Cyber liability, not if but when?
Businesses of every size rely to an extent on information technology (IT) and data. This results in an exposure, alongside their clients, to a potential financial loss if that data is mislaid, stolen or rendered inaccessible.
The press frequently highlights the impact, both on businesses and individuals, of some form of data attack, but fewer column inches assess the probability of the risk. Simply put, how likely is your business to be affected? A UK Government survey estimated that in 2014, 81% of large organisations and 60% of small businesses suffered a security breach. Whilst a reduction on the previous year, the financial impact of each breach has almost doubled. Rectification costs frequently run into the hundreds of thousands of pounds and a serious breach of the Data Protection Act (DPA) can result in a £500,000 fine.
There is no doubt that personal data needs protecting. Last year the Information Commissioner’s Office (ICO) investigated 173 UK firms for a variety of incidents that may have breached the DPA – 29% related to security and 26% related to incorrect disclosure of data.
The DPA of 1998 requires that many businesses, including solicitors and accountants, register with the ICO as soon as they start trading. It also stipulates that such firms must take all necessary precautions to prevent the loss or theft of personal data. Whilst prevention is undoubtedly better than cure, the DPA requirements do little to help a firm that has suffered a breach. Yet it is at this point that rapid, expert intervention can have a very tangible, positive impact on the outcome.
Articles on data security can often be somewhat otherworldly with references to international security agencies and the dark arts of the hacker. Equally they can be so technical that they are baffling, so before we explore the topic in further detail, it is worth considering how some form of data infiltration or loss might impact a professional services firm. (See case studies section).
Whilst these case studies might sound alarmist, the typical professional services firm is also exposed to more mundane threats, from the mislaid memory stick to the misdirection of a highly confidential email. Whether dealing with a situation that has arisen by way of an accident or as a result of criminal activity, the potential losses go far beyond those of the ultimate owner of the data, ‘the client’.
They extend to include rectification costs, forensic investigations and reputational management. Irrespective of the steps that need to be taken, a rapid response led by a specialist team will often be required.
Traditional insurance policies such as commercial property, computer, business interruption or professional indemnity may provide some elements of cover against the losses which can arise from an incident that adversely impacts data, whether first party or third party. In some cases businesses may elect to ‘bolt on’ a cyber extension to, for example, their PII policy. Whilst any attempt to extend coverage should be applauded, traditional insurance policies or extensions rarely offer the same breadth of cover that a stand-alone cyber policy does.
Whilst cyber liability cover has been available in the UK for over a decade, many businesses, and indeed some insurers, are only just beginning to understand where losses relating to data security might actually arise. To assist in developing our understanding, Howden has recently announced plans to work with the US-based technology company Insurisx, which uses cyber-security risk assessment analytics to assist in the development of insurance solutions. However, this cutting-edge approach is rare, and many are left trying to piece together an understanding of the topic from a confusing array of sources ranging from industry reports to the press. An understandable reluctance to openly discuss an increasingly sensitive issue, a lack of expert guidance and an over-reliance on existing insurance arrangements have resulted, we suspect, in many firms failing to fully understand or adequately insure their exposures.
This lack of understanding is compounded by the fact that many professional services firms, particularly smaller businesses, are heavily reliant on third-party providers for much of their IT resource. Identifying potential weaknesses in technical resources will often fall to the ‘experts’ providing them. Even where the experts are honest enough to provide a ‘warts and all’ report, they may be confident that their own insurance, by way of subrogation, will cover any losses arising. This is unlikely to be the case, and it places an onus on the firm appointing the outsourced provider to develop an in-depth understanding of the provider’s insurance arrangements, something which is rarely possible without the assistance of an insurance expert.
The increasing trend towards cloud computing further obscures the topic, often making it hard to understand precisely ‘who is responsible for our data and our customers’ data’. Outsourcing does not absolve a firm (the Data Controller) of its own responsibility, as data protection responsibilities and liabilities are imposed primarily on the ‘Controller’, who may employ ‘Processors’ to process data. It must also be considered that many cloud infrastructure providers are based outside Europe, so the quality of locally available insurance cover can vary significantly and, perhaps more importantly, such providers are unlikely to be subject to obligations under the EU Data Protection Directive.
For those firms with an in-house IT resource, our perception is that it is rare that a representative of this team will be actively involved in either purchasing or managing the insurance programme. As a result, those that are involved in buying the insurance are left trying to comprehend both the exposures and the cover available from a form of insurance that is often accompanied by a raft of technical terms only fathomable to the insurance or IT expert. This may result in either the wrong cover being purchased or no cover at all. Indeed, as one head of a mortgage network confirmed, ‘we are not sure this issue is broadly understood. We do urge our network members to investigate their cover. There is an assumption that their PII covers this sort of problem but it is almost exclusively advice-based cover and the issue of holding personal data remains their responsibility. We are sure this is not appreciated.’
For those firms which continue to rely on their PII to cover cyber-related events, it is important to consider what exactly a PII policy is intended to cover. PII policies are designed to respond to a “demand for damages or compensation” by a third party. In the event of, for example, a data breach, the third party (i.e. your clients) is very unlikely to know they have been impacted.
Therefore, a claim as defined by the PII policy will not be made, and the policy will not respond. The rapid response that a breach demands typically includes:
- Forensic investigations where professionals quickly analyse the root cause of a breach, evaluate its severity and close off any security holes.
- Specialist legal advice on the implications of the breach.
- Credit monitoring services for customers who may have been affected.
- Notification to the ICO and any other relevant authorities.
For those firms that are ready to buy stand-alone Cyber Liability cover, the insurance solutions available, whilst currently comparatively inexpensive, can appear both complex and inconsistent. An informed broker with a specialist understanding of both the insurance options available and the sector in which you operate will be able to assist. Robin Johnson, Managing Director of KFH Chartered Surveyors, echoes this sentiment: “Whatever your arrangements we feel you can only take an informed view if you have examined the risks thoroughly and regularly revisit your arrangements and keep your cover under review. A specialist broker is invaluable in helping with this.”
Cyber insurance is a relatively new concept, particularly in the UK, which is around a decade behind the US in terms of regulation. Whilst this means that the UK insurance market has yet to standardise its approach to this emerging risk, it also means that cover is competitively priced, as insurers have yet to feel the full impact of a serious volume of claims. Those firms that buy stand-alone cyber cover now and can demonstrate effective management of the likely triggers of a claim over the next few years should not only benefit from more affordable premiums over the longer term, but should also benefit from more proactive guidance on the key issues that could lead to a claim, through early engagement with specialist brokers and insurers.
In late 2013 it was reported that £7m was stolen from a financial adviser’s client by cyber criminals who had gained access to the adviser’s email account by tricking them into giving up access to their private email. The criminals then set up a mail filter so that client correspondence skipped the adviser’s inbox, corresponded with the client and/or a clearing bank, and tricked them into transferring the money. It is believed that at least six wealth managers fell prey to this scam in late 2013, costing clients a total of £45m.
Law firm Weightmans LLP warned in an article in Scottish Legal News earlier this year of evidence that cyber criminals are increasingly targeting advisers who may be privy to market-sensitive information by way of their involvement in mergers and acquisitions. Criminals could then use the information to carry out what essentially amounts to ‘insider dealing’ in listed company shares. This followed the “FIN4” attacks that targeted large pharmaceutical companies and their advisers in the US, embedding malicious code in emails to track discussions about merger activity. Whether for financial gain or sabotage, these attacks targeted more than 100, mostly listed, companies.
In 2014 a small U.S. law firm admitted to losing its entire library of legal documents to a virus called the Cryptolocker Trojan, a form of malicious software specifically written to generate ransom payments from relatively cash-rich but time-poor businesses.
The virus infected the company’s main server, leaving every single document used by the firm in an encrypted state, after an email with a malicious attachment was mistaken for a message sent from the firm’s phone answering service. The virus also warned that if the firm tried to tamper with or decrypt anything, the main server would be permanently locked, which left the firm’s IT department unable to do anything to rectify the situation. The firm then attempted to pay the ransom but discovered that the grace period, another nasty aspect of Cryptolocker, had expired.
It is estimated that there are over 130,000 victims of Cryptolocker in the UK, with over 50,000 PCs infected between the summer of 2013 and June 2014. The software is thought to have been used to extort more than £18m in ransom payments globally, but the total costs associated with reinstating affected systems are likely to significantly exceed this.