They share their insights for those wanting to sell the product

Cyber risk

Bridget Treacy, Hunton & Williams managing partner

There is a lack of public examples to point to in the UK of the costs of a data breach.”













“If you say that your company has never had a data breach, I’d suggest you’ve been looking in the wrong place. Learning lessons from any data breach is the silver lining that helps companies not to repeat mistakes. Breaches affect reputation: in the USA we’ve seen share prices fall, but if it is handled well the share price may rise.”


Hans Allnutt, DAC Beachcroft associate

Organisations usually hold data that’s valuable, and it’s therefore also valuable to a third party.”

“Europe led the way in data protection, but the Information Commissioner’s Office doesn’t really have the resources to fully enforce the Data Protection Act, and is reluctant to hand out fines. The ICO wants self-regulation such as exists in the payment card industry, rather than to put people
out of business.”


Lisa Payne-Lawrey, Clyde & Co partner

Hostile attacks reign as the most expensive data breach for UK organisations, and malicious attacks account for 29% of all breaches.”

“The average data breach costs UK organisations £1.9m, or £71 per record. The biggest contributors to costs are negligence, carelessness as to the loss of data, system failure, and lost business. Hostile attacks reign as the most expensive data breaches for UK organisations. Revenue generated from cyber attacks is estimated to exceed that made from selling illegal narcotics.”


John Dowdy, McKinsey & Company global leader, defence

There’s no actuarial table for cyber risk. There is no benchmark.”

“Who is really good at cyber security? We just don’t know. If you’re insuring somebody for a flood, you can find out if there’s been a flood before. With cyber risk, you don’t really know how good people are. Lots of companies don’t know what’s valuable. How can you protect yourself if you don’t know what you’re trying to protect?”


Andy Rees, QinetiQ head of security health check

You will never be completelyresilient to attack, but if you make it as hard as possible, the attacker may try somewhere with lower defences.”

“We attack networks using the same techniques as hackers. Usually straightforward security mistakes allow us to gain entry. In one example, we used a company’s website to glean its IP address range, through which we accessed its staging server and found names, email addresses, home addresses, post codes, car registration numbers, dates of birth and credit card details.”


Andy Hodgson, QinetiQ global chief information security officer

Prepare, protect, prevent and pursue. The Four Ps. You need them all.”

“At the moment we’re seeing high-profile attacks. Successful ones have usually been caused by some sort of human error. You’re only as strong as your weakest link. Don’t write your password on a post-it and leave it on your laptop. My job is to make sure that companies’ security is secure enough to withstand attacks from threat actors.”


Charlotte Worlock, Clyde & Co associate

After one data breach, a North Carolina company had to set up an external call centre to deal with the volume of calls.”

“Proposed new data laws mean that data breaches in Europe
are likely to be handled in a similar way to how they currently are in the USA. Firms incur huge costs ensuring compliance with complex laws, though luckily in the UK, there are no class action law suits, so individuals suing companies is much rarer.”


Geoff White, Zurich senior market underwriter - TechMedia

The misconception over cyber risk is that it’s a spotty kid in their bedroom, but there’s far more to it.”

“You’re now seeing insurers spending a lot of time investing in teams and policy offerings, most importantly developing good-value products based on what customers want. The holy grail is the SME to mid-market, though making things cost-efficient is difficult in this area. Human beings don’t like filling out forms and we really need to make it easier for our customers to buy this insurance.”


The answers

Think cyber risk doesn’t touch your clients? Read on – our experts pull no punches


What risks does a ‘cyber risk’ policy cover?

“Cyber means different things to different companies and varies widely depending on the size or function of a business.”

“The four key areas are: first-party property damage cover, business interruption, first-party liability cover and third-party liability.”

“Ultimately it’s about understanding these areas of cyber in relation to the customer.”

“It’s not necessarily financial data primarily, though of course people are more likely to sue if you’ve lost their credit card details, but technically it can be any sensitive data.”

What should you do in the event of a data breach?

“Once you have a breach, companies need to organise their internal resources to find out what’s happening. Launching an investigation is crucial.”

“The key questions for an investigation are: What happened? Who is affected? What data has been affected? And what systems were implicated?”

“It’s recommended to contact your lawyers as soon as possible. Then you need to contain the breach, evaluate the risks and consider your obligations.”

“Once notifications have gone out they will be discussed publicly, and it’s quite a task to manage that in an interconnected world.

What contributes to the cost of a data breach and how much is it?

“There may be notification liabilities, fees for specialists to help work through the laws, and third-party claims arising from
a breach.”

“A company in the USA had legal costs of more than $9m (£5.6m) and written notification costs reached $2m. It also entered into a settlement for $40m with 43 state attorney-generals, and incurred $10m settling class action and individual law suits.”

“In the UK data breach costs are rising year on year. Keeping customers became the greatest cost hurdle for companies last year.”

What should go into a breach notification?

“Breaches have a very significant impact on reputation. Sometimes in the USA the share price is affected. Sometimes, if a company handles a breach well, their share price may rise.”

“When notifying affected parties, you need to think about the perspective of the regulators and also
the plaintive’s lawyers. You need to address the individuals who have been impacted by the breach, and you need to consider the general message you’re sending out to the public.”

“Companies should also think about the impact on their own employees. They may also have been affected.”

What are the right questions to ask about a client’s data security?

“You have to assume there will be a breach, and ask yourself: what can people find when they get in? Are all the valuable things together?”

“Or are things split up, so that when somebody does get in they can’t steal everything at once?”

“When you start to study some of these data breaches, and successful attacks, then they’ve usually been caused by some sort of human error.”

“Guessable passwords are all usually formulaic, such as partners’ names, dog names, football clubs, types of car.”

What legal measures are in place to prevent hacking?

“The key thing here is the secondary market. Not so much the hacking incident, but the people who the data is then going to.”

“There’s very little in terms of criminal sanctions there. Under the DPA, you’re only liable to fines.”

“Both the ICO and the justice committee have lobbied government to bring in custodial sentences, which have been rejected while the Leveson enquiry is ongoing.”

“Therefore responsibility ultimately lies with the organisation and the Data Protection Act.”


Fact shot

29% – The percentage of UK data breaches owing to malicious or criminal attacks.

58% – The percentage of global data breaches by ‘hacktivist’ groups such as LulzSec.

24 – The number of hours for mandatory breach notification under the proposed EU laws.

10 – Number of years the USA has had mandatory breach notification laws.

45m –Number of credit card records stolen from TK Maxx in 2007.

$256m – The total cost of the TK Maxx data breach.

$1m – Notification costs for one data breach at a US educational institution

58% – The increase in voluntary private sector notifications in the UK in 2011

£140m – Total cost of a breach at transactions processor Heartland Payment Systems in 2009.

$300bn – The cost of the Joint Strike Fighter jet project, the designs of which were hacked in 2008.

20 – The age of the Computer Misuse Act, which typically results in two or three convictions a year.

£500k – The amount the ICO can fine a company for serious breaches of the Data Protection Act.


Regulation notes

EU proposals will require stricter privacy regulations for businesses in Europe

Proposals to update the Data Protection Act
European commissioner Vivien Reding has set out her proposals for new regulations on privacy. The rules would apply to any company or organisation handling EU citizens’ data inside or outside Europe.

The directive will standardise European data laws, replacing the 27 different pieces of legislation of each member state. The aim is to foster economic growth, safeguard privacy and reduce the administrative burden for businesses.

The key reforms include: fines of up to 2% of global annual turnover if companies breach EU data laws; mandatory notification of a data breach within 24 hours where possible; fines of up to 1% of global annual turnover for companies that fail to hand over data or change incorrect data; the right to be forgotten.

What the change will mean for clients
The rules will take effect within two years of ratification by member states and adoption by the European parliament. The proposals have drawn criticism for being particularly onerous, especially regarding 24-hour mandatory breach notification. Larger companies will have to establish a data protection officer to ensure EU compliance.

Systems security requirements
Organisations will be expected to maintain a level of systems security proportionate to the data they are storing, and available technology. Companies that neglect to implement and regularly review security measures are liable to fines of up to €1m (£800,000), or 2% of global annual turnover.

The situation in the USA
Mandatory notification legislation already exists in the USA, where compliance poses a significant cost to companies, especially with regard to meeting notification deadlines. Notification costs can be high, and improvements to business practice following a breach can have significant financial impact.

The DPA 1998 summary (as things stand)
The UK Information Commissioner’s Office (ICO) regulates data protection and privacy. It can issue enforcement notices (‘stop now’ orders) where there has been a breach, and can fine companies up to £500,000 for serious violations of the Data Protection Act.

However, the ICO has been criticised for an unwillingness to penalise companies, and for not having the resources to enforce the DPA fully.