Cyber risks decoded
A report on data risks, the law, risk
mitigation and insurance
February 2012
TABLE OF CONTENTS
EXECUTIVE SUMMARY 01
WHAT ARE THE MAIN CYBER RISKS? 03
WHAT ARE THE COSTS OF CYBER CRIME AND DATA BREACHES? 05
CYBER CRIME EXAMPLES 06
SPOTLIGHT ON RETAILERS – ARE THEY PREPARED? 07
HOW IS THE LAW DEVELOPING? 08
HOW IS THE INSURANCE MARKET RESPONDING TO THE CYBER DATA BREACH CHALLENGE? 10
Cyber risks decoded: A report on data risks, the law and risk mitigation and insurance
EXECUTIVE SUMMARY
Cyber crime is not a fictional concept; it is a very real problem. Last year the cost of global cyber crime was estimated to be USD388bn [1] – with an individual falling victim to a form of online crime every 19 seconds.
In today’s multi-channel, mobile and inter-connected world, every element of society including government, industry,
commerce, charity, health, education and individual citizens is increasingly at risk as more and more sensitive data is stored
on a computer system somewhere in the world. The risks are constantly evolving as technology develops, and they are
likely to become more acute as a new generation of smartphones effectively become mobile wallets, which will place ever
greater volumes of personal and financial data at risk.
To understand these issues better, we interviewed IMRG (the UK’s industry association for global e-retailing), four leading
cyber and data protection underwriters, and members of the Lockton specialist technology and privacy practice in November
and December 2011. We also undertook a variety of desk research. Our goals were to:
• Define the cyber threats to domestic and global businesses
• Quantify the costs of a data breach
• Understand current and future legal requirements
• Outline the insurance solutions available
Threat is growing
Criminals looking to steal and exploit data for financial gain are in an increasingly strong position. Not only do new
technology and growing access to that technology provide ever more opportunity, but governments and private enterprises
are aware that they can no longer keep quiet about data leaks and malicious attacks on their IT systems. While it is good
to keep the public informed, any release of information on the nature and extent of cyber attacks and how to prevent them
also educates the fraudsters and raises the threat level further.
Regulatory change is happening
Regulators across the world are waking up to the fact that changes in data privacy laws are required. The Obama
administration in the USA, and the European Justice Commissioner, Viviane Reding, are both proposing new national and
cross-border data breach notification and data privacy laws. These will have a major impact on companies, forcing them
to notify regulators and consumers every time a data breach occurs, even if no records have been accessed. The EU data
privacy proposals include fines of up to 2% of global annual turnover if a company breaches the proposed data laws, and a
requirement for companies with over 250 employees to appoint a data protection officer, and for all breaches to be reported
to the regulator – ideally within 24 hours.
These regulations present a significant new compliance burden for risk managers.
Cost of data breach is rising
One certainty in this complex and fast moving area is that data breaches are becoming more common and dealing with
them increasingly costly, complex and damaging for the organisation that ‘owns’ the data. Norton’s Cybercrime Report
for 2011 estimates that the cost of stolen cash and the cost of time spent on identifying and resolving data breaches to
businesses and governments is around USD388bn globally.
[1] Norton Cybercrime Report 2011 - http://community.norton.com
Three key causes of loss
As severity and frequency rise, risk managers and finance directors are realising that they need to develop a greater
understanding of how to predict and prevent data breaches. According to NetDiligence’s recent study of cyber and data
breach insurance claims [2] published in June 2011, the reasons for data loss break down into three main areas.
• Hackers and criminals were responsible for 32% of breach events
• Rogue employees were the cause of 19% of data breaches – and the poor economic climate is expected to exacerbate
this problem going forward
• Theft of mobile computer equipment such as laptops and memory sticks carrying unencrypted data was responsible for
33% of breaches
Insurance market is responding
As the frequency and severity of cyber data risk increases, so the insurance world is becoming more concerned about the
financial risks associated with a data breach and cyber crime. There is a growing insurance market for both first and third
party data liability business, and also first party business interruption cover. These products and covers are likely to continue
to develop over the coming years.
London is a pre-eminent market for this business due to high levels of innovation and its ability to provide specialist and
tailored cover. We expect that the introduction of mandatory reporting of data breaches for companies handling EU citizens’
data inside or outside Europe will significantly speed up the rate of new product development in 2012 and beyond.
Data privacy is the top emerging risk for the 21st century
In our opinion data privacy is, and will continue to be, the biggest emerging risk for businesses in the 21st century. Any
company that does not put appropriate risk management and mitigation measures in place to deal with a potential data
breach will suffer significant financial loss and irreversible damage to its brand reputation. However, companies that
do plan for a breach, have robust risk management measures and systems in place and respond in a responsible and
appropriate manner can emerge from a data breach incident relatively unscathed. Insurance can provide essential financial
assistance and access to highly experienced legal, IT forensic and crisis PR advice – which can help companies preserve
reputation and get back to trading as rapidly as possible.
We hope that you find this report informative and interesting. Please contact a member of Lockton’s global technology and
privacy practice if you would like to discuss any of our findings.
Ben Beeson, Partner, Lockton Companies LLP, Global Technology and Privacy Practice
[2] NetDiligence – Study of cyber and data breach insurance claims – June 2011 - http://www.netdiligence.com
WHAT ARE THE MAIN CYBER RISKS?
The connectivity that technology creates brings many business benefits, but
there is a flip side. With the proliferation of mobile devices including Blackberries,
iPhones, smartphones, notebooks and iPads, commercial organisations are
opening themselves up to new and growing threats from the risk of cyber crime
and data loss.
As many entities, including Sony, TJX, T-Mobile and HM Revenue and Customs have discovered, the reality of dealing with an online attack targeting personal details of customers is very expensive and damaging to a brand’s reputation. In this section of the report, we review the various threats facing businesses. We also shine a spotlight on the retail sector and examine how seriously retailers are taking the threats and what steps they are taking to protect their business.

Cyber risk takes many forms – from human error, mischief, revenge, fraud, extortion and espionage through to terrorism.

Human error
The majority of data breaches occur because of human error or a glitch in the system. These errors are often compounded when organisations fail to observe basic security procedures and to encrypt sensitive information. The most common reasons for data going astray are:
• Stolen or lost laptops, data sticks, flash drives, back-up tapes and CD-ROMs carrying unencrypted information
• Emails with sensitive customer data being sent in error
• Databases not being effectively protected
• Loss of unencrypted data in transit from one organisation to another

Theft
Personal and financial data has a value. In these uncertain and tough economic times there has been a significant increase in the number of individuals as well as organised criminal gangs stealing personal data. Some of the theft is achieved through the use of computer viruses and malware – special software designed with the intention of breaching another computer system to allow access to sensitive data.

In 2011, the Data Breach Investigations Report (DBIR [3]) identified the main causes of data theft as follows:
• 92% from external agents (+22% [4])
• 17% from business insiders (-31%)
• 1% from business partners (-10%)
• 9% involved multiple parties (-18%)

The DBIR examined how breaches occurred, discovering that:
• 50% utilised some form of hacking (+10%)
• 49% incorporated malware (+11%)
• 29% involved physical attacks (+14%)
• 17% resulted from privilege misuse (-31%)
• 11% employed social tactics (-17%)

From these statistics it is easy to see that the external risks from professional hackers and criminals are increasing, and that these criminals are becoming increasingly sophisticated in the tactics they are using to steal data.

Spear phishing
If data including email addresses is stolen, there is a danger that the contacts could become the victims of a spear phishing scam. Spear phishers send email purporting to come from a reputable source in order to acquire personal information such as bank details, passwords or user names. Because the email looks genuine, consumers are fooled into giving away personal information which can enable fraudsters to steal their identity and so gain access to their bank accounts, credit or store cards.

There have been a number of high profile hacking cases this year where outsourced data management companies (that manage online marketing for a number of high profile companies such as Marks & Spencer, Hilton Hotels, Marriott Hotels and Play.com) have been targeted and customer email addresses have been stolen, with the intention of using them in spear phishing scams.

[3] 2011 Data Breach Investigations Report produced for Verizon – www.verizonbusiness.com – which uses data from Verizon, the United States Secret Service and the Dutch National High Tech Crime Unit.
[4] (+ / - on 2010 DBIR figures)
Hacktivism
This is a relatively new trend where an organisation’s computer system is hacked into in order to protest or to promote a political viewpoint. This form of hacking is not usually done for any personal gain; instead it is done with an ideological goal in mind and often results in websites being defaced or taken over, email campaigns or anonymous blogging – all of which can be extremely damaging to a corporate reputation.

Denial of service (DoS)
DoS attacks have been in the news this year when the Amazon and PayPal sites, among others, were bombarded with large numbers of site requests at the same time by people protesting about Wikileaks’ founder Julian Assange’s arrest. As a result of the heightened volume of traffic, the system overloads and the site crashes before being taken offline for a number of days until the attack dies down. DoS attacks forced Amazon and PayPal to stop online trading for a time. The attacks created a major disruption to these businesses, damaged consumer trust and harmed their brand’s reputation, negatively affecting their share price.

Cyber-extortion
Sometimes attackers threaten, or carry out, a DoS attack as a means of extortion. These attacks usually do not get reported in the press for fear of the impact on the company’s share price, and also to reduce the potential for copycat attacks. Because these attacks are often kept quiet, the true scale of the problem is hard to assess, but anecdotal evidence would point to this being a growing issue.

Another method is to use a ‘Trojan’ virus to encrypt the target’s data within its computer systems. Once the attacker is in the system and has locked up the target’s data, it is in a powerful position to try and extort money from the company. The attackers tend to operate internationally and use fake email addresses, making identification and arrest very difficult to achieve.

Cloud computing
There is a move for organisations to outsource data storage and related IT services to a third party cloud computing supplier. Not only does this provide access to cheaper, scalable and up-to-date systems, it also enables employees to access the organisation’s computer system remotely via the internet – allowing for flexible and home working. The business benefits are obvious, but there are also significant risks, of which many companies may be unaware.

Working with a cloud provider means that companies are essentially handing over responsibility for all their company data to a third party, whose servers or internet space are often not located in the same country or jurisdiction as their client. Because of the global nature of the internet, many cloud suppliers are unable to clarify where particular data sets are held at any given time, making it difficult or impossible for data owners to ensure that they are compliant with the relevant local legislation. Many of the cloud operators are large international companies and have developed very stringent terms and conditions which indemnify the provider against the majority of liabilities associated with data loss or a data breach from their system.

Emerging themes
Our research shows that there are a number of commonalities between data breach incidents, and that many systems are easy to breach. Breaches are often discovered by third parties, not the data owner, suggesting that online security and risk management controls are often inadequate.
WHAT ARE THE COSTS OF CYBER CRIME AND DATA BREACHES?
There are laws in place in the majority of states in the USA and some parts of
Europe which force companies to notify their customers of a data breach. The
cost of dealing with a data breach is significantly more expensive in countries
which have mandatory client notification, and this appears to be the way in
which most regulators are heading (for more information on this see the law
section of this report). Using the USA as a benchmark gives us a good indication
of the likely costs of a data breach in other countries in the future.
The two charts below clearly show the impact that mandatory notification legislation has in terms of cost
and lost business.
USA data breach costs
USA data breach cost with mandatory client notification law [6]. All costs in the table below are in USD and are per record breached.

                            2008   2009   2010
Detection and escalation       8      8     13
Notification                  15     15     15
Response                      39     46     51
Lost business                139    135    134
Total                        202    204    214

Average cost to the organisation: USD7.2m

The USA figures are particularly high because 46 out of 50 states have compulsory notification laws in place.

UK data breach costs
In the UK, where notification is not currently mandatory, the costs of a data breach are currently much lower. In the 2010 Annual Study into the cost of UK data breaches, the Ponemon Institute assessed the cost of UK data breaches involving the loss of between 6,900 and 72,000 records. It found that the average cost per record had increased from GBP65.00 in 2009 to GBP71.00 in 2010.

UK data breach cost with voluntary client notification [7]. All costs in the table below are in GBP and are per record breached.

                            2008   2009   2010
Detection and escalation      11     12     14
Notification                   3      7      6
Response                      14     17     17
Lost business                 32     29     34
Total                         60     65     71

Average cost to the organisation: GBP1.9m

[6] 2010 Annual Study – U.S. Cost of a Data Breach – www.symantec.com www.ponemon.org
[7] 2010 Annual Study – UK Cost of a Data Breach – www.symantec.com www.ponemon.org [UK figures – updated 20th February 2012]
CYBER CRIME EXAMPLES
Sony Corporation
Earlier this year the Sony Corporation discovered that 77 million PlayStation
network and Qriocity user names, email addresses, phone numbers and –
reportedly – credit card details had been maliciously breached. The first breach
was followed shortly after by a second breach of the personal details of its 24.6
million Sony Online Entertainment customers.
The breaches resulted in a 23-day closure of the PlayStation online network, and
Sony has suffered significant financial loss, estimated at USD171m.
This estimated cost does not include any lawsuits that Sony will have to defend as
a result of class actions being filed against the Corporation by affected
customers. The costs do, however, include the cost of notifying and assisting
customers, IT forensic costs and system overhaul, as well as reputation
management. The Sony brand and share price took a significant battering,
dropping 55% in just four months as a result of the breach and resulting
negative publicity.
- Estimated financial loss: USD171m
- 55% drop in share value in four months post the breach
- 23-day shut down of the PlayStation online network
TJX Companies
Another high profile and costly case was TJX Companies, the parent company
for TJ Maxx in the USA and TK Maxx in the UK. In 2007, the company discovered
that it had been using an unsecured wireless network for around 18 months and
during this time a hacker with a laptop and antenna accessed over 45.5 million
credit and debit card numbers and the personal data of 451,000 shoppers who
had returned goods.
The cost of client notification, IT system overhaul, business interruption, fines,
credit card repayments and legal costs is estimated to have been over USD1bn.
TJX learned a hard lesson, that cyber security and robust protection of customer
data is critical in today’s technological trading environment.
- Estimated financial loss: USD1bn
- Number of records accessed: 45.5 million
SPOTLIGHT ON RETAILERS – ARE THEY PREPARED?
The majority of retailers are looking to expand their business via multi-channel
retailing – using a combination of physical and ‘virtual’ shops, retail websites,
smartphone apps and mail order as channels to market. With this in mind we
asked Andrew McClelland, Chief Operations & Policy Officer, IMRG – the UK’s
industry association for global e-retailing – to give us an industry perspective on
the cyber risks facing retailers and the key drivers for change.
Are retailers taking data breach risks seriously?
It is only a matter of time before a major UK retailer suffers a serious data
breach. DoS attacks, data compromises and cyber-extortion attempts do happen,
so the challenge for retailers is ensuring that they have processes and systems in
place to counter the risk.
Given the current economic climate, data protection is not as high up the
corporate risk agenda as it should be. Most retailers’ senior management are
focused on their bottom line and shareholder confidence, and they assume the IT
and risk management team are up to speed on data protection measures.
However, the IT teams are under pressure to reduce costs and to develop
existing and new retail channels, so their budgets are being squeezed and as a
result the latest security measures are unfortunately not always a priority.
Andrew McClelland, Chief Operations & Policy Officer, IMRG

It will take a major incident to force boards to concentrate, because this would
undoubtedly lead to a fall in consumer trust in online retailing. This would alarm
shareholders and senior managers and make cyber risk an agenda item at
board meetings.
How should retailers respond to a breach?
In a data breach situation companies need to have well-rehearsed plans that
immediately swing into action. The retailer needs to communicate with affected
customers providing help lines, credit checks and the reassurance that they have
the situation in hand. An IT system audit should be immediately undertaken, by
external specialists if necessary, to identify the source of the problem and how
to plug it.
What tends to happen if there is no contingency plan is that there is an
information vacuum, which then creates negative media coverage and unhappy
customers. The result is a loss of customer confidence, brand damage and a
possible hit to a company’s share price and profitability. However, evidence exists
which shows that companies that handle a data breach efficiently and effectively,
taking proactive measures to inform and support customers, can emerge
with an enhanced brand reputation and a more loyal customer base than
before the breach.
Do most retailers take out cyber data liability insurance?
Insurance is not yet seen as a critical priority unless retailers have already
suffered a cyber attack. However, I anticipate that this situation may be about
to change as legislation across the EU is moving towards mandatory client
notification, as has been the case in the majority of the states in the USA for
several years.
HOW IS THE LAW DEVELOPING?
Data protection and privacy laws vary by country and are very complex. With the
increase in the number and value of data breach incidents, regulators across
Europe and in the USA are currently reviewing how legislation can be used to
force organisations to better protect sensitive data. However, what is
increasingly clear is that there is not going to be a single, global ‘one size fits all’
solution. The result is a headache for international companies trying to comply
with or anticipate the law, and for risk managers trying to advise on best practice
and monitor global compliance.
Europe
The European Union’s data protection laws were formed in 1995, and it is recognised that they urgently require updating. Currently, data privacy laws are made at a state level, which has resulted in a variety of different rules applying across the EU’s 27 member states. Viviane Reding, EU Justice Commissioner, has just published her proposals for a new directive and regulations for data privacy, which will apply to any company handling EU citizens’ data inside or outside of Europe. The aim of the regulations is to tighten the rules and create a harmonisation of privacy laws across Europe, simplifying the current situation. The rules need to be approved by the EU member states and ratified by the European Parliament before they can come into effect, a process which could take two to three years, during which time they may be subject to amendment. The current proposal includes the following measures:
• A fine of up to 2% of global annual turnover if companies breach proposed EU data laws.
• A fine of up to 0.5% of global turnover for companies that charge a user for a data request.
• A fine of 1% of global turnover if a company refuses to hand over data or fails to correct wrong information.
• Administrative sanctions of up to €1m for individuals.
• The right for users to be “forgotten” and their personal information deleted if there are no “legitimate grounds” for it to be kept.
• An obligation on organisations to report data breaches to the regulator “as soon as possible” – ideally within 24 hours.
• An obligation, where the breach is likely to have an adverse impact, to notify customers “without undue delay”.
• A right for individuals to take companies to court that fail to comply with the new directive.
• A requirement that organisations explicitly ask for permission to process data, rather than assume it.
• Companies with 250 or more employees will have to appoint a data protection officer.
• Companies handling EU personal data that do not have a presence in the EU will have to establish an EU representative in a member state where their customers live.

These proposed new regulations follow on from the Data Breach Notification (DBN) requirement of the E-Privacy Directive 2002/58/EC, introduced in May 2011, which obliges Internet Service Providers (ISPs) and telecom companies to notify both the authorities and individuals potentially affected if a breach occurs. The consultation process has provided ISPs and telecoms companies with the opportunity to provide feedback on existing practices and the impact of the new rules. The EU is now considering how organisations intend to comply with the requirement to notify, and what type of breaches should require notification. It also wants to find out more about cross-border breaches and compliance obligations.

Individual European countries have also introduced their own regulations, and these vary country by country. For example, Germany, Austria and Norway now have national laws which require mandatory notification of data breaches. The UK and Ireland have codes of practice on personal data security breaches, but no mandatory client notification, and Finland and the Netherlands are pushing to have mandatory notification laws in place. Cyprus, the Czech Republic, Estonia, Sweden and Hungary have laws which imply a duty to notify, but which is not mandatory.
In the UK, the Information Commissioner’s Office (ICO) expects organisations to report all serious data breaches to it. The ICO also requires organisations which process personal data to take strict protective and precautionary security measures and, if these measures are found wanting, the ICO has the power to impose fines of up to £500,000 for data loss.

The Financial Services Authority (FSA) also has the power to issue fines (which have been known to run into millions of pounds) on any financial services company that has been deemed to have put customers’ data at risk.

USA
In the USA there is no single law covering data privacy – but the Obama administration has recently announced support for a federal privacy and national data breach notification law. Currently, laws and regulations vary by state. The vast majority (46) of states have laws which impose mandatory data breach notifications on organisations.

Most state notification laws are based on the California Security Breach Notification Act, which came into force in 2007. It makes breach notification mandatory to all customers residing in California affected by the breach. Some states require notification where data is breached, whereas others require notification only if there is potential for harm to come to the individual due to the breach – for example via identity theft. USA law also states that the responsibility for protecting sensitive data lies with the data owner.
HOW IS THE INSURANCE MARKET RESPONDING TO THE CYBER DATA BREACH CHALLENGE?
To understand how the insurance market is responding to cyber liability and data
breach risks, we interviewed four leading specialist cyber and technology
underwriters to garner their views on the current market and insurance options,
the main drivers for change and the potential for this cover in the future.
The underwriters interviewed are operating in the London market, but write USA and international business. They are:
• Malcolm Randles – Underwriter at Kiln Enterprise Risks 510, RJ Kiln & Co Limited
• Ben Maidment – Underwriter, North American PI, Professional Risks Division, Global Markets Team, Brit Insurance
• Paul Bantick – Underwriter, Professional Liability, Speciality Lines, Beazley
• Iain Ainslie – Underwriter, Technology and Cyber Liability, Ace Group
What is cyber liability insurance?
Products cover a wide range of first and third party risks, and wordings are currently very broad.
Companies need to ensure that wordings are adapted to suit their business and the geographies in which
they operate – for example liability cover is currently much more important in the USA where notification
is mandatory.
“If you asked ten different people you would probably get ten different answers as to what is cyber insurance,”
commented Ben Maidment. “I think the term cyber liability is to some extent out-dated – and it is now more accurately
called data security or privacy liability insurance. The trouble with the cyber tag is that it implies that only losses
sustained as a result of a hacker attack, virus infection or other electronic means are covered – but today’s policies cover
much more than that.”
Iain Ainslie agrees: “The liability name is not really accurate as most of the immediate costs can be triggered without the
need for any specific legal action. Currently without mandatory notification regulations in the UK and most of Europe,
companies are not required by law to inform customers of a breach, so it is important that any cover purchased in the
UK and Europe includes voluntary notification wording.”
Malcolm Randles believes that: “Essentially cyber liability insurance covers two areas and there are two products. One
addresses data protection risks both first and third party. The other product covers first party business interruption. The
first party data protection provides financial cover for notification costs, IT forensic auditing and crisis PR assistance and
brand management. The third party liability cover is for privacy and security liability – and this is especially relevant in
the USA where there is a risk of class action lawsuits following a high profile data breach, but it is not so relevant for
companies in the UK and Europe right now.”
What are the key elements of a loss that clients are looking to cover?
All the underwriters agree that brand reputation is a key element of cyber cover, and that being able
to access the appropriate legal and PR advice immediately after a breach can be critical. Offering
these services is a win-win for both the client and the insurer – as if a breach is handled promptly and
appropriately, the regulator is less likely to take action.
Ben Maidment commented: “In the USA, data security cover is progressively becoming a much easier sell, and this has
mainly been driven by the introduction of mandatory data breach notification laws across nearly all states along with a
number of high profile breach events, such as that suffered by Sony. Risk managers have recognised the potentially huge
cost to their business that data breach events present and the value of purchasing insurance for such a scenario, not
solely for the risk transfer but also to access insurers’ specific expertise and specialist vendor relationships to respond to
breach events quickly and cost effectively. However in Europe, where no mandatory obligation to notify currently exists,
this is the harder cover to sell with perhaps a greater interest in business interruption risk.”
“We have learnt a lot from the USA. Most clients want insurance to cover the costs of responding to a breach, and the
expertise that comes with that as opposed to specific business interruption cover. So primarily we view this product as
breach response privacy cover,” commented Paul Bantick.
“In the UK and Europe the main issues are client notification and brand management, and being able to respond to a
breach in the appropriate manner. Currently approximately 50% of breaches are due to a lost laptop with unencrypted
data on it – or a rogue employee stealing data – and not a malicious hacker. The product in the UK and Europe focuses
mainly on client notification costs, and brand reputation PR specialists. In the USA one of the costs covered is credit
monitoring services, but this cannot be offered in the UK or Europe currently although other services are available,”
added Paul.
What is the current state of the cyber liability market at the moment, and are prices realistic?
London and Lloyd’s are leading markets for this form of insurance, and at the moment there is ample
capacity, as it is viewed as an attractive proposition by insurers. However, this capacity will be tested as
laws in Europe change and the risk environment is transformed. In addition, there are likely to be changes
to wordings and pricing in the future as the claims history builds and underwriters become more selective.
Malcolm Randles observes: “London and in particular Lloyd’s is a leading market for cyber data privacy insurance, and
there is currently ample capacity. It would be possible to put together a programme with USD100-150m limit, but
currently no one in Europe is buying this level of cover.”
Ben Maidment commented: “There are significant levels of capacity at present, with most currently covering risks
emanating from the USA, where the lion’s share of demand for the coverage is coming from. If, however, the EU brings
in the mandatory notification regulations which are proposed, then demand for coverage in Europe will rise and potentially
more capacity will be required. With respect to pricing, it is very hard to say whether current pricing levels are realistic.
This being a relatively new line of coverage, premiums are very much market driven, and only as the market matures
will they prove to be adequate or otherwise, as insurers understand more about the nature and size of claims to expect.
My personal opinion is that insurers are currently underpricing the exposure presented, as a reflection of the prevailing
market conditions and as they seek to build market share in a growing market; I would anticipate that in the medium to
long term prices will rise.”
Paul Bantick added: “This form of insurance is viewed as an exciting emerging risk class, as it is attractive in offering a
potential new source of short-tail business. However, I think that many have wordings that have jumped the gun, and
these could get scaled back as losses emerge. In terms of pricing, rates are aggressive, but that is not surprising as
rates across most lines are soft and there is plenty of competition for this business. However, as breaches become more
public, and the rating cycle changes, prices will undoubtedly go up and underwriters will be more selective over the
business they write.”
“I think that Lloyd’s will eventually play a bigger role in this market and a more standardised wording will be developed.
As more claims come through there is no doubt that actuaries will start to take more interest in this cover, and prices are
likely to stabilise in time,” concluded Iain Ainslie.
What defines a good risk?
Risk management is key, and insurers like to see evidence that it is a board level responsibility. In many
companies, responsibility for data protection is devolved to the IT department, which focuses only on the
technological aspects of the risk and not on brand reputation or the potential financial impact. Companies
that take data security seriously and plan and prepare for a data breach or cyber attack are far more likely
to get insurance cover than those that don’t. Insurers are wary of companies that see insurance as a
financial backstop.
Malcolm Randles commented: “What we look for is a company that takes data breach and cyber risks seriously, where
the board is engaged and there is good management of IT security. It will depend on the client, but our approach and
information requirement can get quite granular. Ultimately, what we want to see is that the company has the appropriate
risk management procedures to deal with that particular sector’s risks and regulatory requirements. We look at all
aspects – kick the tyres and lift the engine hood – when assessing if we want to take a risk on or not.”
“A good risk to us is one where the client is only looking to cover the residual exposure that remains after the client
has invested in sophisticated IT security, has comprehensive risk management procedures and a strong compliance
culture. A bad risk is a client that is looking for their insurance policy to replace making the required investment in risk
management, compliance and IT security to mitigate the risk effectively at the front end,” observed Ben Maidment.
Iain Ainslie agrees: “We want to be reassured that there is a strong compliance culture that runs right through our
clients’ organisations. All employees need to be aware of the risk as human error still plays a big role in most breaches,
so ownership by key stakeholders is vital. We also like to see evidence that the IT department is sophisticated and
switched on. For example, sophisticated hackers know that Microsoft releases its anti-virus patches on Tuesday evenings
– so the hackers work over Tuesday night to amend their viruses to work around the new patches.”
What trends are you experiencing?
We are seeing more enquiries across the board – from retailers to health companies and financial
institutions. In addition, new technologies such as smartphones, cloud computing and other developments
are creating new risks.
Malcolm Randles commented: “Outsourcing continues to be a major driver for cover, and it is vital that clients do their
due diligence when signing up to an outsourced data handler or supplier. Terms and conditions with these companies
need to be carefully checked to ensure where the liability lies should something go wrong. Also it is prudent to check
in which jurisdiction the data will be held, and what laws apply and also that your customers have given permission for
their personal data to be shared with another supplier.”
“The talk at the moment is about the cloud, and it is something we are monitoring closely,” commented Ben Maidment.
“The potential for the cloud is huge, but so are the risks inherent with it, particularly in relation to data privacy and
loss aggregation. Another issue is the jurisdictional element, which is difficult to handle from both a legal and risk
perspective,” added Ben.
Paul Bantick said: “With an increasing number of high profile data breaches hitting the headlines, we are seeing more
interest from retailers, health companies and financial institutions. However, if the USA is anything to go by, the biggest
driver for cover will likely be mandatory notification and regulation.”
What will be the main driver for coverage in the UK and Europe?
A range of developments is driving the growth of covers in the UK and Europe, including: recent
high profile data breaches, government cyber attack strategies, proposed EU-wide mandatory client
notification laws, fines, and the increasing sophistication of hackers.
Regulation has been a major driver in the USA, but in Europe it has been much harder to get all the EU countries to
agree on a cross-border solution. With the new EU privacy proposals this situation is likely to change, and greater
harmonisation of rules is the aim. In the UK, for the time being, the Information Commissioner will continue to focus on
using punitive measures, while Germany already has tough privacy/data protection laws. The move to make
notification mandatory for ISPs and telecoms companies has driven enquiries for cover and raised awareness of these insurance
solutions with risk managers. However, the damage to brand reputation, especially for brands with a retail presence, is also
pushing cyber security up the risk management agenda.
Ben Maidment commented: “In the USA, the Obama administration is mooting the idea of a single, consolidated federal
breach notification standard, and now draft regulation has been tabled in Europe along the same lines, incorporating
mandatory notification. However, I would anticipate it will be a couple of years before it is passed in Europe and
becomes binding upon Member States. There will certainly be some opposition from individual governments, including
the UK, to the inclusion of the breach notification provisions in their current form, with the feeling that it is overly
onerous upon businesses and could potentially lead to ‘notification fatigue’ among consumers. Additionally, the UK
already takes a punitive approach to try and deter poor data management. The Information Commissioner can fine
companies up to £500,000, while the FSA has shown it takes data protection in the financial services industry very
seriously, with significant fines levied on Nationwide, HSBC and Zurich Insurance amongst others for poor data security.”
Paul Bantick added: “There is no doubt regulation, PR and knowing what to do in the event of a breach are the
major drivers to purchase this form of cover. The other key success element to this product is offering full service
risk management advice, access to specialist legal advice and forensics – as this is key to knowing how and when to
effectively respond to a breach.”
How do you think demand for cover will increase over the next three years?
It is anticipated that demand for cover in the UK and Europe will grow significantly over the next few
years. There is already an increase in enquiries from retailers, financial institutions and healthcare
companies. With smartphone technology and online retailing moving at such a pace, the risks are only
set to increase. In addition, there is a move by the Securities and Exchange Commission in the USA to insist
that all companies list all data breaches in their annual report, which could have legal implications for the
board if data breaches have not been dealt with in the appropriate manner.
Malcolm Randles said: “Demand will undoubtedly continue to grow, particularly for the retail sector. There are so many
mind-blowing technological developments taking place. In Korea, Tesco is trialling virtual shops in train stations where
consumers use their smartphones to scan virtual shelves, order and pay for goods which are then delivered to their
home at a convenient time. This move to mobile technology and mobile payment opens up an increasing array of cyber
risks, and brands are beginning to get their head around the financial implications to their business.”
Ben Maidment commented: “In the USA we are seeing an uptick in enquiries from the healthcare sector. In the UK and
Europe, retailers, telecoms companies and financial service providers appear to be the biggest buyers of this cover at
the moment. The market is undoubtedly set to grow over the next three years, though the speed of change will likely be
driven by regulation and whether the proliferation of high profile breaches and loss activity continues at the same pace
as we have seen in the recent past.”
“The cyber insurance market in the USA has gone in six years from being unknown to the fastest growing insurance
product,” commented Paul Bantick. “So when the law across the USA and Europe changes, the demand for cover
will increase dramatically. We are also experiencing interest in this cover in Latin and Central America – due to new
legislation in Brazil and Mexico’s proximity to the USA,” concluded Paul.
Iain Ainslie added: “I anticipate that mandatory notification will be law across all the states in the USA and across the UK
and Europe within the next few years – and there is no doubt that this will drive an increase in sales of this product.”
How do you see the cyber insurance products developing over the next few years?
It is likely that data protection and business interruption cyber covers will develop as two different
products. It is also probable that wordings will be reviewed, and will become more tailored so that there
is a clearer distinction between E&O and cyber risk. Underwriters are likely to take a tougher stance over
risk selection, but ultimately this insurance cover will go from being a ‘could have cover’ to a ‘should have
cover’.
Malcolm Randles agrees: “I think that the split between data protection and business interruption will continue
to become more defined, and the products will probably be more tailored for industry sectors and their specific
requirements. Lloyd’s and the London market have a unique flexibility to differentiate products, and I think they will
continue to lead the international market in this respect. Increasingly, underwriters are including harsher exclusions, and
in particular they are starting to take a lack of encryption on systems very seriously.”
Ben Maidment comments: “The business interruption element of the product has not been sold very successfully up
to now and we either need to demonstrate the value of the coverage in its present form more effectively or make the
products more attractive by talking to clients and understanding their needs better than we are currently. Also, clients
and underwriters are only just getting their heads around the potential and the risks involved in the ever-increasing use
of and reliance upon smartphones and mobile technology. There is no doubt that mobile technology is here to stay and
this creates a number of fundamental risks which insurers must understand and address.”
Paul Bantick said: “I think wordings will be the major element to change. There also needs to be a clearer definition as
to why stand alone cyber cover is required – as some clients seem to think that their property or E&O cover will cover
them for these risks – which is not really the case, but better clarity of cover overlap is required.”
Will there be standardised products that all businesses will buy in the future?
Due to the nature of technology risks, it is unlikely that products will be fully standardised. A lot will
depend on the nature and size of the company, the sophistication of its risk management and its risk
appetite. For smaller companies, there is likely to be some form of commoditisation of these products,
but for larger international companies this is not likely to be the case. Instead it is likely that a suite of
products will be produced with flexible wordings instead of a one size fits all product.
Malcolm Randles thinks: “There will be more standardised products emerging for small to medium-sized companies, but
the pace and scale of change means a one size fits all approach will not suit the majority of our clients. An example of
this is that cookies and super cookies might be breaching some privacy laws if the cookie owner does not indemnify itself
in the wording on its website. Another is that smartphones might be tracking owner location without their knowledge and
consent – which technically is illegal. So I am sure that the majority of businesses will require data privacy insurance in
some form or other, but it won’t be easy to commoditise these covers to suit all clients.”
Ben Maidment commented: “The basic elements can be covered by a standard product, but trying to predict where
technology is going is hard, and it is equally hard trying to predict where the next attack will emanate from, how it will
manifest itself and how insurance should respond.”
Iain Ainslie believes that: “The insurance markets will develop a suite of products to suit the differing needs of clients
dependent on the size and scope of their business operations and where and how their data is held online.”
Strong agreement on insurance trends
A number of common themes emerged from our underwriter interviews:
• There is a lack of clarity on what cyber liability insurance is, and the current product is likely to change
over the next couple of years;
• The majority of companies in the UK and Europe are not currently purchasing this cover, and the need for cover will
be driven by new mandatory notification laws;
• Insurers identify cyber as a significant emerging risk sector and a particularly attractive one, as it is short-tail
business with massive growth potential;
• Prices are unrealistically low and wordings broad, but until more historical claims data is available this situation
is unlikely to change;
• This is a highly reactive insurance – with insurers providing clients with access to specialist legal advice, best
practice risk mitigation guidance, and advisers to help clients minimise the impact of a breach on their customers
and ultimately their business. This is a vital selling point of this insurance; and
• Some standardised products will emerge, but outsourcing, cloud and smartphone technology will raise the
stakes in terms of cyber risks. Insurance products will need to keep evolving in line with the risks.
Our Mission
To be the worldwide value and service leader in insurance brokerage and risk management
Our Goal
To be the best place to do business and to work
A division of Lockton Companies LLP. Authorised and regulated by the Financial Services Authority.
A Lloyd’s broker Registered in England & Wales at The St Botolph Building, 138 Houndsditch, London, EC3A 7AG.
Company No. OC353198
www.lockton.com