Modern businesses rely heavily on computer software and the internet when dealing with digital data and they are becoming increasingly aware of the cyber risk exposure faced by their organisations.
Over the last few years there has been increasing focus on cyber risks and associated insurance cover.
A UK Government survey carried out in 2014 estimated that 81% of large corporations and 60% of small businesses suffered a cyber-breach in 2014. Whilst over 60% of incidents reported to insurers are the result of accidents, cyber-crime is now the world’s fastest growing category of organised crime and the majority of high value losses stem from actions designed to cause harm.
This is the first of two blogs on the subject considering, in the first instance, the nature and consequences of cyber risks and secondly, the current insurance situation.
1. Definition of Cyber Risk
The Institute of Risk Management defines cyber risk as,
“any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.”
Almost every organisation faces exposure to loss resulting from damage or destruction of its computers and computer networks. This can lead to business interruption, income loss, damage management and repair costs and reputational damage.
Non malicious events such as major physical incidents, for example, fires, explosions, floods and natural disasters, can have a devastating effect on a business. A good example of this is the recent Holborn underground fire which caused considerable damage to services effecting network access for hundreds of businesses and, in some cases, consequent supply chain disruptions.
Malicious events such as cyber-attacks are designed to cause maximum disruption exploiting vulnerabilities within a business IT framework. Such attacks can result in the theft of commercially sensitive information or intellectual property, data and software destruction or deletion, theft of funds, reputational damage and liability to third parties (such as customers and supply chain partners).
2. Potential Losses from Cyber Attacks
Potential losses deriving from cyber-attacks or non-malicious IT failures fall into the following categories:
|Intellectual Property (IP theft)||Loss of value of an IP asset, expressed in terms of loss of revenue as a result of reduced market share.|
|Business Interruption||Lost profits or extra expenses incurred due to the unavailability of IT systems or data as a result of cyber-attacks or other non-malicious IT failures.|
|Data and software loss||The cost to reconstitute data or software that has been deleted or corrupted.|
|Cyber extortion||The cost of expert handling for an extortion incident, combined with the amount of the ransom payment.|
|Cyber-crime/cyber fraud||The direct financial loss suffered by an organisation arising from the use of computers to commit fraud or theft of money, securities, or other property.|
|Breach of privacy event||The cost to investigate and respond to a breach event, including IT forensics and notifying affected data subjects. Third party liability claims arising from the same incident. Fines from regulators and industry associations.|
|Network failure liabilities||Third party liabilities arising from certain security events occurring within the organisation’s IT network or passing through it in order to attack a third party.|
|Impact on Reputation||Loss of revenues arising from an increase in customer attrition or reduced transaction volumes, which can be directly attributed to the publication of a defined security breach event.|
|Physical asset damage||First party loss due to the destruction of physical property resulting from cyber-attacks.|
|Death and bodily injury||Third party liability for death and bodily injuries resulting from cyber-attacks.|
|Incident investigations and response costs||Direct costs incurred to investigate and ‘close’ the incident and minimise post incident losses.|
3. Risk Profile
For larger organisations intellectual property theft is considered to be the risk which would have the most severe impact and issues of quantification can be challenging because IP assets and the loss suffered by an organisation are difficult to value. However, key risks also include the unauthorised disclosure of personal data, system outage events and consequent reputational damage. In fact it is estimated that reputational damage accounts for 5% – 20% of the cost of a cyber-security breach for large businesses.
Whilst physical losses are a less publicised element of cyber breaches they are a growing concern and can include damage to plant and machinery and system malfunctions. In Germany in 2014 a spear phishing scam allowed hackers to access a steel mill’s system preventing a blast furnace from shutting down in the appropriate manner causing massive damage to the mill.
4. Risk Mitigation
In June 2014 the UK Government announced the launch of the Cyber Essentials Scheme. It has been designed to fulfil two functions:
- To provide a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats; and
- To offer a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.
The Cyber Essentials scheme concentrates on five key controls. These are:
- Boundary, firewalls and internet gateways – devices designed to prevent unauthorised access to or from private networks;
- To secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation;
- Access control – ensuring that only those who should have access to systems have access and at the appropriate level;
- Malware protection – ensuring that virus and malware protection is installed and is up to date; and
- Patch management – ensuring latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.
In addition to implementing those basic cyber security controls an organisation may undergo certification and it is expected that insurers, investors and auditors will start to take certification into account when assessing an organisation’s risk profile.
5. Cyber Insurance
This brings me to the issue of cyber insurance. Earlier this year the Association of British Insurers suggested that cyber insurance should become as common a purchase for UK businesses as property insurance within the next decade.
The ABI note that there are five key reasons why cyber policies are a business essential and these are:
- Cyber-crime is one of the fastest growing forms of crime in the world;
- Cyber threats are at the cutting edge of technology, changing so rapidly that it is almost impossible for individual companies to keep their defences ahead of the game;
- Businesses are increasingly dependent on IT for their everyday activities;
- Cyber-attacks and failures can result in businesses closing or having to dramatically change what they do;
- The British insurance market is already able to offer businesses cyber insurance products; the market in London being responsible for more than 10% of global cyber insurance business.
However there is a great deal of confusion as to the level and type of insurance available or in place, how to quantify it and what sort of risks can be insured.
Less than 10% of UK companies have cyber insurance protection even though 52% of CEOs believe that their companies have some form of coverage in place.
Part two of this blog will discuss cyber risk insurance, the type and variety of cover currently available and potential coverage issues.
For further information on this issue please contact:
 Spear phishing is a scam involving an email that appears to be from an individual or a business that you know when in fact it is from criminal hackers seeking unauthorised access to confidential data.
If you aren’t receiving our legal updates directly to your mailbox, please sign up now
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a limited liability partnership registered in England and Wales (No. OC326366) and is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office: 2 Stone Buildings, Lincoln's Inn, London WC2A 3TH. "Partner" denotes a member of the LLP or an employee or consultant with the equivalent standing. Our privacy notice which we are obliged to give you under the GDPR is available here.