Chapter 16

The rise of cyber liability insurance

Gary Hibberd; Alan Cook

Abstract

Cyber risks are on the increase, with the latest figures from the Department of Business and Innovation stating that small to medium businesses lose between £35k and £65k when an incident occurs, and that this number rises to £450k to £850k for larger businesses. Businesses have always looked for ways to protect themselves from losses; from Business Interruption insurance to Professional Indemnity Insurance, they have tried to minimize the impact of unforeseen and unpredictable events. In the modern world businesses now have to concern themselves with a whole range of risks and threats that until 20 years ago did not exist. Cyber insurance has existed for 10 years, but insurers and businesses are still struggling to get to grips with this new era.

What can the past teach us? And what does the future hold? Is Indemnification of risk enough or do we need a structured Risk Mitigation strategy?

Keywords

Cyber risk; Insurance; Indemnification; Cyber liability; Regulatory compliance; ICO

A Brief History of Insurance

Whilst “cyber threats” may be new, the need to protect businesses against threats and losses incurred in the event of a major calamity is almost as old as civilization itself. People throughout history have employed risk management techniques to reduce the likelihood of loss, or to reduce the impact should a threat crystallize and occur. As early as the second century, Chinese merchants travelling across dangerous rivers would distribute their goods across many ships to minimize their losses should they lose one or more in the troubled waters, and it was the Romans and Greeks who introduced the concept of life and health insurance, where relatives of those lost in battle or at sea would benefit by receiving payments to cover funeral and future living expenses.

Insuring against losses has been with us for centuries, from the early Babylonians through to the Romans and the Greeks. More recently, in the seventeenth century, Edward Lloyd’s coffee house in London embarked on a new journey as it swiftly became known as the place to obtain marine insurance. In a world ever more reliant upon shipping and produce from around the world, the need to protect businesses trading on these dangerous waterways made perfect sense to everyone involved. Lloyds of London was firmly established as a world player in maritime insurance when a young man by the name of Cuthbert Heath joined Lloyds in 1877. Cuthbert Heath, an underwriter in Lloyds, was soon developing policies for non-marine-related insurance and reinsurance, including fire insurance and burglary insurance, as well as policies for the American market. This moved Lloyds out of the shipping lanes, opened up new and emerging markets, and set the template which Lloyds still follows today, priding itself on covering new and complex risk areas.

Business Interruption Insurance

The world today is very different from what it was in 1877, but what Lloyds did was to set the mold for modern-day Business Interruption Insurance (BI Insurance), which many businesses today still rely upon. Dependent upon the cover, BI Insurance provides cover for a company’s loss of earnings or profits in the unlikely event that it should be closed for a period of time for any number of reasons, including (but not limited to) fire, flood, earthquake, or acts of terrorism.

Typically there are three types of BI Insurance cover available:

• “Business interruption” insurance compensates the insured for income lost during the period of restoration, or the time necessary to repair or restore the physical damage to the covered property;

• “Extended business interruption” (EBI) offers cover, typically limited by a period of time, for the income lost after the property is repaired but before the income returns to its pre-loss level; and

• “Contingent business interruption” (CBI) offers cover for the insured’s loss of income resulting from physical damage, not to its own property but to the property of third parties (i.e., the damage did not affect the insured’s property—but affected someone they rely upon and therefore affects their profit).

BI Insurance, in whichever form, is recognized as a very valuable and necessary type of insurance and one which many businesses see as the basic level of insurance they need in order to trade. But whilst BI Insurance and its variants cover loss of profit, reimburse costs and compensate for damage to physical assets such as property, they rarely, if ever, cover the cost of non-physical assets. This means that BI Insurance may reimburse a claimant for the loss of a computer, but it is unlikely to compensate them for the data which sits upon it, even though the data this device holds may be worth many times the value of the device itself.

Some may feel this gap is bridged by an additional form of insurance known as Professional Indemnity Insurance (PI Insurance), which can help protect a business if claims are brought against it by a client who believes some form of negligence or error has occurred (intentional or unintentional). In professional services organizations, such as financial services or legal entities, this form of insurance is crucially important as the risk of litigation is often extremely high. This form of insurance may also cover the cost of penalties or fines arising from a data breach, and brings us closer to a new form of insurance which has begun to grow in prominence and is quickly becoming the next “must have” for businesses operating in the modern era: Cyber Liability Insurance.

What Is Cyber Liability?

As we have seen, historically it was considered prudent to protect the physical assets of a business through insurance (BI Insurance) and, later, to protect against claims for damage due to error or negligence (PI Insurance). But as the world becomes ever more interconnected and our dependency upon technology increases, the threat of unauthorized access to, or loss of, personal information has resulted in the need to protect against previously uninsurable risks. So the insurance market responded by creating the “Cyber Liability Insurance” (CL Insurance) product. CL Insurance is intended to cover risks associated with data breaches, which according to the Privacy and Electronic Communications Regulations (2011) include the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Although CL Insurance is relatively new, the products are developing quickly as businesses and insurance companies alike recognize the growing risks associated with operating in cyberspace. This growth is being driven by a number of factors, including the speed and growth of the use of the Internet and our dependency upon technology. In 2013 the network company CISCO wrote a paper entitled “The Internet of Everything for Cities,” which discussed “Connecting People, Process, Data, and Things to improve the ‘Livability’ of Cities and Communities.” The paper states that the “Internet of Things” (IoT) of interconnected systems will become the “Internet of Everything (IoE), a network of networks where billions or even trillions of connections create unprecedented opportunities as well as new risks.” As we enter this era of the “Internet of Everything,” several things become apparent:

• The world becomes more interconnected;

• the underlying infrastructure becomes more complex;

• the average user craves simplicity and “ease of use.”

This means that:

• We do not need to understand how the technology works to use it

• Information becomes easier to share between people and organizations

• Information is more likely to be retained for longer (disk storage is cheaper than ever)

• Information is more likely to exist on multiple devices (it no longer sits in secure computer rooms)

• Information can be sent to thousands of people with the click of a button

• We can communicate (using social media) with thousands of people

• We can remain anonymous or create new identities behind which to hide

• We can connect to like-minded people around the world

As our reliance upon technology and information increases, organizations are beginning to recognize that their exposure is increasing, driven largely by high-profile cyber-related breaches and increased regulatory scrutiny and legislative requirements. As awareness increases, organizations are realizing that cyber risks are not solely concerned with the loss or unauthorized disclosure of personal data or information. Although there is a wide range of cyber risks, including those associated with business interruption and denial of service, there are in fact just two forms of CL Insurance available (although these are not mutually exclusive, as one can impact the other):

First-Party Cyber Liability

First-party insurance refers to a policy which provides protection for the assets owned by the insured organization and, in reference to cyber risks, typically includes a data breach of a company’s own information and services (e.g., a website hacked and defaced, or a Denial of Service (DoS) attack). Additional first-party liability can include business interruption caused by a network or system failure, loss or damage to digital assets, theft of digital assets (including money), cyber extortion and reputational damage.

Third-Party Cyber Liability

Third-party cyber liability refers to a policy which provides protection against cyber risks which put at risk customer or partner information the organization is contracted to keep safe. Examples include a website hack which results in the exposure of customer credit card details, or an IT cloud provider who experiences an outage resulting in the loss of client information. This form of cover also provides indemnification against the losses incurred through investigations, defense costs and fines resulting from a breach, and can include the costs associated with notifying and compensating customers affected by the breach.

Both forms of liability can be equally damaging, with first-party liabilities impacting upon the capability of the primary business to operate, whilst third-party liabilities may impact their clients and customers, which may affect the entire reputation and brand of all those involved. Organizations therefore need to take account of an array of cyber risks, understand their exposure to them and then evaluate the potential for using insurance as a control mechanism. As we become more connected and rely increasingly on cyberspace to provide services, the need to protect against losses increases with it.

Cyber Risks—A Growing Concern

According to the Government website, www.gov.uk, the internet-related market in the UK is now estimated to be worth £82 billion a year, while British businesses earn £1 in every £5 from the internet. This demonstrates the importance of the internet for businesses and individuals alike, but research sponsored by the Department for Business Innovation & Skills in 2013 revealed that in 2012 in the UK, 93% of large organizations had a security breach, with 87% of small businesses suffering a breach. The report estimated that the costs incurred as a result of a security breach ranged between £450k-£850k and £35k-£65k respectively. It is likely because of these significant costs related to breaches that security budgets increased by 16% in 2013 (over 2012). This echoes further data from the Department for Business Innovation & Skills that 81% of senior management teams in large organizations are becoming increasingly concerned about security and see it as a high or very high priority.

It is easy to understand the growing concern of those in large (and small) businesses when security breaches appear to be on the increase and the headlines are filled with almost daily stories of businesses being compromised. Cases include high-profile names such as “Yahoo!” (400 thousand passwords exposed), “LinkedIn” (6.5 million passwords exposed), and “Adobe” (38 million records breached [unofficially this number is reported to be far higher and estimated to exceed 150 million]). Many more stories are reported and countless more go unreported, all illustrating the need to understand the growing risks associated with “cyber.” The following examples offer further evidence of the diverse nature of cyber risks:

• On 29th of August 2013 two individuals were charged in connection with an attempt to blackmail a Manchester internet company via a cyber-attack. The investigation into this incident is currently ongoing, led by Greater Manchester Police in association with the Serious and Organised Crime Agency. This incident highlights the expanding threat Cyber Extortion poses to UK business.

• A multinational insurance company had to pay a multi-million pound sum to UK regulators when it was proved they had misplaced the server back-up tapes of their IT system containing the private details of over 40,000 of their policy holders.

• In 2011 the UK high street cosmetics company “Lush” was hacked via a third-party email provider. The hackers were able to access the payment details of 5000 customers who had previously shopped on its website. Lush did not fully meet industry standards relating to card payment security and faced a potential fine of £500,000 from The Information Commissioner’s Office.

These incidents, and many more like them, demonstrate the multitude and variety of risks faced by organizations today: not only direct losses from the event itself, but also the impact upon reputation (requiring a structured and often costly PR response) and increased fines and claims for damages.

The Cyber Threat

The cyber threat for organizations comes in a variety of shapes and sizes and, dependent upon who they are, they may be seen as a primary target, as collateral damage or merely as a “playground” in which the cyber-infant hones their “hacking” skills. These threats can include: hacktivism, theft of IP (intellectual property), cyber-stalking, extortion, virus dissemination, identity theft, vandalism, and fraud. Many businesses could also find themselves unwittingly playing a part in attacks on other computer networks as they become “infected” by tools which enable an attacker to take command and control of their computers and use them at will in a “Distributed Denial of Service” (DDoS) attack on another organization or on critical infrastructure.

Stanley Konter, CEO of Savannah’s Sabre Technologies, once stated: “The problem has gotten more prevalent with always-on, high-speed internet access. Attackers are always out there looking for that type of computer.” He was referring to the fact that computers are often left switched on and connected to the internet even when not in use, and this connection can be used both ways by people wishing to do us harm. These threats range from state-sponsored terrorists looking to disrupt national infrastructures through to individuals and groups of individuals who are doing it for “lulz” (slang for “for laughs”).

Whilst it must be recognized that the cyber threat can come from an external source, businesses need to be reminded that they are far more likely to be the victims of a cyber-related incident originating within their own organization than from an external source. Many organizations are already taking steps to protect themselves and their businesses from the cyber threat with firewall technology, antivirus protection and Intrusion Detection Systems. Internally, however, their processes have not evolved at the same pace to protect themselves and the information they hold. The incidents relayed earlier demonstrate that having good security controls in place will not prevent someone “misplacing” backup files containing masses of information. Nor will it prevent staff from throwing physical documentation which contains personal information in the trash. The cyber threat is therefore far from being purely related to online information, a matter which regulatory frameworks worldwide are trying to address.

A Changing Regulatory Landscape

Increased scrutiny by regulatory bodies (worldwide) and threats of increased fines have clearly raised the need for appropriate protection. In Europe, in January 2012 the European Commission proposed a reform of the EU’s 1995 data protection rules in a bid to strengthen online privacy rights. This was seen as a key requirement, due in part to the fact that the 27 EU Member States had implemented the 1995 rules differently, resulting in divergences in enforcement. The intention is to create a single law which will reduce the cost of administration (of the legal frameworks) and which is seen as a way to raise confidence in online services (see Chapter 1 and Chapter 14).

This chapter is not intended to be an in-depth review of the new regulation, but there are key elements of the standard which are worthy of exploration as they directly impact the growing need for CL Insurance.

ICO Notification

The regulation, which is due to come into force in 2014 (possibly 2015), empowers each supervisory authority to impose administrative sanctions in accordance with the regulation, and stipulates that a breach must be notified within 24 h and a full report provided within 3 days of the event. The wording of Article 31 of the regulation states:

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.

The regulation stipulates the information which is required and also the manner in which it should be reported. Furthermore, Article 79 (“Administrative Sanctions”) outlines the administrative sanctions the supervisory authority can levy against organizations who breach the regulations, and states that the sanction “shall be in each individual case effective, proportionate and dissuasive” (Article 79.2). Article 79 of the regulation goes on to state that the amount of the administrative fine shall

be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented [pursuant to Article 23] and the degree of cooperation with the supervisory authority in order to remedy the breach.

The above passage clearly indicates that organizations must be in a position to understand their risks and have a clear understanding of how they are protecting themselves against these risks becoming incidents. The regulation goes on to stipulate the kinds of sanctions which the supervisory authority can impose, and it is these sanctions which organizations are becoming increasingly aware of and concerned about, leading them to consider the uptake of some form of insurance which mitigates the increased risk of fines. These sanctions include fines of between €250,000 and €1,000,000, or between 0.5% and 2% of annual worldwide turnover, dependent upon the circumstances of the breach and the level of protection and mitigation that can be demonstrated.

As regulations therefore become more comprehensive, businesses need not only to consider the most appropriate ways to improve their security controls (e.g., by adopting the international standard for information security, ISO27001:2013), but must also look for ways to mitigate the potential losses from fines imposed by their local supervisory authority through the use of appropriate insurance.

What Does Cyber Liability Insurance Cover?

It is important to state at this stage that CL Insurance should not be seen as a method for organizations to simply transfer their risks to an insurer and make no other effort to protect themselves against potential incidents. Like many insurance products, CL Insurance products carry a series of exemptions and exclusions to protect the insurer from underwriting bad risks. Cyber Liability insurance is intended to mitigate losses from a variety of cyber-related incidents, including those stated previously. With the new regulation on the horizon and the increasingly complex and interconnected environment businesses operate in, it is easy to see why cyber insurance is so desirable to businesses.

A good CL Insurance product should protect against the financial impact of a data leak, a data loss or a breach of a company’s IT system, and may include ancillary cover for such elements as Cyber Extortion or costs associated with PR management. Current products vary in what they will and will not cover, but essentially range from the loss of information from an individual laptop to the hacking of an entire network or cloud storage facility. Any of the above can have a serious effect on a company’s IT system, its market reputation and, most importantly, its financial stability.

The impact of a data breach can be far reaching, but Cyber Liability coverage essentially falls into three distinct areas of cover:

• Loss or Damage of Data—Data which is lost, stolen, corrupted or damaged by any means, including intentional or unintentional actions. Costs incurred may include compensation claims, fines, investigations, remediation or recovery costs.

• Cyber Extortion—An increasing risk where hackers or “hacktivists” threaten to disrupt a business by introducing a virus or shutting down its website via a “Denial of Service” (DoS) attack unless a sum of money is provided. Additional risks include the threat of having defamatory (or inappropriate) material injected into the company’s websites or online catalogues to discredit it. Cyber Extortion also includes the threatened release of confidential information unless a fee is paid.

• Command & Control—Specialist knowledge may be required to manage the incident and ensure all necessary actions are taken to minimize the disruption to the business and ensure all interested parties are informed of the actions being taken (including customers, clients, suppliers, and regulators). This can also include costs associated with external PR agencies to manage communication to the wider community and, finally, will include costs associated with the provision of Credit Protection Services to those affected.

As highlighted above in “Command & Control,” the wider cover provided by some cyber policies extends to the public relations cost that can result from a business being exposed as having suffered a cyber breach. A company’s reputation can be quickly soured as customers lose confidence in its security. Having a speedy and professional PR team to help manage the crisis and restore customers’ confidence is paramount in the digital age.

Who Offers Cyber Liability Insurance and What Should Customers Look Out For?

Cyber Liability Insurance has existed in the insurance market for a number of years, but it is only the proposed changes in legislation, increased usage of mobile electronic devices and a series of high-profile cyber attacks that have brought Cyber Liability Insurance to the forefront of businesses’ and brokers’ attention. Choosing the right broker, who understands the covers and the exposure, is paramount in ensuring a business has adequate protection.

As the need for meaningful Cyber Liability protection grows, there is no shortage of market capacity for this product. The established markets for this cover include AIG, Hiscox, ACE, Chubb, and Zurich; however, choosing the right policy is key to ensuring adequate cover is provided. A comprehensive Cyber Liability product should give cover for the following key areas:

• Defense Costs & Damages covered for First and Third Party losses

• Business interruption for server downtime

• A Forensic Investigation and Support Service to manage a breach and help restore a company’s systems

• A Public Relations response service to help mitigate negative publicity following a cyber breach

• Cover offered in respect of Cyber Extortion

It is also important to consider whether the provider offering the Cyber Liability product understands the cyber “space” they are operating within. Responding effectively to the threat is of paramount importance, and understanding the process for notification and management will offer confidence to the purchaser that, should the need arise, everyone will understand what will happen.

Conclusion

From the details provided on cyber threats and cyber-attacks, it is clear that every business or organization operating a web site or conducting business in cyber-space needs protection from an ever increasing array of risks, and needs to take pro-active steps to protect itself from incidents occurring. These measures should include a basic understanding and implementation of appropriate security controls. What “appropriate” means is different from industry to industry and business to business, but every organization should at the very least have adopted the principles of Data Protection and considered the appropriateness of the international standard for information security, ISO27001.

Good information security processes have always mandated that good incident management should be in place, and this is where CL Insurance steps into the frame. CL Insurance provides a level of comfort that, if (or “when”) a breach occurs, there is something the claimant can ultimately rely upon to help reduce the impact on their organization, should there be legal or regulatory scrutiny (or sanctions) or a need for specialist or expert knowledge.

As more and more business is transacted in cyber-space, the use of mobile electronic devices increases and “Big Data” gets bigger, the likelihood of something going wrong is undoubtedly going to increase too (see Chapter 14). The potential direct or indirect losses which could occur due to theft, loss or destruction of critical data, libel, defamation, copyright or trademark infringement, vandalism, threats or denial of service attacks are increasing and show no sign of slowing down.

Regulatory and legislative changes regarding data protection and breach notification could see fines and penalties becoming much more prevalent, so businesses need to acknowledge the risk that Cyber Liability presents and carefully consider the security controls required to ensure data protection is in place. Whilst there are a variety of approaches to this which should be carefully assessed and understood, the benefits of a comprehensive and effective Cyber Liability policy will not be fully understood until they are needed.

The insurance market is historically slow to develop products for which little or no statistical information is available, but as the details surrounding breaches become more readily available, the provision of CL Insurance will increase along with the demand in the marketplace. The future of CL Insurance is secured and will undoubtedly evolve over the coming years. The only question is how quickly CL Insurance will evolve into full Data Protection Insurance. This is a step which has yet to be taken but undoubtedly needs to happen.
