Vendor Risks, Cyber Events and the Power of Data
Sunday 12 April 2015
Author: Russell Group

There’s little doubt that cyber liability, once a niche area of insurance, is moving into the mainstream. It encompasses a new field of emerging perils such as vendor risk, data breach and theft, and phishing scams. Hannover Re’s Executive Board Member André Arrago recently flagged cyber liability as one of the key areas of innovation on the underwriting side, while Lloyd’s has recently announced its aim to broaden cyber risk coverage into areas that haven’t yet been addressed. It’s easy to see why. With cyber criminals increasingly daring and sophisticated, data protection and security is vital. Need convincing? Read on…


Hacktivism, phishing scams and data breaches seem to be a daily feature in the news these days. Even so, and despite a growing awareness, many areas of the market have yet to grasp the full dangers raised by so-called cyber liability. Just look at these examples from a report produced by law firm DAC Beachcroft:

The $4bn potential loss

Epsilon Data Management - Epsilon Data managed email communications for large companies such as Marks & Spencer and JP Morgan Chase. Hackers stole an estimated 60 million email addresses. The resulting losses, including forensic audits, fines, litigation, and lost business, are estimated at $4 billion.

PlayStation woes

Three separate breaches of Sony’s PlayStation network, in which 100 million customer records were exposed. The alleged damages are $171 million.

Roman’s victory

Boris Berezovsky v Roman Abramovich - A hacker allegedly hacked into and obtained confidential information from Boris Berezovsky’s lawyers and offered it to Roman Abramovich. Judgment was recently given in Abramovich's favour, awarding him $6.5bn – the biggest private court case in British legal history.

View from the Underwriters

Here is a brief selection of media coverage from underwriters who specialise in cyber liability:

Writing in the recent report Cyber Risks Decoded, Brit Insurance Underwriter Ben Maidment is clear: “There are significant levels of [insurance] capacity at present, with most currently covering risks emanating from the USA, where the lion’s share of demand for the coverage is coming from. If, however, the EU brings in mandatory notification regulations, which are proposed, then demand for coverage in Europe will rise and potentially more capacity will be required.”

Beazley Underwriter Paul Bantick adds: “This form of insurance is viewed as an exciting emerging risk class, as it is attractive as it offers a potential new source of short-tail business. However, I think that many have wordings that have jumped the gun, and these could get scaled back as losses emerge. I think that Lloyd’s will eventually play a bigger role in this market and a more standardised wording will be developed.”

Matthew Hogg, vice president of LIU's strategic assets division, says: "The Cabinet Office reckons that cyber-crime costs the UK economy £27bn a year, so it's clearly a major threat, but too many businesses still don't appreciate fully how this affects them, or what steps they can take to make themselves safer. They need guidelines commensurate with the size of the organisation and its risk exposure in its given vertical, along with awareness-raising of cyber risk and insurance."

Kiln Underwriter Tom Hoad comments: “The Americans are very worried about cyber attacks on their infrastructure, particularly from Chinese hackers getting into utilities… with the take-up, it’s just a question of doing deals and people having more deals, and it spreads by osmosis. People are going to identify with this as more and more of these events happen.” 

Vendor Risks

According to McKinsey and Co, “Regulatory scrutiny has now reached beyond banks, to the companies that supply them. Regulators are holding financial institutions responsible not only for their own actions but also for those of their vendors and suppliers.” In the past year, for example, American Express, Capital One, and Discover Bank have paid a total of more than $530 million to settle complaints of deceptive selling and predatory behaviour by their third-party suppliers.

A report by McKinsey and Co, Managing when vendor and supplier risk becomes your own, says:

“This new regulatory thrust poses a big challenge for financial institutions because some of them have a limited perspective on their suppliers’ interactions with customers. The largest banks and credit-card companies can have close to 50,000 suppliers. In response to the changes, financial firms are looking for new solutions to identify and manage third-party risk. A number of leading banks and credit-card companies are developing and embracing best practices.

“Regulators now expect institutions to know their third parties, how each of them interacts with consumers, and what activities it performs. Many firms do not have this information readily available. Supplier databases can be incomplete, and some of the most sensitive risks can reside in relationships that are not found in them.”

The Claims

Naturally, this is hardly an unbridled risk, however. It is increasingly clear that cyber exposures around technology vendors present an aggregation risk for insurers. To appreciate how this aggregate risk could affect all the different parties on a Lloyd’s line slip, for example, consider the following hypothetical example:

AAA Hosting Company is considered to be a big data centre supplier; it has 1000 clients, including companies A, B, C and D.

Company A buys IT insurance from Underwriter 1.

Company B buys IT insurance from Underwriter 2.

Company C buys IT insurance from Underwriter 3.

Company D buys IT insurance from Underwriter 4.

AAA suffers a loss which impacts companies A-D, and each submits a claim.

Now imagine AAA buys all its networking technology from a single vendor, NetEX, but so do some of its competing data centre providers, N24 and VirtualNet. If a security flaw is discovered in NetEX technology which can be exploited by a capable attacker, then all the clients using the aforementioned data centre providers will be impacted, and the number of claims presented to insurers escalates accordingly.
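As an added illustration that is not part of the original article, the following Python model walks the dependency chain above (vendor to data centre to client to underwriter) and totals the claims and policy limits each underwriter would face from a single AAA outage versus a single NetEX flaw. The policy limits, the extra clients E to G and the data centre IndieDC are constructed sample data; AAA, N24, VirtualNet, NetEX, companies A-D and Underwriters 1-4 are the article's own hypothetical names.

```python
from collections import defaultdict

# Constructed sample data. "AAA", "N24", "VirtualNet", "NetEX", companies A-D and
# Underwriters 1-4 come from the article's hypothetical; the rest is invented here.
DATA_CENTRE_VENDOR = {
    "AAA": "NetEX",
    "N24": "NetEX",
    "VirtualNet": "NetEX",
    "IndieDC": "OtherVendor",  # hypothetical data centre on a different vendor
}

# client -> data centre it relies on
CLIENT_DATA_CENTRE = {
    "A": "AAA", "B": "AAA", "C": "AAA", "D": "AAA",
    "E": "N24", "F": "VirtualNet", "G": "IndieDC",
}

# client -> (underwriter carrying its IT policy, policy limit in USD millions)
POLICIES = {
    "A": ("Underwriter 1", 10), "B": ("Underwriter 2", 5),
    "C": ("Underwriter 3", 8),  "D": ("Underwriter 4", 2),
    "E": ("Underwriter 1", 6),  "F": ("Underwriter 2", 4),
    "G": ("Underwriter 3", 3),
}


def clients_hit_by_data_centre(data_centre):
    """Clients whose hosting provider is the failed data centre (the AAA case)."""
    return sorted(c for c, dc in CLIENT_DATA_CENTRE.items() if dc == data_centre)


def clients_hit_by_vendor(vendor):
    """Walk vendor -> data centres -> clients: one vendor flaw reaches every tenant."""
    affected_dcs = {dc for dc, v in DATA_CENTRE_VENDOR.items() if v == vendor}
    return sorted(c for c, dc in CLIENT_DATA_CENTRE.items() if dc in affected_dcs)


def exposure_by_underwriter(clients):
    """Aggregate claim count and total policy limit per underwriter for one event."""
    agg = defaultdict(lambda: {"claims": 0, "limit_usd_m": 0})
    for c in clients:
        underwriter, limit = POLICIES[c]
        agg[underwriter]["claims"] += 1
        agg[underwriter]["limit_usd_m"] += limit
    return dict(agg)


if __name__ == "__main__":
    print("AAA outage:", exposure_by_underwriter(clients_hit_by_data_centre("AAA")))
    print("NetEX flaw:", exposure_by_underwriter(clients_hit_by_vendor("NetEX")))
```

The second query is the data the article's "Solution" section asks underwriters to capture: without the vendor-to-data-centre mapping, the NetEX exposure is invisible to every underwriter on the slip.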

The Solution

Underwriters first need to ascertain which parts of the client’s business are critically reliant on IT, evaluate the threats posed, and review the internal processes and controls being used to mitigate those risks. Secondly, a consultancy approach needs to be adopted which helps clients understand their risk profile and embed controls within the operation to mitigate such risk. Thirdly, underwriters need to capture better data on the relationship between vendor technology and client risk profiles, so that potential threats can be evaluated and adequately priced for.

There are a number of international standards which can help organisations develop such controls.

A good place to start is The PCI Security Standards Council, which offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step.

The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents. 

The International Standards Office has a number of standards focussed on security information, supply chains and processes. ISO 23001 specifies a common encryption format for use in any file format based on ISO/IEC 14496-12, the ISO base media file format. The 'cenc' Common Encryption Scheme specifies standard encryption and key mapping methods that can be utilized by one or more digital rights and key management systems (DRM systems) to enable decryption of the same file using different DRM systems. Other recommended management standards which can be used together to create an integrated system of procedures, processes and controls are ISO 27001 information security management, ISO 22313 business continuity and ISO 9001 quality management.

To quote McKinsey and Co, “Clear, actionable management reports and well-designed workflow systems are essential for accountability across the business units, compliance, and audit. To work well, these tools must track and monitor the relevant data.”

Suki Basi, Managing Director of Russell Group Limited