Cyber risks decoded
A report on data risks, the law, risk mitigation and insurance
February 2012
TABLE OF CONTENTS
EXECUTIVE SUMMARY 01
WHAT ARE THE MAIN CYBER RISKS? 03
WHAT ARE THE COSTS OF CYBER CRIME AND DATA BREACHES? 05
CYBER CRIME EXAMPLES 06
SPOTLIGHT ON RETAILERS – ARE THEY PREPARED? 07
HOW IS THE LAW DEVELOPING? 08
HOW IS THE INSURANCE MARKET RESPONDING TO THE CYBER DATA BREACH CHALLENGE? 10

Cyber risks decoded: A report on data risks, the law and risk mitigation and insurance
EXECUTIVE SUMMARY

Cyber crime is not a fictional concept; it is a very real problem. Last year the cost of global cyber crime was estimated to be USD388bn[1] – with an individual falling victim to a form of online crime every 19 seconds.

In today’s multi-channel, mobile and inter-connected world, every element of society including government, industry, commerce, charity, health, education and individual citizens is increasingly at risk as more and more sensitive data is stored on a computer system somewhere in the world. The risks are constantly evolving as technology develops, and they are likely to become more acute as a new generation of smartphones effectively become mobile wallets, which will place ever greater volumes of personal and financial data at risk.

To understand these issues better, we interviewed IMRG – the UK’s industry association for global e-retailing, four leading cyber and data protection underwriters, and members of the Lockton specialist technology and privacy practice in November and December 2011. We also undertook a variety of desk research. Our goals were to:
• Define the cyber threats to domestic and global businesses
• Quantify the costs of a data breach
• Understand current and future legal requirements
• Outline the insurance solutions available

Threat is growing
Criminals looking to steal and exploit data for financial gain are in an increasingly strong position. Not only does new technology and growing access to that technology provide ever more opportunity, but governments and private enterprises are aware that they can no longer keep quiet about data leaks and malicious attacks on their IT systems. While it is good to keep the public informed, any release of information on the nature and extent of cyber attacks and how to prevent them also educates the fraudsters and raises the threat level further.

Regulatory change is happening
Regulators across the world are waking up to the fact that changes in data privacy laws are required. The Obama administration in the USA, and the European Justice Commissioner, Viviane Reding, are both proposing new national and cross-border data breach notification and data privacy laws. These will have a major impact on companies, forcing them to notify regulators and consumers every time a data breach occurs, even if no records have been accessed. The EU data privacy proposals include fines of up to 2% of global annual turnover if a company breaches the proposed data laws, a requirement for companies with over 250 employees to appoint a data protection officer, and for all breaches to be reported to the regulator – ideally within 24 hours. These regulations present a significant new compliance burden for risk managers.

Cost of data breach is rising
One certainty in this complex and fast moving area is that data breaches are becoming more common and dealing with them increasingly costly, complex and damaging for the organisation that ‘owns’ the data. Norton’s Cybercrime Report for 2011 estimates that the cost of stolen cash and the cost of time spent on identifying and resolving data breaches to businesses and governments is around USD388bn globally.

[1] Norton Cybercrime Report 2011 - http://community.norton.com
Three key causes of loss
As severity and frequency rise, risk managers and finance directors are realising that they need to develop a greater understanding of how to predict and prevent data breaches. According to NetDiligence’s recent study of cyber and data breach insurance claims[2] published in June 2011, the reasons for data loss break down into three main areas.
• Hackers and criminals were responsible for 32% of breach events
• Rogue employees were the cause of 19% of data breaches – and the poor economic climate is expected to exacerbate this problem going forward
• Theft of mobile computer equipment such as laptops and memory sticks carrying unencrypted data was responsible for 33% of breaches

Insurance market is responding
As the frequency and severity of cyber data risk increases, so the insurance world is becoming more concerned about the financial risks associated with a data breach and cyber crime. There is a growing insurance market for both first and third party data liability business, and also first party business interruption cover. These products and covers are likely to continue to develop over the coming years. London is a pre-eminent market for this business due to high levels of innovation and its ability to provide specialist and tailored cover. We expect that the introduction of mandatory reporting of data breaches for companies handling EU citizens’ data inside or outside Europe will significantly speed up the rate of new product development in 2012 and beyond.

Data privacy is the top emerging risk for the 21st century
In our opinion data privacy is, and will continue to be, the biggest emerging risk for businesses in the 21st century. Any company that does not put appropriate risk management and mitigation measures in place to deal with a potential data breach will suffer significant financial loss and irreversible damage to their brand reputation. However, companies that do plan for a breach, have robust risk management measures and systems in place and respond in a responsible and appropriate manner can emerge from a data breach incident relatively unscathed. Insurance can provide essential financial assistance and access to highly experienced legal, IT forensic and crisis PR advice – which can help companies preserve reputation and get back to trading as rapidly as possible.

We hope that you find this report informative and interesting. Please contact a member of Lockton’s global technology and privacy practice if you would like to discuss any of our findings.

Ben Beeson, Partner, Lockton Companies LLP, Global Technology and Privacy Practice

[2] NetDiligence – Study of cyber and data breach insurance claims – June 2011 - http://www.netdiligence.com
WHAT ARE THE MAIN CYBER RISKS?

The connectivity that technology creates brings many business benefits, but there is a flip side. With the proliferation of mobile devices including Blackberries, iPhones, smartphones, notebooks and iPads, commercial organisations are opening themselves up to new and growing threats from the risk of cyber crime and data loss.

As many entities, including Sony, TJX, T-Mobile and HM Revenue and Customs have discovered, the reality of dealing with an online attack targeting personal details of customers is very expensive and damaging to a brand’s reputation. In this section of the report, we review the various threats facing businesses. We also shine a spotlight on the retail sector and examine how seriously retailers are taking the threats and what steps they are taking to protect their business.

Cyber risk takes many forms – from human error, mischief, revenge, fraud, extortion and espionage through to terrorism.

Human error
The majority of data breaches occur because of human error or a glitch in the system. These errors are often compounded when organisations fail to observe basic security procedures and to encrypt sensitive information. The most common reasons for data going astray are:
• Stolen or lost laptops, data sticks, flash drives, back-up tapes and CD-ROMs carrying unencrypted information
• Emails with sensitive customer data being sent in error
• Databases not being effectively protected
• Loss of unencrypted data in transit from one organisation to another

Theft
Personal and financial data has a value. In these uncertain and tough economic times there has been a significant increase in the number of individuals as well as organised criminal gangs stealing personal data. Some of the theft is achieved through the use of computer viruses and malware – special software designed with the intention of breaching another computer system to allow access to sensitive data.

In 2011, the Data Breach Investigations Report (DBIR[3]) identified the main causes of data theft as follows:
• 92% from external agents (+22%[4])
• 17% from business insiders (-31%)
• 1% from business partners (-10%)
• 9% involved multiple parties (-18%)

The DBIR examined how breaches occurred, discovering that:
• 50% utilised some form of hacking (+10%)
• 49% incorporated malware (+11%)
• 29% involved physical attacks (+14%)
• 17% resulted from privilege misuse (-31%)
• 11% employed social tactics (-17%)

From these statistics it is easy to see that the external risks from professional hackers and criminals are increasing, and that these criminals are becoming increasingly sophisticated in the tactics they are using to steal data.

Spear phishing
If data including email addresses is stolen, there is a danger that the contacts could become the victims of a spear phishing scam. Spear phishers send email purporting to come from a reputable source in order to acquire personal information such as bank details, passwords or user names. Because the email looks genuine, consumers are fooled into giving away personal information which can enable fraudsters to steal their identity and so gain access to their bank accounts, credit or store cards.

There have been a number of high profile hacking cases this year where outsourced data management companies (that manage online marketing for a number of high profile companies such as Marks & Spencer, Hilton Hotels, Marriott Hotels and Play.com) have been targeted and customer email addresses have been stolen, with the intention of using them in spear phishing scams.

[3] 2011 Data Breach Investigations Report produced for Verizon – www.verizonbusiness.com which uses data from Verizon, the United States Secret Service and the Dutch National High Tech Crime Unit.
[4] (+ / - on 2010 DBIR figures)
Hacktivism
This is a relatively new trend where an organisation’s computer system is hacked into in order to protest or to promote a political viewpoint. This form of hacking is not usually done for any personal gain, instead it is done with an ideological goal in mind and often results in websites being defaced, or taken over, email campaigns or anonymous blogging – all of which can be extremely damaging to a corporate reputation.

Denial of service (DoS)
DoS attacks have been in the news this year when the Amazon and PayPal sites, among others, were bombarded with large numbers of site requests at the same time by people protesting about Wikileaks’ founder Julian Assange’s arrest. As a result of the heightened volume of traffic, the system overloads and the site crashes before being taken offline for a number of days until the attack dies down. DoS attacks forced Amazon and PayPal to stop online trading for a time. The attacks created a major disruption to these businesses, damaged consumer trust and harmed their brand’s reputation, negatively affecting their share price.

Cyber-extortion
Sometimes attackers threaten, or carry out, a DoS attack as a means of extortion. These attacks usually do not get reported in the press for fear of the impact on the company’s share price, and also to reduce the potential for copycat attacks. Because these attacks are often kept quiet, the true scale of the problem is hard to assess, but anecdotal evidence would point to this being a growing issue. Another method is to use a ‘Trojan’ virus to encrypt the target’s data within its computer systems. Once the attacker is in the system and has locked up the target’s data, it is in a powerful position to try and extort money from the company. The attackers tend to operate internationally and use fake email addresses making identification and arrest very difficult to achieve.

Cloud computing
There is a move for organisations to outsource data storage and related IT service to a third party cloud computing supplier. Not only does this provide access to cheaper, scalable and up-to-date systems, it also enables employees to access the organisation’s computer system remotely via the internet – allowing for flexible and home working. The business benefits are obvious, but there are also significant risks, of which many companies may be unaware. Working with a cloud provider means that companies are essentially handing over responsibility for all their company data to a third party, whose servers or internet space are often not located in the same country or jurisdiction as their client. Because of the global nature of the internet, many cloud suppliers are unable to clarify where particular data sets are held at any given time, making it difficult or impossible for data owners to ensure that they are compliant with the relevant local legislation. Many of the cloud operators are large international companies and have developed very stringent terms and conditions which indemnify the provider against the majority of liabilities associated with data loss or a data breach from their system.

Emerging themes
Our research shows that there are a number of commonalities between data breach incidents, and that many systems are easy to breach. Breaches are often discovered by third parties, not the data owner, suggesting that online security and risk management controls are often inadequate.
WHAT ARE THE COSTS OF CYBER CRIME AND DATA BREACHES?

There are laws in place in the majority of states in the USA and some parts of Europe which force companies to notify their customers of a data breach. The cost of dealing with a data breach is significantly more expensive in countries which have mandatory client notification, and this appears to be the way in which most regulators are heading (for more information on this see the law section of this report). Using the USA as a benchmark gives us a good indication of the likely costs of a data breach in other countries in the future.

The two charts below clearly show the impact that mandatory notification legislation has in terms of cost and lost business.

USA data breach costs
USA data breach cost with mandatory client notification law[6] (all costs in the chart below are in USD and are for cost per record breached)

Cost per record (USD)        2008   2009   2010
Detection and escalation        8      8     13
Notification                   15     15     15
Response                       39     46     51
Lost business                 139    135    134
Total                         202    204    214

Average cost to the organisation: USD7.2m

The USA figures are particularly high because 46 out of 50 states have compulsory notification laws in place.

UK data breach costs
In the UK, where notification is not currently mandatory, the costs of a data breach are currently much lower. In the 2010 Annual Study into the cost of UK data breaches, the Ponemon Institute assessed the cost of UK data breaches involving the loss of between 6,900 and 72,000 records. It found that the average cost per record had increased from GBP65.00 in 2009 to GBP71.00 in 2010.

UK data breach cost with voluntary client notification law[7] (all costs in the chart below are in GBP and are for cost per record breached)

Cost per record (GBP)        2008   2009   2010
Detection and escalation       11     12     14
Notification                    3      7      6
Response                       14     17     17
Lost business                  32     29     34
Total                          60     65     71

Average cost to the organisation: GBP1.9m

[6] 2010 Annual Study – U.S. Cost of a Data Breach – www.symantec.com www.ponemon.org
[7] 2010 Annual Study – UK Cost of a Data Breach – www.symantec.com www.ponemon.org [UK figures – updated 20th February 2012]
CYBER CRIME EXAMPLES

Sony Corporation
Earlier this year the Sony Corporation discovered that 77 million PlayStation network and Qriocity user names, email addresses, phone numbers and – reportedly – credit card details had been maliciously breached. The first breach was followed shortly after by a second breach of the personal details of its 24.6 million Sony Online Entertainment customers. The breaches resulted in a 23-day closure of the PlayStation online network, and Sony has suffered significant financial loss to an estimated tune of USD171m. This estimated cost does not include any lawsuits that Sony will have to defend as a result of class actions being filed against the Corporation by affected customers. The costs do, however, include the cost of notifying and assisting customers, IT forensic costs and system overhaul as well as reputation management. The Sony brand and share price took a significant battering, dropping 55% in just four months as a result of the breach and resulting negative publicity.
- Estimated financial loss: USD171m
- 55% drop in share value in four months post the breach
- 23-day shut down of the PlayStation online network

TJX Companies
Another high profile and costly case was TJX Companies, the parent company for TJ Maxx in the USA and TK Maxx in the UK. In 2007, the company discovered that it had been using an unsecured wireless network for around 18 months and during this time a hacker with a laptop and antenna accessed over 45.5 million credit and debit card numbers and the personal data of 451,000 shoppers who had returned goods. The cost of client notification, IT system overhaul, business interruption, fines, credit card repayments and legal costs is estimated to have been over USD1bn. TJX learned a hard lesson, that cyber security and robust protection of customer data is critical in today’s technological trading environment.
- Estimated financial loss: USD1bn
- Number of records accessed: 45.5 million
SPOTLIGHT ON RETAILERS – ARE THEY PREPARED?

The majority of retailers are looking to expand their business via multi-channel retailing – using a combination of physical and ‘virtual’ shops, retail websites, smartphone apps and mail order as channels to market. With this in mind we asked Andrew McClelland, Chief Operations & Policy Officer, IMRG – the UK’s industry association for global e-retailing – to give us an industry perspective on the cyber risks facing retailers and the key drivers for change.

Are retailers taking data breach risks seriously?
It is only a matter of time before a major UK retailer suffers a serious data breach. DoS attacks, data compromises and cyber-extortion attempts do happen, so the challenge for retailers is ensuring that they have processes and systems in place to counter the risk. Given the current economic climate, data protection is not as high up the corporate risk agenda as it should be. Most retailers’ senior management are focused on their bottom line and shareholder confidence, and they assume the IT and risk management team are up to speed on data protection measures. However, the IT teams are under pressure to reduce costs and to develop existing and new retail channels, so their budgets are being squeezed and as a result the latest security measures are unfortunately not always a priority.

It will take a major incident to force boards to concentrate, because this would undoubtedly lead to a fall in consumer trust in online retailing. This would alarm shareholders and senior managers and make cyber risk an agenda item at board meetings.

How should retailers respond to a breach?
In a data breach situation companies need to have well-rehearsed plans that immediately swing into action. The retailer needs to communicate with affected customers providing help lines, credit checks and the reassurance that they have the situation in hand. An IT system audit should be immediately undertaken, by external specialists if necessary, to identify the source of the problem and how to plug it. What tends to happen if there is no contingency plan is that there is an information vacuum, which then creates negative media coverage and unhappy customers. The result is a loss of customer confidence, brand damage and a possible hit to a company’s share price and profitability. However, evidence exists which shows that companies that handle a data breach efficiently and effectively, taking proactive measures to inform and support customers, can emerge with an enhanced brand reputation and a more loyal customer base than before the breach.

Do most retailers take out cyber data liability insurance?
Insurance is not yet seen as a critical priority unless retailers have already suffered a cyber attack. However, I anticipate that this situation may be about to change as legislation across the EU is moving towards mandatory client notification, as has been the case in the majority of the states in the USA for several years.
HOW IS THE LAW DEVELOPING?

Data protection and privacy laws vary by country and are very complex. With the increase in the number and value of data breach incidents, regulators across Europe and in the USA are currently reviewing how legislation can be used to force organisations to better protect sensitive data. However, what is increasingly clear is that there is not going to be a single, global ‘one size fits all’ solution. The result is a headache for international companies trying to comply with or anticipate the law, and for risk managers trying to advise on best practice and monitor global compliance.

Europe
The European Union’s data protection laws were formed in 1995, and it is recognised that they urgently require updating. Currently, data privacy laws are made at a state level, which has resulted in a variety of different rules applying across the EU’s 27 member states. Viviane Reding, EU Justice Commissioner, has just published her proposals for a new directive and regulations for data privacy, which will apply to any company handling EU citizens’ data inside or outside of Europe. The aim of the regulations is to tighten the rules and create a harmonisation of privacy laws across Europe, simplifying the current situation. The rules need to be approved by the EU member states and ratified by the European Parliament before they can come into effect, a process which could take two to three years, during which time they may be subject to amendment. The current proposal includes the following measures:
• A fine of up to 2% of global annual turnover if companies breach proposed EU data laws.
• A fine of up to 0.5% of global turnover for companies that charge a user for a data request.
• A fine of 1% of global turnover if a company refuses to hand over data or fails to correct wrong information.
• Administrative sanctions of up to €1m for individuals.
• The right for users to be “forgotten” and their personal information deleted if there are no “legitimate grounds” for it to be kept.
• An obligation on organisations to report data breaches to the regulator “as soon as possible” – ideally within 24 hours.
• An obligation, where the breach is likely to have an adverse impact, to notify customers “without undue delay”.
• A right for individuals to take companies to court that fail to comply with the new directive.
• A requirement that organisations explicitly ask for permission to process data, rather than assume it.
• Companies with 250 or more employees will have to appoint a data protection officer.
• Companies handling EU personal data that do not have a presence in the EU will have to establish an EU representative in a member state where their customers live.

These proposed new regulations follow on from the E-Privacy Directive 2002/58/EC called Data Breach Notification (DBN), which was introduced in May 2011, which obliges Internet Service Providers (ISPs) and telecom companies to notify both the authorities and individuals potentially affected if a breach occurs. The consultation process has provided ISPs and telecoms companies with the opportunity to provide feedback on existing practices and the impact of the new rules. The EU is now considering how organisations intend to comply with the requirement to notify, and what type of breaches should require notification. It also wants to find out more about cross-border breaches and compliance obligations.

Individual European countries have also introduced their own regulations, and these vary country by country. For example Germany, Austria and Norway now have national laws which require mandatory notification of data breaches. The UK and Ireland have codes of practice on personal data security breaches, but no mandatory client notification, and Finland and the Netherlands are pushing to have mandatory notification laws in place. Cyprus, the Czech Republic, Estonia, Sweden and Hungary have laws which imply a duty to notify, but which is not mandatory.
In the UK, the Information Commissioner’s Office (ICO) expects organisations to report all serious data breaches to it. The ICO also requires organisations which process personal data to take strict protective and precautionary security measures and, if these measures are found wanting, the ICO has the power to impose fines of up to £500,000 for data loss.

The Financial Services Authority (FSA) also has the power to issue fines (which have been known to run into millions of pounds) on any financial services company that has been deemed to have put customers’ data at risk.

USA
In the USA there is no single law covering data privacy – but the Obama administration has recently announced support for a federal privacy and national data breach notification law. Currently, laws and regulations vary by state. The vast majority (46) of states have laws which impose mandatory data breach notifications on organisations.

Most state notification laws are based on the California Security Breach Notification Act, which came into force in 2007. It makes breach notification mandatory to all customers residing in California affected by the breach. Some states require notification where data is breached, whereas others require notification only if there is potential for harm to come to the individual due to the breach – for example via identity theft. USA law also states that the responsibility for protecting sensitive data lies with the data owner.
HOW IS THE INSURANCE MARKET RESPONDING TO THE CYBER DATA BREACH CHALLENGE?

To understand how the insurance market is responding to cyber liability and data breach risks, we interviewed four leading specialist cyber and technology underwriters to garner their views on the current market and insurance options, the main drivers for change and the potential for this cover in the future. The underwriters interviewed are operating in the London market, but write USA and international business. They are:
• Malcolm Randles – Underwriter at Kiln Enterprise Risks 510, RJ Kiln & Co Limited
• Ben Maidment – Underwriter, North American PI, Professional Risks Division, Global Markets Team, Brit Insurance
• Paul Bantick – Underwriter, Professional Liability Speciality Lines, Beazley
• Iain Ainslie – Underwriter, Technology and Cyber Liability, Ace Group

What is cyber liability insurance?
Products cover a wide range of first and third party risks, and wordings are currently very broad. Companies need to ensure that wordings are adapted to suit their business and the geographies in which they operate – for example liability cover is currently much more important in the USA where notification is mandatory.

“If you asked ten different people you would probably get ten different answers as to what is cyber insurance,” commented Ben Maidment. “I think the term cyber liability is to some extent out-dated – and it is now more accurately called data security or privacy liability insurance. The trouble with the cyber tag is that it implies that only losses sustained as a result of a hacker attack, virus infection or other electronic means are covered – but today’s policies cover much more than that.”

Iain Ainslie agrees: “The liability name is not really accurate as most of the immediate costs can be triggered without the need for any specific legal action. Currently without mandatory notification regulations in the UK and most of Europe, companies are not required by law to inform customers of a breach, so it is important that any cover purchased in the UK and Europe includes voluntary notification wording.”
Malcolm Randles believes that: “Essentially cyber liability insurance covers two areas and there are two products. One addresses data protection risks both first and third party. The other product covers first party business interruption. The first party data protection provides financial cover for notification costs, IT forensic auditing and crisis PR assistance and brand management. The third party liability cover is for privacy and security liability – and this is especially relevant in the USA where there is a risk of class action lawsuits following a high profile data breach, but it is not so relevant for companies in the UK and Europe right now.”

What are the key elements of a loss that clients are looking to cover?
All the underwriters agree that brand reputation is a key element of cyber cover, and that being able to access the appropriate legal and PR advice immediately after a breach can be critical. Offering these services is a win-win for both the client and the insurer – as if a breach is handled promptly and appropriately, the regulator is less likely to take action.

Ben Maidment commented: “In the USA, data security cover is progressively becoming a much easier sell, and this has mainly been driven by the introduction of mandatory data breach notification laws across nearly all states along with a number of high profile breach events, such as that suffered by Sony. Risk managers have recognised the potentially huge cost to their business that data breach events present and the value of purchasing insurance for such a scenario, not solely for the risk transfer but also to access insurers’ specific expertise and specialist vendor relationships to respond to breach events quickly and cost effectively. However in Europe, where no mandatory obligation to notify currently exists, this is the harder cover to sell with perhaps a greater interest in business interruption risk.”

“We have learnt a lot from the USA. Most clients want insurance to cover the costs of responding to a breach, and the expertise that comes with that as opposed to specific business interruption cover. So primarily we view this product as breach response privacy cover,” commented Paul Bantick.

“In the UK and Europe the main issues are client notification and brand management, and being able to respond to a breach in the appropriate manner. Currently approximately 50% of breaches are due to a lost laptop with unencrypted data on it – or a rogue employee stealing data – and not a malicious hacker. The product in the UK and Europe focuses mainly on client notification costs, and brand reputation PR specialists. In the USA one of the costs covered is credit monitoring services, but this cannot be offered in the UK or Europe currently although other services are available,” added Paul.
What is the current state of the cyber liability market at the moment, and are prices realistic?

London and Lloyd’s are leading markets for this form of insurance, and at the moment there is ample capacity, as it is viewed as an attractive proposition by insurers. However, this capacity will be tested as laws in Europe change and the risk environment is transformed. In addition, there are likely to be changes to wordings and pricing in the future as the claims history builds and underwriters become more selective.

Malcolm Randles observes: “London, and in particular Lloyd’s, is a leading market for cyber data privacy insurance, and there is currently ample capacity. It would be possible to put together a programme with a USD100-150m limit, but currently no one in Europe is buying this level of cover.”

Ben Maidment commented: “There are significant levels of capacity at present, with most currently covering risks emanating from the USA, where the lion’s share of demand for the coverage is coming from. If, however, the EU brings in the mandatory notification regulations which are proposed, then demand for coverage in Europe will rise and potentially more capacity will be required. With respect to pricing, it is very hard to say whether current pricing levels are realistic. This being a relatively new line of coverage, premiums are very much market driven, and only as the market matures will they prove to be adequate or otherwise, as insurers understand more about the nature and size of claims to expect. My personal opinion is that insurers are currently underpricing the exposure presented, as a reflection of the prevailing market conditions and as they seek to build market share in a growing market; I would anticipate that in the medium to long term prices will rise.”

Paul Bantick added: “This form of insurance is viewed as an exciting emerging risk class, as it is attractive, offering a potential new source of short-tail business. However, I think that many have wordings that have jumped the gun, and these could get scaled back as losses emerge. In terms of pricing, rates are aggressive, but that is not surprising as rates across most lines are soft and there is plenty of competition for this business. However, as breaches become more public, and the rating cycle changes, prices will undoubtedly go up and underwriters will be more selective over the business they write.”

“I think that Lloyd’s will eventually play a bigger role in this market and a more standardised wording will be developed. As more claims come through there is no doubt that actuaries will start to take more interest in this cover, and prices are likely to stabilise in time,” concluded Iain Ainslie.

What defines a good risk?

Risk management is key, and insurers like to see evidence that it is a board-level responsibility. In many companies, responsibility for data protection is devolved to the IT department, which focuses only on the technological aspects of the risk and not on brand reputation or the potential financial impact. Companies that take data security seriously and plan and prepare for a data breach or cyber attack are far more likely to get insurance cover than those that don’t. Insurers are wary of companies that see insurance as a financial backstop.

Malcolm Randles commented: “What we look for is a company that takes data breach and cyber risks seriously, where the board is engaged and there is good management of IT security. It will depend on the client, but our approach and information requirement can get quite granular. Ultimately, what we want to see is that the company has the appropriate risk management procedures to deal with that particular sector’s risks and regulatory requirements. We look at all aspects – kick the tyres and lift the engine hood – when assessing if we want to take a risk on or not.”

“A good risk to us is one where the client is only looking to cover the residual exposure that remains after the client has invested in sophisticated IT security, has comprehensive risk management procedures and a strong compliance culture. A bad risk is a client that is looking for their insurance policy to replace making the required investment in risk management, compliance and IT security to mitigate the risk effectively at the front end,” observed Ben Maidment.
Iain Ainslie agrees: “We want to be reassured that there is a strong compliance culture that runs right through our clients’ organisations. All employees need to be aware of the risk, as human error still plays a big role in most breaches, so ownership by key stakeholders is vital. We also like to see evidence that the IT department is sophisticated and switched on. For example, sophisticated hackers know that Microsoft releases its anti-virus patches on Tuesday evenings – so the hackers work over Tuesday night to amend their viruses to work around the new patches.”

What trends are you experiencing?

We are seeing more enquiries across the board – from retailers to health companies and financial institutions. In addition, new technologies such as smartphones, cloud computing and other developments are creating new risks.

Malcolm Randles commented: “Outsourcing continues to be a major driver for cover, and it is vital that clients do their due diligence when signing up to an outsourced data handler or supplier. Terms and conditions with these companies need to be carefully checked to ensure where the liability lies should something go wrong. Also it is prudent to check in which jurisdiction the data will be held and what laws apply, and also that your customers have given permission for their personal data to be shared with another supplier.”

“The talk at the moment is about the cloud, and it is something we are monitoring closely,” commented Ben Maidment. “The potential for the cloud is huge, but so are the risks inherent with it, particularly in relation to data privacy and loss aggregation. Another issue is the jurisdictional element, which is difficult to handle from both a legal and risk perspective,” added Ben.

Paul Bantick said: “With an increasing number of high profile data breaches hitting the headlines, we are seeing more interest from retailers, health companies and financial institutions. However, if the USA is anything to go by, the biggest driver for cover will likely be mandatory notification and regulation.”

What will be the main driver for coverage in the UK and Europe?

Several developments are driving the growth of covers in the UK and Europe, including: recent high profile data breaches, government cyber attack strategies, proposed EU-wide mandatory client notification laws, fines, and the increasing sophistication of hackers.

Regulation has been a major driver in the USA, but in Europe it has been much harder to get all the EU countries to agree on a cross-border solution. With the new EU privacy proposals this situation is likely to change, and greater harmonisation of rules is the aim. In the UK, for the time being, the Information Commissioner will continue to focus on using punitive measures, while in Germany there are tough privacy/data protection laws. The move to make notification mandatory for ISPs and telecoms companies has driven enquiries for cover and raised awareness of these insurance solutions with risk managers. However, the damage to brand reputation, especially for brands with a retail presence, is also pushing cyber security up the risk management agenda.

Ben Maidment commented: “In the USA, the Obama administration is mooting the idea of a single, consolidated federal breach notification standard, and now draft regulation has been tabled in Europe along the same lines, incorporating mandatory notification. However, I would anticipate it will be a couple of years before it is passed in Europe and becomes binding upon Member States. There will certainly be some opposition from individual governments, including the UK, to the inclusion of the breach notification provisions in their current form, with the feeling that it is overly onerous upon businesses and could potentially lead to ‘notification fatigue’ among consumers. Additionally, the UK already takes a punitive approach to try and deter poor data management. The Information Commissioner can fine companies up to £500,000, while the FSA has shown it takes data protection in the financial services industry very seriously, with significant fines levied on Nationwide, HSBC and Zurich Insurance amongst others for poor data security.”

Paul Bantick added: “There is no doubt regulation, PR and knowing what to do in the event of a breach are the major drivers to purchase this form of cover. The other key success element of this product is offering full service risk management advice, access to specialist legal advice and forensics – as this is key to knowing how and when to effectively respond to a breach.”
How do you think demand for cover will increase over the next three years?

It is anticipated that demand for cover in the UK and Europe will grow significantly over the next few years. There is already an increase in enquiries from retailers, financial institutions and healthcare companies. With smartphone technology and online retailing moving at such a pace, the risks are only set to increase. In addition, there is a move by the Securities and Exchange Commission in the USA to insist that all companies list all data breaches in their annual report, which could have legal implications for the board if data breaches have not been dealt with in the appropriate manner.

Malcolm Randles said: “Demand will undoubtedly continue to grow, particularly for the retail sector. There are so many mind-blowing technological developments taking place. In Korea, Tesco is trialling virtual shops in train stations where consumers use their smartphones to scan virtual shelves, order and pay for goods, which are then delivered to their home at a convenient time. This move to mobile technology and mobile payment opens up an increasing array of cyber risks, and brands are beginning to get their heads around the financial implications for their business.”

Ben Maidment commented: “In the USA we are seeing an uptick in enquiries from the healthcare sector. In the UK and Europe, retailers, telecoms companies and financial service providers appear to be the biggest buyers of this cover at the moment. The market is undoubtedly set to grow over the next three years, though the speed of change will likely be driven by regulation and whether the proliferation of high profile breaches and loss activity continues at the same pace as we have seen in the recent past.”

“The cyber insurance market in the USA has gone in six years from being unknown to the fastest growing insurance product,” commented Paul Bantick. “So when the law across the USA and Europe changes, the demand for cover will increase dramatically. We are also experiencing interest in this cover in Latin and Central America – due to new legislation in Brazil and Mexico’s proximity to the USA,” concluded Paul.

Iain Ainslie added: “I anticipate that mandatory notification will be law across all the states in the USA and across the UK and Europe within the next few years – and there is no doubt that this will drive an increase in sales of this product.”

How do you see the cyber insurance products developing over the next few years?

It is likely that data protection and business interruption cyber covers will develop as two different products. It is also probable that wordings will be reviewed and will become more tailored, so that there is a clearer distinction between E&O and cyber risk. Underwriters are likely to take a tougher stance over risk selection, but ultimately this insurance cover will go from being a ‘could have’ cover to a ‘should have’ cover.

Malcolm Randles agrees: “I think that the split between data protection and business interruption will continue to become more defined, and the products will probably be more tailored for industry sectors and their specific requirements. Lloyd’s and the London market have a unique flexibility to differentiate products, and I think they will continue to lead the international market in this respect. Increasingly, underwriters are including harsher exclusions, and in particular they are starting to take a lack of encryption on systems very seriously.”

Ben Maidment comments: “The business interruption element of the product has not been sold very successfully up to now, and we either need to demonstrate the value of the coverage in its present form more effectively or make the products more attractive by talking to clients and understanding their needs better than we are currently. Also, clients and underwriters are only just getting their heads around the potential and the risks involved in the ever-increasing use of and reliance upon smartphones and mobile technology. There is no doubt that mobile technology is here to stay, and this creates a number of fundamental risks which insurers must understand and address.”

Paul Bantick said: “I think wordings will be the major element to change. There also needs to be a clearer definition as to why stand-alone cyber cover is required – as some clients seem to think that their property or E&O cover will cover them for these risks – which is not really the case, but better clarity of cover overlap is required.”
Will there be standardised products that all businesses will buy in the future?

Due to the nature of technology risks, it is unlikely that products will be fully standardised. A lot will depend on the nature and size of the company, the sophistication of its risk management and its risk appetite. For smaller companies, there is likely to be some form of commoditisation of these products, but for larger international companies this is not likely to be the case. Instead, it is likely that a suite of products will be produced with flexible wordings rather than a one-size-fits-all product.

Malcolm Randles thinks: “There will be more standardised products emerging for small to medium companies, but the pace and scale of change means a one-size-fits-all approach will not suit the majority of our clients. An example of this is that cookies and super cookies might be breaching some privacy laws if the cookie owner does not indemnify itself in its wording on its website. Another is that smartphones might be tracking owner location without their knowledge and consent – which technically is illegal. So I am sure that the majority of businesses will require data privacy insurance in some form or other, but it won’t be easy to commoditise these covers to suit all clients.”

Ben Maidment commented: “The basic elements can be covered by a standard product, but trying to predict where technology is going is hard, and it is equally hard trying to predict where the next attack will emanate from, how it will manifest itself and how insurance should respond.”

Iain Ainslie believes that: “The insurance markets will develop a suite of products to suit the differing needs of clients, dependent on the size and scope of their business operations and where and how their data is held online.”

Strong agreement on insurance trends

A number of common themes emerged from our underwriter interviews:

• There is likely to be a lack of clarity on what cyber liability insurance is, and the current product is likely to change over the next couple of years;
• The majority of companies in the UK and Europe are not currently purchasing this cover, and the need for cover will be driven by new mandatory notification laws;
• Insurers identify cyber as a significant emerging risk sector, and a particularly attractive one as it is short-tail business with massive growth potential;
• Prices are unrealistically low and wordings broad, but until there is more historical claims data available this situation is unlikely to change;
• This is a highly reactive insurance – with insurers providing clients with access to specialist legal advice, best practice risk mitigation guidance, and advisers to help clients minimise the impact of the breach on their customers and ultimately their business. This is a vital selling point of this insurance; and
• There will be some standardised products emerging, but outsourcing, cloud and smartphone technology will raise the stakes in terms of cyber risks. Insurance products will need to keep evolving in line with the risks.
Our Mission
To be the worldwide value and service leader in insurance brokerage and risk management

Our Goal
To be the best place to do business and to work

A division of Lockton Companies LLP. Authorised and regulated by the Financial Services Authority. A Lloyd’s broker. Registered in England & Wales at The St Botolph Building, 138 Houndsditch, London, EC3A 7AG. Company No. OC353198. www.lockton.com