Cyber Risks

Is your company protected?

Cyber risk is an industry buzz term used to broadly define the risks associated with information systems themselves and the data/"information assets" they process, transfer or store.

Common cyber risks include unauthorized access or use of information systems, denial of services attacks, cyber espionage, spread of virus or malicious code (malware), destruction of information assets, and data breaches. Cyber risk can either be malicious in nature (performed by a hacker) or simply be caused by human error. Either way, these risks can lead to significant consequences to an organization’s bottom line.

The most commonly known and widespread of cyber risks are data breaches. Our reliance on information systems for almost every aspect of our society has created intangible assets (electronically stored data/information), which are today considered critical to most organizations. Information assets can be anything from client lists to mission-critical systems that are fundamental to the achievement of an organization's mission and objectives.

To us as individuals, information assets known as "personally identifiable information" (PII) are unique to an individual's identity and can include your name, address, and more sensitive information such as your bank and credit card information or medical records. Loss, destruction, or theft of these valuable intangible assets could have a devastating impact on organizations and individuals alike.

Despite companies' legal and civil obligation to secure third-party intangible assets, an increasing number of data breaches, which result in the loss or theft of intangible assets, are being reported all around the world. Many of these cases are the direct result of the increase in cyber crime. In the UK alone, the Information Commission has reported a 30% increase in cyber crime over the last year. Perpetrators of cyber crimes may be anyone from employees to third-party hackers, who are not limited by geography.

A costly lesson
According to studies conducted by the Ponemon Institute on the Cost of Data Breach, in 2009 the average cost incurred by a company as a result of a data breach in France was nearly EUR 2 million and approximately GBP 1.65 million in the UK. The study finds these figures low relative to data breach costs in the United States, which averaged around EUR 5.3 million per breach and approximately EUR 159 per compromised record.

The high cost of a data breach in the U.S. is attributed to the more stringent data breach notification laws there, including the requirement to publicly disclose a data breach. A well publicized example occurred in 2008 at Heartland Payment Systems, the fifth-biggest payments processor in the U.S.

Considered the largest-ever criminal breach of credit card data, security experts estimate that approximately 130 million credit and debit cards issued by more than 650 financial services companies may have been compromised. It has been reported that the company incurred USD 12.6 million in expenses related to the attack on its system, including litigation and fees.

Notifying of a data breach usually leads an organization to face direct and indirect costs related to it. Direct costs include the actual costs to notify customers and data protection authorities, as well as technical remediation of the problems/lax security that caused the data breach in the first place. It is the indirect costs, however, that may be higher and difficult to quantify.

These can include regulatory fines and penalties, customer turnover, or reputational harm to the organization resulting in a drop in an organization's share price. Industry experts expect that data breach notification costs will continue to grow, due to the anticipated increase in data protection and/or privacy litigation not only in the United States but in Europe as well.

European Commission toughens stance on data protection

The European Commission is pressing for more unified data protection laws within the European Union Member States. The Commissioner for Justice, Fundamental Rights and Citizenship, Viviane Reding, has warned that businesses and public authorities need to "take their data protection responsibilities more seriously." So, what does this mean for businesses operating in the EU? Unlike the United States, there are currently no data breach notification laws within the EU.

However, the EU Commission has imposed legislation for telecommunications companies which requires them to notify customers of data breaches once the law goes into effect in May 2011. Germany, for instance, has already made amendments to its laws requiring companies to notify customers and Data Protection Authorities of data breaches if such breaches "threaten significant harm". Other ramifications include heftier fines and orders to remediate compliance, technical or organizational failures associated with the personally identifiable data which they control. In some more severe cases of non-compliance, authorities have imposed sanctions barring a company from collecting, processing or using personal data.

Protect your company from Cyber Risks
Risk management is not about being reactive, but proactive. Beyond well known practices such as training employees about corporate data responsibility and ensuring that mobile devices are encrypted, the minimum standard should be:

• Establish standard policies and operating procedures for data breach investigations, remediation, and notifications related to personal data;
• Assess and restructure the use or transfer of data lists and other personal data; and
• Review and consider renegotiating service, employment, and other data-related contracts.

It is also important for companies – especially smaller and medium sized companies – to realize that their general liability, property or E&O policies most likely do not provide cover for cyber liabilities.

Cyber Liability Insurance
Insurers have expanded Cyber Liability insurance protection in response to the increasingly complex challenges posed by a variety of tech-related liabilities. Coverage examples include:

Network security liability
Protects companies from losses associated with unauthorized access to or theft of customer, employee or other proprietary data or e-business activities, computer viruses, denial of service attacks, as well as alleged unauthorized e-commerce transactions.

Privacy liability
Provides protection if an insured fails to protect electronic or non-electronic information in their care, custody and control.

Media content services liability 
Blogging or other forms of business-related social media may seem harmless, but businesses are liable for the content they generate and post on their websites. They also have to be wary of misusing a competitor's copyrights and trademarks or disclosing confidential information. This insurance covers Intellectual Property and Personal Injury perils that result from an error or omission in content.

Extortion threat 
Covers payments made to a party threatening to attack an Insured's computer system in order to avert such a cyber attack. Disgruntled employees, customers or vendors can cause significant harm.

The type of business and the breadth of information stored in a company's computer system will help determine its cyber liability protection needs. It is important for a company to assess its risk and choose an insurance solution that addresses its unique exposures.

In the end, one thing is clear: data breaches resulting from malicious attacks, third-party mistakes and lost or stolen laptops and mobile devices are on the rise and can become a costly experience for any company. Taking the right risk management measures can save your company money and its reputation.

By Dawn Simmons Senior Underwriter Professional Lines XL Insurance
