
Data & Cyber Risks

big data


Introduction

“The biggest threat to our economy”

Politicians have signalled that they believe the law needs an overhaul following a recent cyber-attack at telecom firm TalkTalk.

Former home office minister Hazel Blears described the TalkTalk data breach as “a wake-up call” that should prompt a debate about whether further regulation was needed, suggesting cyber crime was “probably the biggest threat to our economy”.

Cyber security and information protection can be challenging for companies of all sizes. Hackers are not the only threat – today’s businesses rely on the internet for services such as online marketing, administrative functions, credit card processing and distribution controls. Any intrusion that disrupts delivery of these services can lead to brand and reputation damage, regulatory scrutiny, stakeholder dissatisfaction, and financial losses.

W Denis can help. We offer a range of risk management and risk transfer solutions that will enable you to assess, manage, and respond effectively to the cyber threats that your organisation faces.

Data & cyber risks – the facts (page 2)
Cyber and data insurance (page 3)
General data protection regulation (page 5)
What can a cyber policy insure? (page 6)
Claim scenarios (page 9)
Quotation procedure (page 11)


Data & cyber risks – the facts

Data privacy and protection are key cyber risks and related legislation is set to toughen globally. More notifications of, and significant fines for, data breaches can be expected in the future. Legislation has already become much tougher in the US, Hong Kong, Singapore and Australia, while the European Union is looking to agree pan-European data protection rules. Tougher guidelines on a country-by-country basis can be expected.

The risks of business interruption (BI), intellectual property theft and cyber-extortion – both for financial and non-financial gain – are increasing. BI costs could equal or even exceed the direct losses from a data breach.

Attacks by hackers dominate the headlines but there are many “gateways” through which a business can be impacted by cyber risk. The impact of BI being triggered by technical failure is frequently underestimated compared with cyber-attacks.

The vulnerability of industrial control systems (ICS) to attack poses a significant threat. To date, there have been accounts of centrifuges and power plants being manipulated. However, the damage could be much higher from security-sensitive facilities such as nuclear power plants, laboratories, water suppliers or large hospitals.

Top Business Risks 2015

Rank  Risk                                                                 2015  2014 rank (2014 %)
1     Business interruption and supply chain                               46%   1 (43%)
2     Natural catastrophes                                                 30%   2 (33%)
3     Fire/explosion                                                       27%   3 (24%)
4     Changes in legislation and regulation                                18%   4 (21%)
5     Cyber crime, IT failures, espionage, data breaches                   17%   8 (12%)
6     Loss of reputation or brand value (e.g. from social media)           16%   6 (15%)
7     Market stagnation or decline                                         15%   5 (19%)
8     Intensified competition                                              13%   7 (14%)
9     Political/social upheaval, war                                       11%   18 (4%)
10    Theft, fraud, corruption                                             9%    9 (10%)
11    Quality deficiencies, serial defects                                 8%    10 (10%)
12    Market fluctuations (e.g. foreign exchange rates or interest rates)  7%    11 (8%)
13    Talent shortage, aging workforce                                     7%    16 (6%)
14    Commodity price increases                                            6%    13 (7%)
15    Climate change/increasing volatility of weather                      6%    23 (3%)
16    Credit availability                                                  6%    15 (6%)
17    Austerity programs                                                   5%    12 (7%)
18    Pollution                                                            4%    17 (5%)
19    Technological innovation (e.g. 3D printing, nanotechnology)          3%    14 (7%)
20    Terrorism                                                            3%    22 (3%)
21    Inflation                                                            3%    24 (2%)
22    Power blackouts                                                      2%    19 (3%)
23    Health issues (e.g. pandemics)                                       2%    20 (3%)
24    Protectionism                                                        2%    25 (1%)
25    Euro-zone disintegration                                             2%    21 (3%)
26    Deflation                                                            1%    26 (1%)

Source: Allianz Risk Pulse, Allianz Risk Barometer 2015 Appendix

The fourth annual Allianz Risk Barometer was conducted among both global businesses and risk consultants, underwriters, senior managers and claims experts in the corporate insurance segment of both Allianz Global Corporate & Specialty (AGCS) and local Allianz entities. Figures represent the number of responses as a percentage of all survey responses (709). More than one risk could be selected by respondents.

“Cyber and data insurance is needed by any company which possesses or uses data, the internet and telephone systems.”

Cyber & data insurance

We don’t need it as we’re not a technology company
Wrong – Cyber & data insurance is needed by any company which possesses or uses data, the internet and telephone systems.

Premiums can be expensive
Wrong – For small businesses the premiums start from £100 per year plus tax.

We don’t need it as we don’t trade over the internet
Wrong – Cover can insure a range of exposures including fraudulent billing (e.g. fraudsters purporting to be your supplier and hacking systems/information in order to deceive your staff into settling invoices to bogus accounts).

Cover is limited
Wrong – Options can be available for a ‘pre-set’ range of covers or alternatively, particularly for larger companies, bespoke policies can be arranged. Cyber insurance has evolved over the last 10 years and a wide range of exposures can now be insured which previously were uninsurable.

In the UK the limits sought are usually in the £5 million to £10 million range; with excess layer support, limits up to £100 million and higher are available in the London market.

For businesses with USA exposures, higher limits are more common due to the more onerous data protection laws in America. Insurers are already providing capacity to fulfil the requirements of companies in the USA, which at the upper end are buying cyber limits in the $200 million to $300 million range.

Cyber crime is over-rated
Wrong – The costs to the UK economy alone are huge, with a recent estimate in excess of $4.3 billion per annum. This includes:
- intellectual property theft
- industrial espionage
- extortion costs
- direct online theft costs
- theft of customer data

The annual global cost of cyber crime is estimated in the region of $250 billion across the world’s 10 largest economies.

Few insurers provide cyber cover
Wrong – There is a growing insurance market that is responding to demand. A range of insurers are aiming to write cyber insurance for small businesses (under £10m turnover). Several insurers are active in the mid-market. At the high end, a new consortium of underwriters recently launched a facility in London to insure the cyber exposures of global businesses (with revenue exceeding $5 billion).

There is no legal or regulatory requirement for cyber insurance so I don’t need it
Wrong – Governments are reviewing the growing problem of data theft and cyber crime. See next page regarding EU General Data Protection Regulations.

Since 2005 there have been 5,029 reported data breach incidents in the US, where organisations must report data breaches to regulators, involving more than 675 million estimated records, according to the Identity Theft Resource Center.

Statistics outside the US are patchy. However, there have been at least 200 breaches in Europe involving 227 million records since 2005, according to an estimate by the Center for Media, Data and Society at the Central European University.

Some of the largest breaches include the likes of US retailers Target and Home Depot, health insurer Anthem, entertainment and electronics firm Sony and investment bank JP Morgan Chase.

The Target data breach in 2014, in which the personal details of some 70 million people may have been compromised, was one of the largest in history. It has been reported that it has cost the company well in excess of $100m, not including the damage to its reputation and loss of business, and was followed by the company’s chief executive leaving his post.

How much does cyber-crime cost the world’s leading 10 economies?

This AGCS atlas examines the estimated total cost to the global economy from cyber-crime per year, with a particular focus on the impact on the world’s top 10 economies, according to GDP.

Ranking by estimated annual cyber-crime cost:
1. US $108bn
2. China $60bn
3. Germany $59bn
4. Brazil $7.7bn
5. UK $4.3bn
6. India $4bn
7. France $3bn
8. Russia $2bn
9. Japan $980m
10. Italy $900m

Ranking by GDP (1), with cyber-crime as a % of GDP (2) and estimated cost (3):

Rank  Country  GDP       Cyber-crime as % of GDP  Estimated cost
1     US       $16.8trn  0.64%                    $108bn
2     China    $9.5trn   0.63%                    $60bn
3     Japan    $4.9trn   0.02%                    $980m
4     Germany  $3.7trn   1.60%                    $59bn
5     France   $2.8trn   0.11%                    $3bn
6     UK       $2.7trn   0.16%                    $4.3bn
7     Brazil   $2.4trn   0.32%                    $7.7bn
8     Russia   $2.1trn   0.10%                    $2bn
9     Italy    $2.1trn   0.04%                    $900m
10    India    $1.9trn   0.21%                    $4bn

Sources: (1) World Bank (2013); (2) Net Losses: Estimating the Global Cost of Cyber-Crime, CSIS/McAfee; (3) Allianz Global Corporate & Speciality. Rankings according to cyber-crime costs.

Key figures:
$445bn – annual cost to the global economy (CSIS/McAfee)
$250bn – cost of cyber-crime to the world’s 10 leading economies
$200bn+ – annual cost to the top four economies
50%+ – top 10 economies share of annual

General data protection regulation

The European Union is working on new legislation that could have serious ramifications. It is intended to be a wide cast net and will apply to any “data controller”, which is summarised as follows:

- Data controllers and processors to implement appropriate measures to ensure a level of security appropriate to the risk presented and the nature of personal data protected
- To notify the “supervising authority” without undue delay and where feasible not later than 24 hours after becoming aware of a personal data breach
- Data subjects have the right to have data erased where no longer considered necessary in the purpose for which it was collected
- Provides for private rights of action for damage suffered as a result of unlawful processing of data or an action inconsistent with th

These new EU regulations are expected to be finalised in the latter part of 2015. Penalties – the current proposals set out a three-tiered system, with the most serious breaches resulting in fines of up to €1m ($1.1m) or 2% of worldwide annual turnover. Compensation may also be payable to individual(s) who have suffered loss as a result of any data breach.

In the USA there are already strict regulations and penalties related to the management of data.

The Personal Data Protection Act (PDPA), introduced in 2014, is the first privacy-specific legislation in Singapore, and aims to provide transparency in relation to the use of individuals’ personal data. PDPA investigations are now underway following unrelated breaches at a telecoms company and a karaoke company, in which customers’ personal data was accessed and/or leaked by hackers. The PDPA introduced fines of up to $1m per breach.

In Australia, a number of high profile cyber breaches, coupled with an estimated 20% increase in cyber-attacks on businesses in 2014, have led to the Australian Privacy Commissioner and other regulatory authorities including the Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC) focusing on the regulation of personal information and security of online business platforms. Legislation requiring mandatory reporting of serious data breaches is likely to be enacted in the next year, and thereafter increased levels of reported breaches and fallout regulatory sanction are expected.

What can a cyber policy insure?

Potential risk scenarios from cyber attacks or incidents:
- Critical data is lost
- Customers may be lost and business interrupted
- Property damage
- Theft
- Adverse media coverage/damage to reputation/lower market share – 71% of customers said they would leave an organisation after a data breach
- Regulatory actions and associated fines and penalties
- Profits impacted/value of shares may fall
- Loss of trade secrets/confidential information
- Extortion
- Breach of contract
- Product recall
- Notification costs and other response costs, i.e. forensic
- Network security liability
- Directors’ and officers’ liability

“The annual global cost of cyber crime is estimated in the region of $250 billion across the world’s 10 largest economies.”

What can a cyber policy insure?

Cyber loss or damage

Restoration of the insured’s network and data following unauthorised access, computer virus, denial of service attack or operational error.

Adulteration and contamination of stock

Stock damage cover if goods are stored in a temperature controlled environment as a result of unauthorised access, computer virus or a denial of service attack to the insured’s network.

Business interruption or extra expense

Loss of income or extra expense following unauthorised access, operational error, computer virus or denial of service attack to the insured’s network.

Cyber theft

Loss of or alteration to the insured’s money or securities (for instance, an internet-driven phishing scam against the insured’s network).

Loss of the insured’s goods due to unauthorised delivery of goods.

All of the above where due to the transmission of information through or to the insured’s network and created by an external source.

Cyber media liability

Defamation and disparagement.

Infringement of copyright, trademark and publicity rights.

Privacy liability

Violation of a person’s rights of privacy or publicity – administrative or regulatory proceedings.

Disclosure of non-public personal information.

Failure to provide notice of a potential disclosure of information, whether it was originally stored on the insured’s network or with a third-party custodian (e.g. cloud provider).

Breach of confidentiality

Disclosure of corporate confidential information or trade secrets.

Failure to provide notice of a potential disclosure of information, whether it was originally stored on the insured’s network or with a third-party custodian (e.g. cloud provider).

Cyber security liability

Inability of others to access the insured’s network. Damage to third party networks.

Loss of or damage to third party data on the insured’s network.

Cyber in the context of insurance is an umbrella term embracing any risk faced by a business through its use of online networks or systems. Those risks can include denial of networks and systems by natural phenomena, electronic phenomena (e.g. viruses) and humans; data lost through error or theft; damage to stock through hackers accessing internet-based control systems; and internet/telephony fraud, extortion and associated reputational and legal liabilities.

Cyber extortion


Defacement of the insured’s website.

Telephone hacking

Forensic investigation costs arising from the use of the insured’s bandwidth and the cost of unauthorised calls due to unauthorised access of the insured’s telephone system by an external source.

Breach of payment security liability

The insured’s legal liability to pay damages in respect of a breach of a written contract between the insured and any entity or individual that governs the storage and processing of credit card information, including any breach of the PCI DSS (Payment Card Industry Data Security Standard).

Privacy liability

Legal liability to pay regulatory compensation awards, civil penalties or fines (only where permitted by law) and the regulatory defence costs in connection with an investigation, defence or appeal of any investigation following a covered claim under the above third party cyber liability insuring clauses.

Not all of the above covers are provided on every cyber policy. If you require a certain level of specific cover, a bespoke cyber policy may suit you best. Please speak to W Denis Insurance Brokers PLC so that your requirements can be evaluated and understood. Usually a First Party Event will very quickly also turn into a Third Party Event: if there is a breach of your security and a potential loss or exposure of data to hackers, your own losses will swiftly manifest as a legal liability when you have to report the data breach to your customers.

Some of the cyber insurance policies we arrange include ‘First Notification of Loss’ 24/7 telephone helplines. Immediately following a potential claim, with one phone call you can contact our dedicated specialists who will assist with technical support, public relations advice, data retrieval or loss assistance. This includes IT forensic support to help identify the cause of the breach, enabling secure systems to be reinstated and minimising any potential loss or legal liability.


Regardless of it being a first or third party event, when a cyber or network incident occurs it can have a devastating effect on the reputation of the company and the confidence of its customers. This part of the policy provides funds, in the event of an incident, to enable the insured to hire expert assistance to mitigate the effect of the incident. In the event of a data breach the cost of notification of that breach to all relevant parties will also be covered.


Claim scenarios

European Court of Justice ruling on Weltimmo, Hungary

The ECJ ruled in favour of the Hungarian data protection authority in its case against Slovakian property site Weltimmo. It’s a landmark ruling that could have big implications for companies such as Facebook and Google, operating across multiple EU countries. The ECJ ruled on the 30th September 2015 that if a company operates a service in the native language of a country, and has representatives in that country, then it can be held accountable by the country’s national data protection agency, despite not being headquartered in that country.

The ruling means that Weltimmo could be liable for a 10m Hungarian forint (£23,650) fine levied by the Hungarian authority over the passing of user information to debt collection agencies, which was found to infringe Hungarian data protection laws.

Airline – In June 2015, hackers grounded 10 planes belonging to a Polish airline after a denial of access attack blocked the sending of flight plans.

Oil producer – In 2012, “malware” disabled tens of thousands of computers at oil company Saudi Aramco, disrupting operations for a week.

Industrial Control Systems examples

Recent years have seen growing concern about the vulnerability of industrial control systems (ICS), which are used to monitor or control processes in industrial and manufacturing sectors, for example.

An attack against an ICS could result in physical damage, such as a fire or explosion, as well as business interruption.

A number of ICS still used by manufacturing and utilities companies today were designed at a time before cyber security became a priority issue. Vulnerability of ICS was first highlighted by the Stuxnet computer worm in 2010. Stuxnet was reportedly developed by Israel to target Iranian nuclear facilities – the worm allegedly destroyed uranium enrichment centrifuges.

ICS are also vulnerable to technical failure and operator error, which can be much more frequent and severe in terms of impact and are often not captured in cyber reports.

While ICS are a particular issue for the energy sector, similar cyber-related physical damage and business interruption risks exist in other industries.


For example, car manufacturing plants rely on robots to make and assemble vehicles. Should a robot be hacked or suffer a technical fault, a production line could be interrupted for hours or days, at a potential cost of tens of millions of dollars per day.


And the potential cost of damages could be even higher from an incident involving security-sensitive facilities such as nuclear power plants, laboratories, water suppliers or large hospitals.

A hacker caused a floating oil-platform located off the coast of Africa to tilt to one side, thus forcing it to temporarily shut down.

Somali pirates employed hackers to infiltrate a shipping company’s systems to identify vessels passing through the Gulf of Aden with valuable cargoes and minimal on-board security. This led to the hijacking of at least one vessel. Denial of service attacks (initiating a very high number of requests to a system to cause it to cease operating) against ports have been reported.

Furthermore, there have been a number of anecdotal accounts about hackers accessing computer systems/navigation software, subsequently causing hull damage.

Boris Berezovsky vs Roman Abramovich

In this major struggle between two Russian ‘oligarchs’ in the UK High Court, a hacker allegedly hacked into and obtained confidential information from Boris Berezovsky’s lawyers and offered it to Roman Abramovich. Judgement was recently given in Abramovich’s favour, awarding him $6.5 billion – the biggest private court case in British legal history. This incident demonstrates how exposed law firms are to cyber risks.

Epsilon Data Management

Epsilon Data managed email communication for large companies such as Marks & Spencer and JP Morgan Chase. Hackers stole an estimated 60 million email addresses. The resulting losses, including forensic audits, fines, litigation and lost business, are estimated at $4 billion.

Zurich American Insurance Co vs Sony Corp

Zurich filed a suit against Sony in New York state court seeking a declaration that it is not obliged to defend Sony against three separate breaches of Sony’s Playstation Network, in which 100 million customer records were exposed. The alleged damages are at $171 million.

Online retailer – Case study: Website hosting failure
Impact: Website downtime resulting in lost sales and revenue.
Consequence: When equipment failed at the data centre hosting the retailer’s website, the online sales function was unable to accept or process orders.
Policy response: Covered the loss of income from the loss of sales.

Hotel – Case study: Back-end system failure
Impact: Without information to process customers, hotel reception became chaotic, incorrect bills were issued, income was impaired and business was lost.
Consequence: Check-in/check-out, billing, room management and staff coordination information became out of date and thus of no use.
Policy response: The hotel lacked cyber cover; a cyber policy would have provided insurance against lost revenue and funded the increased cost of working.

Clothing distribution firm – Case study: Stock control system malfunction
Impact: Disruption of the distribution routine had a disproportionate impact on popular sizes, resulting in a dramatic reduction in sales.
Consequence: Programming error resulted in the distribution to stores of a limited range of garment sizes.
Policy response: Covered the loss of income from the loss of sales.

Engineering firm – Case study: Breach of commercial confidentiality
Impact: As part of a tender for business, a supplier sent its price list to the policyholder, an engineering firm. This list was subsequently forwarded, inadvertently, to a rival of the original supplier. Once in possession of the list, the competitor was able to undercut the supplier’s prices in order to win business. The supplier therefore brought legal proceedings for loss of future earnings against the engineering firm.
Consequence: Legal action by a supplier.
Policy response: Covered the policyholder’s legal expenses and the cost of the settlement.

Charity – Case study: Website failure
Consequence: The charity relies heavily on donations made via its website, with the level of donations fluctuating according to the season, such as Christmas, or in connection with a sponsored event or advertising campaign. The website failure coincided with such an activity, severely compromising fund-raising activity and thus hindering its viability in terms of fulfilling its charitable aspirations and responsibilities.
Impact: Inability to accept online donations.
Policy response: Covered the cost of forensic investigation work into the cause of the failure and met restoration costs in full. It also covered the charity for its loss of income and increased cost of working.

Retail clothing chain – Case study: Stock control system failure
Consequences: Point-of-sale equipment stopped working. Unable to accept orders via website.
Impact: Collapse of auto-ordering via point-of-sale tills resulted in popular items running short, with an immediate and substantial negative effect on sales and ultimately reputation.
Policy response: Funded the cost of forensic investigation into the cause of the failure; funded network restoration costs; compensated for lost revenue; funded the increased cost of working from manual updating of the stock system following a full stock-take.


Quotation procedure

W Denis Insurance Brokers PLC

Brigade House, 86 Kirkstall Road, Leeds LS3 1LQ T. 0113 243 9812 and 34 Lime Street, London, EC3M 7AT T. 0203 544 4770

www.wdenis.co.uk

Authorised and Regulated by the Financial Conduct Authority

For small businesses (turnover under £15m) we can offer very fast premium/cover indications on a ‘statement of fact’ basis. However, the cover provided via this method is not the widest and is quite rigid. If you would like a bespoke quotation, where the widest cover and highest limits are available, or if your turnover exceeds £15m, then we will need to ask you to complete a short application form before we can offer you a quotation.
