Increase in regulation and risk of fines puts cyber-liability cover at top of agenda

Cyber War

It could have come from anywhere: a teenager in a bedroom, or a sophisticated Russian cyber-crime gang looking to steal data.

Either way, the recent cyber attack on broker software provider SSP drove a dagger right into the heart of the company’s operations, forcing it to temporarily close the systems that allow broker partners to sell insurance on price comparison sites.

SSP is one of many companies globally that have suffered. Cyber attacks are costing business dearly and insurers sense an opportunity.

The European cyber insurance market is worth an estimated £250m, with half of this written in the UK, and its growth potential is huge.

This year alone, Chartis, Liberty, Hiscox, Ace, Barbican, Beasley and several Lloyd’s syndicates have launched cyber-liability insurance products in the UK and Europe.

Some of these providers have worked in the more mature US cyber-liability market for several years and their launch into European markets is no coincidence. In part, it’s a response to the increasing number of cyber attacks; SSP is believed to have suffered 20,000 cyber attacks after the original attack on its broker link to Google Compare.

Also, the launch into Europe of so many cyber-liability products is a result of a toughening of European regulations around personal data.

The European Commission (EC) is following the US example. US Federal Law requires companies that suffer data losses or a security breach to tell every customer individually.

In January, EC justice commissioner Viviane Reding revealed plans to update the 1995 Data Protection Directive. It includes plans for firms to notify customers within 24 hours about potential data loss.

That requires extra manpower and time, raising the cost of an attack. Ultimately, this has increased the need for firms to have cyber-liability insurance cover and the skilled risk management advice from brokers and insurers that can help prevent an attack in the first place.

Fines for losing data
Even without Europe’s gaze, domestic regulators are getting tough. While the UK Information Commissioner has told internet service providers who lose customer data to inform individual customers, there is no 24-hour deadline.

The FSA, meanwhile, has imposed sizeable fines on companies for losing customer data, the most recent example being Zurich Insurance, which ironically is seen as a leading player in cyber-liability.

Zurich was fined a record £2.27m by the regulator for “the loss and lack of control over the personal data of 46,000 of its customers”.

In addition to the rising costs associated with regulation, the global nature of business is putting cyber-liability insurance in demand.

AIG cyber-liability underwriting manager for Europe James Bouloux says that a company wanting to operate in a country with strict rules on data loss, such as the USA, needs to be able to cover the cost of a potential breach in that territory.

‘It’s not about spinning a message, it’s about explaining to the public what has happened and why’

Jamie Bouloux, AIG

For example, Sony suffered a global data breach last year in which the personal details of thousands of its PlayStation Network customers were compromised.

It cost the Japanese technology giant dearly, both financially and in terms of its global reputation, because of its worldwide reach and the number of legal jurisdictions it operates in, each with its own rules over personal data.

Insurers are well aware that cyber attacks are now high on the agenda for risk managers, who either control the insurance budget or have a big say in how it is spent.

InterContinental Hotels’ head of risk management John Ludlow, talking to StrategicRISK, an information source for European corporate risk mangers and a sister brand to Insurance Times, says he recently completed a security programme encompassing cyber risk.

Ludlow started by trying to understand the risk, its scope and possible effect.

He says: “Once we had done this, we were able to write a white paper that we circulated among all interested parties. We then had a workshop where we discussed the risk, and then set about coming up with a common strategy on how we would counter the risk.

“Each workstream has now gone away to write a paper, after which a small group of us will consolidate all those papers and come up with a strategy, and a way forward. We’ll then go to the executive, the audit and the board and say ‘you may have not heard of this threat of cyber; this is roughly what it is; this is roughly what it means for the company; and this (is what) we propose to do about it’.”

Increasing sophistication
IBM Institute for Advanced Security director Martin Borrett says cyber attack is so damaging, it is no wonder that risk managers and board members of multinationals are worried.

“Although cyber-risk is still relatively new, the volume of attacks has been going up, and their sophistication is increasing.

“As critical information, related assets and devices are becoming more instrumental and interconnected, the damage and the knock-on effects of a major cyber attack can be felt not only in computing. They can affect critical business and infrastructure operations,” he says.

“The biggest cyber risk within an organisation is complacency and a lack of awareness.”

If IBM is right, at least insurers are helping companies wake up out of their slumber to the growing threat.

Talking points …

  • With data protection regulation expected to be toughened in Europe in 2014, will all companies be required to hold cyber-liability insurance?
  • What other things can firms do to protect themselves and their data from cyber attack?
  • Given the emergence of cloud computing, how vulnerable are insurers and other companies?

Managing a cyber crisis

Jamie Bouloux, AIG

Most cyber-liability insurance products are geared towards full service crisis management, said AIG cyber-liability underwriting manager for Europe Jamie Bouloux.

A company that has suffered a security breach will typically find its policy provides an IT forensic investigator or two, as well as legal and public relations assistance. In the USA, companies with this type of cover have become adept at securing their databases and dealing with reputational damage.

Bouloux said: “Most companies with sufficient cover find they typically lose only about 3% of their customers after a breach.”

Being able to respond immediately and effectively to any breach means companies maintain customers’ trust, as well as their own public reputation.

“A couple of teams will get involved. The policy will involve damage limitation if necessary and reputational management. It’s not about spinning a message, it’s about explaining to the public what has happened and why,” Bouloux said.

Insufficient insurance can be disastrous. Last year’s cyber attack on Sony’s PlayStation Network was expected to cost £180m alone this year in breach-related costs, while there were at least 55 class action law suits against Sony in the USA and Canada in 2011.

And Zurich America filed its own lawsuit seeking to defend itself from Sony’s claim on its commercial general liability insurance policy, which Zurich said did not indemnify the technology giant against cyber attacks or compensation claims.

Cybercrime is the top risk for business

Cybercrime is the number one emerging risk affecting the insurance market, says consultancy 24 Lockdown, with a total cost to business worldwide of £241bn in 2011.

Meanwhile, a report by the UK government last year put the cost of cyber attacks on UK business alone at £21bn. Costs to government departments totalled £2.2bn, while the public lost £3.3bn. Last year, the ABI found insurance fraud cost the UK £2bn.

Efforts to understand the scale and nature of cyber attacks are frequently hampered by the unwillingness of companies to admit they have been the victim of one because of fears of ‘reputational damage’.

According to 24 Lockdown director Steve Bibby, many companies are finding that “increased regulatory pressure around transparency of corporate data is bringing a wave of new threats to corporate brand identity and is compromising cyber security”.

Last year the UK government dedicated £650m over four years to tackle the growth of cybercrime.

Its report found intellectual property theft accounted for nearly half of all cybercrime, excluding illegal music and video downloads. Industrial espionage was also a significant problem, the government said.

Cyber numbers

The amount traded via e-commerce each year world-wide exceeds: £5trillion

Consultancy 24 Lockdown says the total cost of cyber-crime world-wide in 2011 reached: £150bn

According to a government report, the cost of cyber-crime to the UK last year totalled: £21bn

The cost of fraud to the insurance industry in 2011: £2bn

The number of cyber attacks on the UK per hour, every day, according to the security services: 1,000

To tackle cyber-crime, the UK government plans to spend: £650m

To see a map of the top 10 countries were attacks come from and the top five targeted regions, click here.