA and TK Maxx in the UK. In 2007, the company discovered that it had been using an unsecured wireless network for around 18 months and during this time a hacker with a laptop and antenna accessed over 45.5 million credit and debit card numbers and the personal data of 451,000 shoppers who had returned goods. The cost of client notification, IT system overhaul, business interruption, fines, credit card repayments and legal costs is estimated to have been over USD1bn. TJX learned a hard lesson, that cyber security and robust protection of customer data is critical in today’s technological trading environment.

• Estimated financial loss: USD1bn

• Number of records accessed: 45.5 million

SPOTLIGHT ON RETAILERS – ARE THEY PREPARED?

The majority of retailers are looking to expand their business via multi-channel retailing – using a combination of physical and ‘virtual’ shops, retail websites, smartphone apps and mail order as channels to market. With this in mind we asked Andrew McClelland, Chief Operations & Policy Officer, IMRG – the UK’s industry association for global e-retailing – to give us an industry perspective on the cyber risks facing retailers and the key drivers for change.

Andrew McClelland, Chief Operations & Policy Officer, IMRG

Are retailers taking data breach risks seriously?

It is only a matter of time before a major UK retailer suffers a serious data breach. DoS attacks, data compromises and cyber-extortion attempts do happen, so the challenge for retailers is ensuring that they have processes and systems in place to counter the risk.

Given the current economic climate, data protection is not as high up the corporate risk agenda as it should be. Most retailers’ senior management are focused on their bottom line and shareholder confidence, and they assume the IT and risk management team are up to speed on data protection measures. However, the IT teams are under pressure to reduce costs and to develop existing and new retail channels, so their budgets are being squeezed and as a result the latest security measures are unfortunately not always a priority.

It will take a major incident to force boards to concentrate, because this would undoubtedly lead to a fall in consumer trust in online retailing. This would alarm shareholders and senior managers and make cyber risk an agenda item at board meetings.

How should retailers respond to a breach?

In a data breach situation companies need to have well-rehearsed plans that immediately swing into action. The retailer needs to communicate with affected customers providing help lines, credit checks and the reassurance that they have the situation in hand. An IT system audit should be immediately undertaken, by external specialists if necessary, to identify the source of the problem and how to plug it.

What tends to happen if there is no contingency plan is that there is an information vacuum, which then creates negative media coverage and unhappy customers. The result is a loss of customer confidence, brand damage and a possible hit to a company’s share price and profitability. However, evidence exists which shows that companies that handle a data breach efficiently and effectively, taking proactive measures to inform and support customers, can emerge with an enhanced brand reputation and a more loyal customer base than before the breach.

Do most retailers take out cyber data liability insurance?

Insurance is not yet seen as a critical priority unless retailers have already suffered a cyber attack. However, I anticipate that this situation may be about to change as legislation across the EU is moving towards mandatory client notification, as has been the case in the majority of the states in the USA for several years.

HOW IS THE LAW DEVELOPING?

Data protection and privacy laws vary by country and are very complex. With the increase in the number and value of data breach incidents, regulators across Europe and in the USA are currently reviewing how legislation can be used to force organisations to better protect sensitive data. However, what is increasingly clear is that there is not going to be a single, global ‘one size fits all’ solution. The result is a headache for international companies trying to comply with or anticipate the law, and for risk managers trying to advise on best practice and monitor global compliance.

Europe

The European Union’s data protection laws were formed in 1995, and it is recognised that they urgently require updating. Currently, data privacy laws are made at a state level, which has resulted in a variety of different rules applying across the EU’s 27 member states. Viviane Reding, EU Justice Commissioner, has just published her proposals for a new directive and regulations for data privacy, which will apply to any company handling EU citizens’ data inside or outside of Europe. The aim of the regulations is to tighten the rules and create a harmonisation of privacy laws across Europe, simplifying the current situation. The rules need to be approved by the EU member states and ratified by the European Parliament before they can come into effect, a process which could take two to three years, during which time they may be subject to amendment. The current proposal includes the following measures:

• A fine of up to 2% of global annual turnover if companies breach proposed EU data laws.

• A fine of up to 0.5% of global turnover for companies that charge a user for a data request.

• A fine of 1% of global turnover if a company refuses to hand over data or fails to correct wrong information.

• Administrative sanctions of up to €1m for individuals.

• The right for users to be “forgotten” and their personal information deleted if there are no “legitimate grounds” for it to be kept.

• An obligation on organisations to report data breaches to the regulator “as soon as possible” – ideally within 24 hours.

• An obligation where the breach is likely to have an adverse impact, to notify customers “without undue delay”.

• A right for individuals to take companies to court that fail to comply with the new directive.

• A requirement that organisations explicitly ask for permission to process data, rather than assume it.

• Companies with 250 or more employees will have to appoint a data protection officer.

• Companies handling EU personal data that do not have a presence in the EU will have to establish an EU representative in a member state where their customers live.

These proposed new regulations follow on from the E-Privacy Directive 2002/58/EC’s Data Breach Notification (DBN) rules, introduced in May 2011, which oblige Internet Service Providers (ISPs) and telecom companies to notify both the authorities and individuals potentially affected if a breach occurs. The consultation process has provided ISPs and telecoms companies with the opportunity to provide feedback on existing practices and the impact of the new rules. The EU is now considering how organisations intend to comply with the requirement to notify, and what types of breach should require notification. It also wants to find out more about cross-border breaches and compliance obligations.

Individual European countries have also introduced their own regulations, and these vary country by country. For example, Germany, Austria and Norway now have national laws which require mandatory notification of data breaches. The UK and Ireland have codes of practice on personal data security breaches, but no mandatory client notification, and Finland and the Netherlands are pushing to have mandatory notification laws in place. Cyprus, the Czech Republic, Estonia, Sweden and Hungary have laws which imply a duty to notify, but do not make it mandatory.


In the UK, the Information Commissioner’s Office (ICO) expects organisations to report all serious data breaches to it. The ICO also requires organisations which process personal data to take strict protective and precautionary security measures and, if these measures are found wanting, the ICO has the power to impose fines of up to £500,000 for data loss.

The Financial Services Authority (FSA) also has the power to issue fines (which have been known to run into millions of pounds) on any financial services company that has been deemed to have put customers’ data at risk.

USA

In the USA there is no single law covering data privacy – but the Obama administration has recently announced support for a federal privacy and national data breach notification law. Currently, laws and regulations vary by state. The vast majority (46) of states have laws which impose mandatory data breach notifications on organisations.

Most state notification laws are based on the California Security Breach Notification Act, which came into force in 2007. It makes breach notification mandatory to all customers residing in California affected by the breach. Some states require notification where data is breached, whereas others require notification only if there is potential for harm to come to the individual due to the breach – for example via identity theft. USA law also states that the responsibility for protecting sensitive data lies with the data owner.


HOW IS THE INSURANCE MARKET RESPONDING TO THE CYBER DATA BREACH CHALLENGE?

To understand how the insurance market is responding to cyber liability and data breach risks, we interviewed four leading specialist cyber and technology underwriters to garner their views on the current market and insurance options, the main drivers for change and the potential for this cover in the future.

The underwriters interviewed are operating in the London market, but write USA and international business. They are:

• Malcolm Randles, Underwriter at Kiln Enterprise Risks 510, RJ Kiln & Co Limited

• Ben Maidment, Underwriter, North American PI, Professional Risks Division, Global Markets Team, Brit Insurance

• Paul Bantick, Underwriter, Professional Liability, Speciality Lines, Beazley

• Iain Ainslie, Underwriter, Technology and Cyber Liability, Ace Group

What is cyber liability insurance?

Products cover a wide range of first and third party risks, and wordings are currently very broad. Companies need to ensure that wordings are adapted to suit their business and the geographies in which they operate – for example, liability cover is currently much more important in the USA where notification is mandatory.

“If you asked ten different people you would probably get ten different answers as to what is cyber insurance,” commented Ben Maidment. “I think the term cyber liability is to some extent out-dated – and it is now more accurately called data security or privacy liability insurance. The trouble with the cyber tag is that it implies that only losses sustained as a result of a hacker attack, virus infection or other electronic means are covered – but today’s policies cover much more than that.”

Iain Ainslie agrees: “The liability name is not really accurate as most of the immediate costs can be triggered without the need for any specific legal action. Currently without mandatory notification regulations in the UK and most of Europe, companies are not required by law to inform customers of a breach, so it is important that any cover purchased in the UK and Europe includes voluntary notification wording.”


Malcolm Randles believes that: “Essentially cyber liability insurance covers two areas and there are two products. One addresses data protection risks both first and third party. The other product covers first party business interruption. The first party data protection provides financial cover for notification costs, IT forensic auditing and crisis PR assistance and brand management. The third party liability cover is for privacy and security liability – and this is especially relevant in the USA where there is a risk of class action lawsuits following a high profile data breach, but it is not so relevant for companies in the UK and Europe right now.”

What are the key elements of a loss that clients are looking to cover?

All the underwriters agree that brand reputation is a key element of cyber cover, and that being able to access the appropriate legal and PR advice immediately after a breach can be critical. Offering these services is a win-win for both the client and the insurer: if a breach is handled promptly and appropriately, the regulator is less likely to take action.

Ben Maidment commented: “In the USA, data security cover is progressively becoming a much easier sell, and this has mainly been driven by the introduction of mandatory data breach notification laws across nearly all states along with a number of high profile breach events, such as that suffered by Sony. Risk managers have recognised the potentially huge cost to their business that data breach events present and the value of purchasing insurance for such a scenario, not solely for the risk transfer but also to access insurers’ specific expertise and specialist vendor relationships to respond to breach events quickly and cost effectively. However, in Europe, where no mandatory obligation to notify currently exists, this is the harder cover to sell, with perhaps a greater interest in business interruption risk.”

“We have learnt a lot from the USA. Most clients want insurance to cover the costs of responding to a breach, and the expertise that comes with that as opposed to specific business interruption cover. So primarily we view this product as breach response privacy cover,” commented Paul Bantick.

“In the UK and Europe the main issues are client notification and brand management, and being able to respond to a breach in the appropriate manner. Currently approximately 50% of breaches are due to a lost laptop with unencrypted data on it – or a rogue employee stealing data – and not a malicious hacker. The product in the UK and Europe focuses mainly on client notification costs, and brand reputation PR specialists. In the USA one of the costs covered is credit monitoring services, but this cannot be offered in the UK or Europe currently although other services are available,” added Paul.


What is the current state of the cyber liability market at the moment, and are prices realistic?

London and Lloyd’s are leading markets for this form of insurance, and at the moment there is ample capacity, as it is viewed as an attractive proposition by insurers. However, this capacity will be tested as laws in Europe change and the risk environment is transformed. In addition, there are likely to be changes to wordings and pricing in the future as the claims history builds and underwriters become more selective.

Malcolm Randles observes: “London and in particular Lloyd’s is a leading market for cyber data privacy insurance, and there is currently ample capacity. It would be possible to put together a programme with USD100-150m limit, but currently no one in Europe is buying this level of cover.”

Ben Maidment commented: “There are significant levels of capacity at present, with most currently covering risks emanating from the USA, where the lion’s share of demand for the coverage is coming from. If, however, the EU brings in the mandatory notification regulations which are proposed, then demand for coverage in Europe will rise and potentially more capacity will be required. With respect to pricing, it is very hard to say whether current pricing levels are realistic. This being a relatively new line of coverage, premiums are very much market driven, and only as the market matures will they prove to be adequate or otherwise, as insurers understand more about the nature and size of claims to expect. My personal opinion is that insurers are currently underpricing the exposure presented as a reflection of the prevailing market conditions and as they seek to build market share in a growing market; I would anticipate that in the medium to long term prices will rise.”

Paul Bantick added: “This form of insurance is viewed as an exciting emerging risk class, as it offers a potential new source of short-tail business. However, I think that many have wordings that have jumped the gun, and these could get scaled back as losses emerge. In terms of pricing, rates are aggressive, but that is not surprising as rates across most lines are soft and there is plenty of competition for this business. However, as breaches become more public, and the rating cycle changes, prices will undoubtedly go up and underwriters will be more selective over the business they write.”

“I think that Lloyd’s will eventually play a bigger role in this market and a more standardised wording will be developed. As more claims come through there is no doubt that actuaries will start to take more interest in this cover, and prices are likely to stabilise in time,” concluded Iain Ainslie.

What defines a good risk?

Risk management is key and insurers like to see evidence that it is a board level responsibility. In many companies, responsibility for data protection is devolved to the IT department which only focuses on the technological aspects of the risk and not brand reputation or the potential financial impact. Companies that take data security seriously and plan and prepare for a data breach or cyber attack are far more likely to get insurance cover than those that don’t. Insurers are wary of companies that see insurance as a financial backstop.

Malcolm Randles commented: “What we look for is a company that takes data breach and cyber risks seriously, where the board is engaged and there is good management of IT security. It will depend on the client, but our approach and information requirement can get quite granular. Ultimately, what we want to see is that the company has the appropriate risk management procedures to deal with that particular sector’s risks and regulatory requirements. We look at all aspects – kick the tyres and lift the engine hood – when assessing if we want to take a risk on or not.”

“A good risk to us is one where the client is only looking to cover the residual exposure that remains after the client has invested in sophisticated IT security, has comprehensive risk management procedures and a strong compliance culture. A bad risk is a client that is looking for their insurance policy to replace making the required investment in risk management, compliance and IT security to mitigate the risk effectively at the front end,” observed Ben Maidment.


Iain Ainslie agrees: “We want to be reassured that there is a strong compliance culture that runs right through our clients’ organisations. All employees need to be aware of the risk as human error still plays a big role in most breaches, so ownership by key stakeholders is vital. We also like to see evidence that the IT department is sophisticated and switched on. For example, sophisticated hackers know that Microsoft releases its anti-virus patches on Tuesday evenings – so the hackers work over Tuesday night to amend their viruses to work around the new patches.”

What trends are you experiencing?

We are seeing more enquiries across the board – from retailers to health companies and financial institutions. In addition new technologies such as smartphones, cloud computing and other developments are creating new risks.

Malcolm Randles commented: “Outsourcing continues to be a major driver for cover, and it is vital that clients do their due diligence when signing up to an outsourced data handler or supplier. Terms and conditions with these companies need to be carefully checked to ensure where the liability lies should something go wrong. Also it is prudent to check in which jurisdiction the data will be held, and what laws apply and also that your customers have given permission for their personal data to be shared with another supplier.”

“The talk at the moment is about the cloud, and it is something we are monitoring closely,” commented Ben Maidment. “The potential for the cloud is huge, but so are the risks inherent with it, particularly in relation to data privacy and loss aggregation. Another issue is the jurisdictional element, which is difficult to handle from both a legal and risk perspective,” added Ben.

Paul Bantick said: “With an increasing number of high profile data breaches hitting the headlines, we are seeing more interest from retailers, health companies and financial institutions. However, if the USA is anything to go by the biggest driver for cover will likely be mandatory notification and regulation.”

What will be the main driver for coverage in the UK and Europe?

A range of developments are driving the development of covers in the UK and Europe including: recent high profile data breaches, government cyber attack strategies, proposed EU-wide mandatory client notification laws, fines, and the increasing sophistication of hackers.

Regulation has been a major driver in the USA, but in Europe it has been much harder to get all the EU countries to agree on a cross-border solution. With the new EU privacy proposals this situation is likely to change, and greater harmonisation of rules is the aim. In the UK, for the time being, the Information Commissioner will continue to focus on using punitive measures, while Germany already has tough privacy and data protection laws. The move to make notification mandatory for ISPs and telecoms companies has driven enquiries for cover and raised awareness of these insurance solutions with risk managers. However, the damage to brand reputation, especially for brands with a retail presence, is also pushing cyber security up the risk management agenda.

Ben Maidment commented: “In the USA, the Obama administration is mooting the idea of a single, consolidated federal breach notification standard, and now draft regulation has been tabled in Europe along the same lines, incorporating mandatory notification. However, I would anticipate it will be a couple of years before it is passed in Europe and becomes binding upon Member States. There will certainly be some opposition from individual governments, including the UK, to the inclusion of the breach notification provisions in their current form, with the feeling that it is overly onerous upon businesses and could potentially lead to ‘notification fatigue’ among consumers. Additionally the UK already takes a punitive approach to try and deter poor data management. The Information Commissioner can fine companies up to £500,000 while the FSA has shown it takes data protection in the financial services industry very seriously, with significant fines levied on Nationwide, HSBC and Zurich Insurance amongst others for poor data security.”

Paul Bantick added: “There is no doubt regulation, PR and knowing what to do in the event of a breach are the major drivers to purchase this form of cover. The other key success element to this product is offering full service risk management advice, access to specialist legal advice and forensics – as this is key to knowing how and when to effectively respond to a breach.”


How do you think demand for cover will increase over the next three years?

It is anticipated that demand for cover in the UK and Europe will grow significantly over the next few years. There is already an increase in enquiries from retailers, financial institutions and healthcare companies. With smartphone technology and online retailing moving at such a pace, the risks are only set to increase. In addition, there is a move by the Securities and Exchange Commission in the USA to insist that all companies list all data breaches in their annual report, which could have legal implications for the board if data breaches have not been dealt with in the appropriate manner.

Malcolm Randles said: “Demand will undoubtedly continue to grow, particularly for the retail sector. There are so many mind-blowing technological developments taking place. In Korea, Tesco is trialling virtual shops in train stations where consumers use their smartphones to scan virtual shelves, order and pay for goods which are then delivered to their home at a convenient time. This move to mobile technology and mobile payment opens up an increasing array of cyber risks, and brands are beginning to get their head around the financial implications to their business.”

Ben Maidment commented: “In the USA we are seeing an uptick in enquiries from the healthcare sector. In the UK and Europe, retailers, telecoms companies and financial service providers appear to be the biggest buyers of this cover at the moment. The market is undoubtedly set to grow over the next three years, though the speed of change will likely be driven by regulation and whether the proliferation of high profile breaches and loss activity continues at the same pace as we have seen in the recent past.”

“The cyber insurance market in the USA has gone in six years from being unknown to the fastest growing insurance product,” commented Paul Bantick. “So when the law across the USA and Europe changes, the demand for cover will increase dramatically. We are also experiencing interest in this cover in Latin and Central America – due to new legislation in Brazil and Mexico’s proximity to the USA,” concluded Paul.

Iain Ainslie added: “I anticipate that mandatory notification will be law across all the states in the USA and across the UK and Europe within the next few years – and there is no doubt that this will drive an increase in sales of this product.”

How do you see the cyber insurance products developing over the next few years?

It is likely that data protection and business interruption cyber covers will develop as two different products. It is also probable that wordings will be reviewed, and will become more tailored so that there is a clearer distinction between E&O and cyber risk. Underwriters are likely to take a tougher stance over risk selection, but ultimately this insurance cover will go from being a ‘could have cover’ to a ‘should have cover’.

Malcolm Randles agrees: “I think that the split between data protection and business interruption will continue to become more defined, and the products will probably be more tailored for industry sectors and their specific requirements. Lloyd’s and the London market have a unique flexibility to differentiate products, and I think they will continue to lead the international market in this respect. Increasingly, underwriters are including harsher exclusions, and in particular they are starting to take a lack of encryption on systems very seriously.”

Ben Maidment comments: “The business interruption element of the product has not been sold very successfully up to now and we either need to demonstrate the value of the coverage in its present form more effectively or make the products more attractive by talking to clients and understanding their needs better than we are currently. Also, clients and underwriters are only just getting their heads around the potential and the risks involved in the ever-increasing use of and reliance upon smartphones and mobile technology. There is no doubt that mobile technology is here to stay and this creates a number of fundamental risks which insurers must understand and address.”

Paul Bantick said: “I think wordings will be the major element to change. There also needs to be a clearer definition as to why stand alone cyber cover is required – as some clients seem to think that their property or E&O cover will cover them for these risks – which is not really the case, but better clarity of cover overlap is required.”


Will there be standardised products that all businesses will buy in the future?

Due to the nature of technology risks, it is unlikely that products will be fully standardised. A lot will depend on the nature and size of the company, the sophistication of its risk management and its risk appetite. For smaller companies, there is likely to be some form of commoditisation of these products, but for larger international companies this is not likely to be the case. Instead it is likely that a suite of products will be produced with flexible wordings instead of a one size fits all product.

Malcolm Randles thinks: “There will be more standardised products emerging for small to small medium companies, but the pace and scale of change means a one size fits all approach will not suit the majority of our clients. An example of this is that cookies and super cookies might be breaching some privacy laws if the cookie owner does not indemnify itself on its wording on its website. Another is that smartphones might be tracking owner location without their knowledge and consent – which technically is illegal. So I am sure that the majority of businesses will require data privacy insurance in some form or other but it won’t be easy to commoditise these covers to suit all clients.”

Ben Maidment commented: “The basic elements can be covered by a standard product, but trying to predict where technology is going is hard, and it is equally hard trying to predict where the next attack will emanate from, how it will manifest itself and how insurance should respond.”

Iain Ainslie believes that: “The insurance markets will develop a suite of products to suit the differing needs of clients dependent on the size and scope of their business operations and where and how their data is held online.”

Strong agreement on insurance trends

A number of common themes emerged from our underwriter interviews:

• There is likely to be a lack of clarity on what cyber liability insurance is and the current product is likely to change over the next couple of years;

• The majority of companies in the UK and Europe are not currently purchasing this cover and the need for cover will be driven by new mandatory notification laws;

• Insurers identify cyber as a significant emerging risk sector and a particularly attractive one as it is short-tail business with massive growth potential;

• Prices are unrealistically low and wordings broad, but until there is more historical claims data available this situation is unlikely to change;

• This is a highly reactive insurance – with insurers providing clients with access to specialist legal advice, best practice risk mitigation guidance, and advisers to help clients minimise the impact of the breach on their customers and ultimately their business. This is a vital selling point of this insurance; and

• There will be some standardised products emerging but outsourcing, cloud and smartphone technology will raise the stakes in terms of cyber risks. Insurance products will need to keep evolving in line with the risks.


A division of Lockton Companies LLP. Authorised and regulated by the Financial Services Authority. A Lloyd’s broker Registered in England & Wales at The St Botolph Building, 138 Houndsditch, London, EC3A 7AG.

Company No. OC353198. www.lockton.com

Our Mission: To be the worldwide value and service leader in insurance brokerage and risk management

Our Goal: To be the best place to do business and to work