Cyber Risks: Is Your Company Protected?
The EU's intention to harmonize data protection laws will have significant impact on companies across the continent.
By Dawn Simmons, Senior Underwriter Professional Lines
Technology is great. It has improved production capabilities, shortened production timelines and allows us to conduct business anywhere in the world at any time.It is the increasing interaction and growing dependence on technology however, that leave us and our businesses vulnerable to a variety of emerging risks commonly referred to as “cyber risks”.
WHAT ARE CYBER RISKS?
Cyber risk is an industry buzz term used to broadly define the risks associated with information systems themselves and the data/“information assets” they process, transfer or store. Common cyber risks include unauthorized access or use of information systems, denial of services attacks, cyber espionage, spread of virus or malicious code (malware), destruction of information assets, and data breaches. Cyber risk can either be malicious in nature (performed by a hacker) or simply be caused by human error. Either way, these risks can lead to significant consequences to an organization’s bottom line.
The most commonly known and widespread of cyber risks are data breaches. Our reliance on information systems for almost every aspect of our society has created intangible assets (electronically stored data/information), which are today considered critical assets to most organizations.
There are many forms of information assets. To organizations, information assets can be anything from client lists to mission-critical systems that are fundamental to the achievement of an organizations mission and objectives. To us as individuals, information assets, known as “personally identifiable information” (PII), are unique to an individual’s identity and can include your name, address, and more sensitive information such as your bank and credit card information or medical records. Loss, destruction, or theft of these valuable intangible assets could have devastating impact on organizations and individuals a like.
Despite companies legal and civil obligation to secure 3rd party intangible assets, an increasing number of data breaches, which result in the loss or theft of intangible assets, are being reported all around the world. Many of these cases are the direct result of the increase in cyber crime. In the UK alone, the Information Commission has reported a 30% increase in cyber crime over the last year. Perpetrators of cyber crimes may be anyone from employees to third party hackers who are not limited by geography.
These data breaches pose a threat to financial, customer, employee and other information assets. More importantly, they can have serious implications to a company’s bottom line, both as direct and indirect consequences of the event.
A COSTLY LESSON
According to studies conducted by the Ponemon Instititute on the Cost of Data Breach, in 2009 the average cost incurred by a company as a result of a data breach in France was USD 2.53 million (approximately EUR 1.98 million) and USD 2.57 million ( approximately GBP 1.65 million) in the UK. In Germany the costs soared over USD 3.44 million (approximately EUR 2.69 million) per breach and USD 177 (approximately EUR138) for each compromised record. The study finds these figures low relative to data breach costs in the United States, which averaged more than USD 6.75 million (approximately EUR 5.3 million) per breach and USD 204 (approximately EUR159) per compromised record.
The high cost of a data breach in the U.S. is attributed to the more stringent data breach notification laws there, including the requirement to publicly disclose a data breach.
A well publicized example occurred in 2008 at Heartland Payment Systems, the fifth-biggest payments processor in the U.S. Considered the largest-ever criminal breach of credit card data, security experts estimate that approximately 130 million credit and debit cards issued by more than 650 financial services companies may have been compromised. It has been reported that the company incurred USD 12.6 million in expenses related to the attack on its system, including litigation and fees.
Notifying of a data breach usually leads an organization to face direct and indirect costs related to it. Direct costs include the actual costs to notify customers and data protection authorities as well as technical remediation of the problems/lax security that caused the data breach in the first place. It is the indirect costs however, that may be higher and difficult to quantify. These can include regulatory fines and penalties, customer turnover, or reputational harm to the organization resulting in a drop in an organization’s share price. According to the Ponemon Institute Report, loss of customers accounted for approximately 44% of post-data breach loss.
Industry experts expect that data breach notification costs will continue to grow in future years, due to the anticipated increase in data protection and/or privacy litigation not only in the United States but in Europe as well. We could see cases similar to that described above if the European Commission follows the U.S. lead with regard to data protection laws.
EUROPEAN COMMISSION TOUGHENS STANCE ON DATA PROTECTION
The European Commission is pressing for more unified data protection laws within the European Union Member States. The hope is to ease data flow amongst member states; build consumer trust and confidence by strengthening individuals’ rights for improved security and better data control; and to ensure better compliance with data protection laws.
All of this could have a significant impact on companies across the continent. The Commission for Justice Fundamental Rights and Citizenship Commissioner, Viviane Reding, has warned that businesses and public authorities need to “take their data protection responsibilities more seriously.”
This latest initiative by the European Commission is a final wake-up call for European businesses to ensure they fully understand and manage their cyber risks. So, what does this mean for businesses operating in the EU?
Unlike the United States, there are currently no data breach notification laws within the EU. But change is coming. The EU Commission has imposed legislation for telecommunications companies which require them to notify customers of data breaches once the law goes into effect in May 2011.
Germany, the first member country to take the European Commission’s new legislation a step further, is making amendments to the German Federal Data Protection Act which are similar in scope to the data breach notification laws of the United States. Under these amendments “Data Controllers” are required to notify customers (called “Data Subjects”) and Data Protection Authorities of data breaches if such breaches “threaten significant harm”.
Following Germany, Austria amended its Data Protection Act in early 2010 to include its own data breach “notification duty” legislation. It seems quite likely that other EU member states will adapt similar regulations that reflect the Commission’s proposed ‘Digital Agenda’. Similar legislation to the U.S., apart from just notifying the “data subject”, could include requiring companies to offer a call center to handle calls from data subjects following a data breach notification, to pay for credit monitoring services and to cover any costs generated by costly litigation brought on behalf of the “victims” data subjects.
The increased power of Data Protection Authorities has other ramifications for companies who break, or are found not in compliance with, data protection laws. This includes heftier fines levied and orders to remediate compliance, technical or organizational failures associated with personally identifiable data for which they control. In some more severe cases of non-compliance, they have imposed sanctions on a company from collecting, processing or using personal data, which can have a direct affect to a company’s bottom line.
PROTECT YOUR COMPANY FROM CYBER RISKS
In general, risk management is not about being reactive, but proactive. Companies are well advised to recognize that they have a tremendous risk to identity and security breaches. Hence they should closely examine their risk management strategies to reduce their exposure. In addition to well known practices such as training employees about corporate data responsibility and ensuring that mobile devices are encrypted, companies should pay careful attention to the Amendments and likely future legislation in the EU to ensure they remain compliant. At the moment companies should at a minimum:
• Establish standard policies and operating procedures for data breach
investigations, remediation, and notifications related to personal data;
• Assess and restructure the use or transfer of data lists and other
personal data; and
• Review and consider renegotiating service, employment, and other
data-related contracts.
It is also important for companies – especially smaller and medium sized companies – to realize that their general liability, property or E&O policies most likely do not provide cover for cyber liabilities.
CYBER LIABILITY INSURANCE
While cyber liability insurance has been around in some form or another for the last decade, insurers have carefully expanded insurance protection to offer coverage that responds to the increasingly complex challenges that businesses face in protecting themselves from a variety of tech-related liabilities. These can include coverage such as:
• Network Security Liability: Protects companies from losses associated with
unauthorized access to or theft of customer, employee or other proprietary data
or e-business activities, computer viruses, denial of service attacks, as well as
alleged unauthorized e-commerce transactions.
• Privacy Liability: Provides protection if an insured fails to protect electronic or
non-electronic information in their care, custody and control.
• Media Content Services Liability: Thanks to the Internet and social networking
sites, like Facebook, LinkedIn and Twitter, all businesses are media companies too
and therefore need to be concerned with media liability. While blogging and other
forms of business-related social media may seem harmless, businesses are liable
for the content they generate and post on their websites. They have to be wary of
misusing a competitor’s copyrights and trademarks or disclosing confidential
information. Many businesses have adopted clear media policies or social computing
guidelines, especially since employers are generally responsible for independent
actions taken by employees if these actions are deemed to be within the scope of
employment. This insurance covers the Insured for Intellectual Property and Personal
Injury perils that result from an error or omission in content. It is important to note that
coverage for Patent and Trade Secrets is generally not provided.
• Extortion Threat: Payments made to a party threatening to attack an Insured’s
computer system in order to avert such a cyber attack. Disgruntled employees,
customers or vendors can cause significant harm. For instance,
a laid-off IT administrator was recently arrested and faces up to five years in prison
after he tried to extort money from his former employer, a mutual fund company, by
threatening to crash the company’s servers. Demanding a better severance package,
he threatened to use his connections with hackers in Eastern Europe to wreak havoc
on their customers’ private information.
Other risks that can be insured with cyber liability protection include Business Interruption, Credit Monitoring, and Crisis Management to name a few. The type of business and the breadth of information stored in a company’s computer system will help determine its cyber liability protection needs. It is important for a company to assess its risk and choose an insurance solution that addresses its unique exposures.
In the end one thing is clear, data breaches resulting from malicious attacks, third party mistakes and lost or stolen laptop and mobile devices are on the rise and can become a costly experience for any company. Taking the right risk management measures can save your company money and its reputation.