The extent of online usage also means that we are generating an ever-increasing amount of electronic data. With that comes the risk of data breaches, whether by human error or malicious attacks.
Insureds facing cyber risks and liabilities need to be aware that traditional policies may not protect them. This article considers the various types of cyber risks; why traditional policies might not respond to such risks; why regulatory developments might make cyber cover a must-have form of cover; the rapidly growing market of specialist cyber-risks insurance products; and cloud computing.
Two of the most common forms of cyber risks are cyber attacks and data breaches. Cyber attacks can take many forms:
- Hacktivism – where a company’s website is hacked into and used as a platform to promote views.
- Denial of service attacks (DoS) – when a site is bombarded with millions of emails from a bogus source, thereby blocking access to the site by legitimate users. This happened to the Amazon and PayPal sites recently, when they were forced to stop online trading as a result of DoS attacks by people protesting against the arrest of Julian Assange.
- Cyber-extortion – where attackers threaten to carry out a DoS attack or to implant viruses in a company’s website or network.
Data breaches can occur as a result of human error – for instance, unencrypted data is lost or sent to the incorrect recipient – or by hackers, employees or others stealing or otherwise gaining access to sensitive data. Earlier this year, Sony was forced to shut down its PlayStation network for 23 days, with an estimated financial loss of US$171m, following a data breach when the names and (reportedly) credit card details of over 77 million users were stolen.
These examples highlight the new and challenging cyber risks accompanying the growth and usage of online services and technology.
Not getting physical
Most first-party policies require "physical loss or damage" to insured property.
Because cyber risks most often involve nonphysical events, coverage can be problematic.
- For example, in a DoS attack, a website is temporarily forced out of service but the site is neither destroyed nor permanently damaged. This could affect any business interruption claim, as cover is typically triggered by damage to (or loss of use of) "tangible property".
- Another example is where a site is affected by a virus or Trojan horse as a result of cyber-extortion. (A Trojan horse is a type of malware that masquerades as a legitimate file or helpful program with the ultimate purpose of giving a hacker unauthorised access to a computer.) Although an expensive IT clean-up is required, the virus has not actually caused destruction or alteration of the computer data or software.
Similar problems arise in respect of third-party liability policies. In the Sony PlayStation US lawsuit, Sony’s insurer said in response to claims arising from the data breaches that the policy did not cover damages arising from cyber incidents. Sony’s insurer took the position that the policy only covered "bodily injury" and "property damage" caused by occurrences other than the kind of cyber attacks that Sony experienced.
Other examples include where insureds have attempted to seek cover in relation to data breaches under their E&O, D&O or fidelity policies. Often, the problem is that such policies were not intended to cover cyber risks or are affected by policy exclusions.
These examples make it clear that coverage of cyber risks can be problematic under traditional types of policies. A further difficulty with conventional policies is that they are unlikely to cover (or to provide the level of cover needed to meet) a cyber attack or data breach.
Is special cover needed?
Given the coverage problems under traditional insurance contracts, there is plainly a need for standalone policies that are specifically designed to address cyber risks. Inevitably, however, the question will arise in individual cases as to whether specific cyber risk cover really is necessary in this particular instance. An insured might consider that it already has high-level IT security and risk management processes in place. It might also think that it has a low risk of a cyber attack or data breach.
Unfortunately, as some of the recent high-profile cases have demonstrated, no company is immune to a cyber attack. In the case of data losses – which often stem from human mistakes (for instance, a laptop left on a train) or conduct (rogue employees and hackers, for example) – no system can be designed to prevent such a loss.
In the US, the growth of cyber liability cover was strongly driven by the introduction of legislation in various states making notification of a data breach mandatory. At present, there is no such requirement in Europe, although EU regulators are reviewing the position and looking at similar laws.
The EU Justice Commissioner has recently proposed new data breach notification and privacy laws, forcing companies to notify their insurers every time a data breach occurs, even if no records have been accessed as a result of the breach. If implemented, these changes will have a significant impact on businesses.
The EU proposals also include fines of up to two per cent of annual global turnover on companies that breach the data laws. If and when they are implemented in the EU, such regulatory changes are likely to make standalone cyber cover a must-have type of insurance for many companies.
Types of cyber cover
There are several insurers in the US – and an ever-growing number in the UK – who offer cyber-insurance policies that provide cover for standard types of cyber risks such as data breaches, DoS attacks, network interruptions, and damage caused to software and hardware by virus attacks.
Even so, the type and scale of cyber risk faced by one insured can be quite different to that confronting another insured. This has led to a rapidly developing market of specialist cyber policies that have enhanced types of cover to respond to the specific cyber risks faced by a particular insured. Such specialised policies include the following:
- Electronic data loss policies - these could cover (1) mandatory data-loss notification costs (which will be relevant if data-loss notification becomes mandatory in the EU); (2) data-loss notification fines (as mentioned earlier, the EU privacy data proposals include fines of up to two per cent of global annual turnover if a company breaches the proposed data laws); (3) forensic IT specialist costs for identifying and resolving data breaches; (4) public relations costs managing the reputation of the insured that has suffered a data loss; (5) third-party security audits/monitoring for a specific period following a data loss; and (6) third-party claims expenses and damages.
- Cyber hacktivism and extortion cover - this could include cover for (1) business interruption arising from the loss of use of the insured’s website for trading as a result of "occupation" by hacktivists; (2) the cost of responding to (or dealing with) a cyber extortion demand; (3) IT specialists costs for monitoring following an incident; (4) the costs of resolving and cleaning up the consequences of a virus being implanted or the alteration of network components by a hacker; and (5) public relations costs.
- Business interruption or network failure policies - these could cover (1) lost revenue arising from DoS and virus attacks; and (2) IT specialist costs responding to an incident and post-incident monitoring for a specific period.
The types of policies and the nature of their cover will continue to evolve in response to emerging cyber risks and as new types of technology develop.
It is estimated that in 2011 more than 1.8 zettabytes (1 billion terabytes) of data was created globally. Given the rate at which we create and accumulate data, it is unsurprising that companies are increasingly looking to outsource data storage and to use third-party cloud computing providers.
Cloud computing is the on-demand delivery over the internet of computer resources from software to data centres. The cloud is a metaphor for the internet. Instead of using a server that is located in an office, cloud computing allows data to be kept "in the cloud". Clouds can be public (selling services to anyone on the internet), private (a data centre that supplies hosted services to a limited number of people) or a hybrid (private for customer sensitive data and public insofar as the data has public-facing components).
The cloud industry is an immature but rapidly growing market. At present, many cloud provider service agreements offer little in the form of performance assurances; several have exclusions of liability for data breaches; and a large number also retain the right to suspend their services at any time. Companies that decide to adopt a cloud strategy are at risk if their provider goes down temporarily (as occurred when a lightning strike recently took out part of Amazon’s cloud computing service) or is affected by a cyber attack.
Cloud insurance cover is currently in an embryonic stage. There are a few policies that are being developed specifically for the cloud environment, offering cover for lost revenue and expense resulting from the failure of the insured’s cloud service provider. Further new products will undoubtedly be introduced over time. It will be interesting to see if an insured is covered for liabilities arising if its cloud provider is hacked into or whether an insured will be covered for data breaches that occur at "cloud level".
As the market matures, it is also expected that the cloud providers' standard terms will change and they will be at risk of liability for their services. That in turn is likely to create a market for cloud provider insurance.
Read other items in The Key - Autumn 2012