Flynn O’Driscoll Legal Update
Cybersecurity Insurance: Transferring the Risk
Introduction
Cybersecurity is rapidly becoming one of the fastest growing items of IT expenditure for businesses. The need to develop effective responses to a dynamic and ever-evolving threat landscape requires an extreme level of diligence. However as with many business risks, one option (apart from mitigation) is to transfer those risks outside of the business through the purchase of insurance products.
Cybersecurity insurance products are developing rapidly to serve this market. However, the scale of the potential market makes it difficult for buyers when considering their options. The variety of cybersecurity risks is broad and requires individual determination of risk based on different (and in this case, usually limited) actuarial data.
As such, a variety of insurance products have come to market. In many instances these are often endorsements on existing policies. However, individual standalone products are now being made available by several insurance providers. These often focus on data protection breach coverage.
Initially, this could be identified in the US market where a complex framework of State laws has developed in relation to data breaches (often for healthcare data). Mandatory EU-wide legislation in relation to data breaches was initially limited to the telecommunication sector. However, with the implementation of the General Data Protection Regulation (the GDPR) in May 2018, it is expected that the cybersecurity market for data breach insurance is likely to expand considerably in the EU.
The cybersecurity insurance industry
Due to the very nature of the cybersecurity industry, little historical data is available as to the frequency and severity of losses caused by cybersecurity incidents. The fact that many such incidents go unreported does not help matters, nor does the reluctance of commercial entities, be they SMEs or large corporate multinationals, to admit to being the victim of such an attack. The embarrassment factor and reputational protection tend to dictate any disclosure. As such, the amount of data available for carrying out any significant actuarial analysis is limited. In any event, the fast-paced nature of the cybersecurity risk landscape tends to make any such analysis outdated quickly.
Furthermore, much of the actuarial analysis to date has focused on data protection breaches, though cybersecurity risk can vary significantly. A risk premium developed from a predictive model based on data breaches will not be of much use where alternative risks may be much greater to a particular business (for example, a cloud services provider being subjected to a Distributed Denial of Service (DDoS) attack).
One of the primary issues facing the cybersecurity industry is risk aggregation. In these circumstances, this refers to the concentrated nature of risk in (usually networked) technology industries. Whilst the distributed nature of the internet means that as a whole it is an extremely resilient system, it is still inherently a networked system. As such, whilst the remainder of the internet will not go down if only a part of the internet is brought down, the impact of a failure of one part of the system can have numerous downstream consequences. This cascading nature of events could lead to claims across numerous policies, businesses and industries, all based on one single incident.
One example would be where a cloud services vendor was attacked or otherwise brought offline. All users of the vendor would be impacted, with their own systems being brought offline. The result could be that one DDoS attack on a cloud service vendor leads to a large number of claimants claiming on their cybersecurity insurance policies.
This “systematic” risk introduces the potential to cause large scale risk aggregation. In a new and fast paced market such as cybersecurity insurance, this poses a major issue, not just to insurers who need to price this risk, but to buyers, who will inevitably see a degree of divergence in the market when shopping around. Furthermore, to date many cybersecurity insurance products are offered as endorsements to existing policies, and therefore the risk exists that insurers may have already (to an extent unknowingly) opened themselves up to a significant accumulation of risk.
Three main types of policy to the Business
Currently, cybersecurity insurance products can be categorised into three broad types:
Standalone policies
These products are separate policies offered by insurers that cover a range of different risks. The market has not yet converged on a single standardised policy and therefore the policies offered by competing insurers can vary greatly depending on the specific insurer’s underwriting risk appetite for this particular insurance market.
Endorsements on existing policies
These are cybersecurity endorsements on existing traditional insurance policies, such as commercial general liability. The wording tends to focus on data protection breaches, but more specific endorsements can extend to network attacks or any other malicious attacks on a business’ technology environment. In many instances, these are targeted at smaller businesses; however, there is a fear that such endorsements provide a false sense of security if they are not sufficiently tailored to the specific business’ needs.
Silent cybersecurity policy cover
Many traditional insurance policies (such as commercial general liability) already cover some of the risks that may also be associated with cybersecurity breaches. For instance, protection for certain events (such as fire) or other “All Risk” policies may offer protection against some of the ultimate ramifications of a cybersecurity breach. However, it is not uncommon for such policies to include broad exclusionary clauses that may capture many cybersecurity breaches.
Sample broad exclusions, such as those relating to “electronic data loss”, can often render such policies relatively useless in the case of many different cybersecurity breaches. More recently there have also been moves to include further specific exclusionary wording, which has further led to the need to seek tailored cybersecurity coverage.
Statutory policies of insurance provided to many professionals such as law firms and accountancy practices will have an element of this type of cover contained in their policy of professional indemnity insurance: a classic scenario being where the client account is attacked by some elaborate cyber-attack. This can range from a basic “confidence trickster” type scam to an engineered system interception - a social engineering fraud.
Moral hazard risk
As with the insurance industry more generally, moral hazard can be an issue in relation to cybersecurity insurance products; if a buyer decides to rely on insurance to the detriment of effective cybersecurity, the risk of loss can quickly increase. As such, the insurance industry has taken steps to address this. Cybersecurity policies often include additional extras such as security audits (which are often not merely used as means of premium determination). Data protection breach consultancy and related risk management services are often provided by the industry in order to create awareness of the risks and assist policyholders in mitigating against such risks.
These additional extras also tend to filter into the solutions provided by the insurer when a claim is made. An insurer may offer a total response solution or may only cover financial liabilities. In the case of smaller businesses, with lesser access to cybersecurity expertise, a total response solution from the insurer can provide access to resources and experience to which they would otherwise not have access. This can also have the effect of limiting the insurer’s maximum liability under the policy.
In addition, and to avoid the potential for such a moral hazard, insurers are inserting conditions precedent to cover as part of their insurance offerings. Such clauses usually deal with maintenance, upgrading and auditing of computer systems, as well as adopting high-specification security programmes or upgrading an already existing system.
Advantages of cybersecurity insurance
There are a number of factors relating to the particular risks in the cybersecurity field that render relevant insurance a useful addition to the risk management strategy of many businesses. The chief issues are outlined below.
The range of threats
One of the defining characteristics of cybersecurity is volatility; unlike many external threats that a business can face, the risks associated with cybersecurity can vary significantly and rapidly. One of the most obvious risks is that of a breach of personal data.
However even such incidents can have a range of ramifications that can cause costs for the business. For instance, a single breach of personal data can lead to:
• dealing with data subjects and mitigating the damage to each data subject;
• the potential for credit card fraud where the breach includes financial data;
• interacting with police, data protection, and other regulatory authorities on investigations into the breach (and the possibility of financial penalties being imposed).
A data breach is only one type of cybersecurity incident. Combine this with the potential for DDoS attacks, breaches by malicious insiders, cyber corporate espionage and even the possibility of cyber-attacks from nation states, and the desire for some form of insurance to cover these risks becomes a necessity.
Monetising the risk
As with any other type of insurance, a monetary value is essentially placed on cybersecurity risks facing the business once a quote is provided. This can be particularly useful in focusing minds at senior management level. Whilst it may be difficult for the Board to appreciate the actual damage that a cybersecurity breach can do to a business, the Board can certainly evaluate the cost of insurance and allocate funds to IT department budgets where necessary in order to mitigate such risks.
Mitigating the risk
Just like any other cost to the business, there should be a desire to reduce the premiums charged by a cybersecurity insurance provider. As such, a business should use the cybersecurity insurance underwriting process as a method to identifying particular areas of risk and seek to reduce those risks accordingly.
It is ultimately for the benefit of both the insurer and customer if particular gaps in a business’ cybersecurity are identified and addressed.
Cybersecurity insurance can provide an effective incentive to seek out preventative measures and adopt best practices, which will ultimately mitigate against the risk of a cybersecurity breach.
Seeking cybersecurity insurance
Due to the relative novelty of the market, buyers are often unaware of what to look out for when seeking quotes. As the market is still highly specialised, buyers will need to be diligent in seeking the best products to suit their individual business needs.
Identify the risks
Before going to the market, businesses need to identify the cybersecurity risk landscape applicable to their business. Certain tools are available to assist businesses in identifying such risks. In 2014, the US National Institute of Standards and Technology published the Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework). Rather than a technical standard or set of security controls, the NIST Cybersecurity Framework provides a more holistic risk management tool that sets out a high level taxonomy of cybersecurity issues, allowing a business to identify the risk, and put in place adequate procedures to deal with them.
In the EU, the Directive on Security of Network and Information Systems 2016/1148 (the NIS Directive) was adopted in July 2016. It requires Member States to adopt a national strategy on the security of network and information systems and to designate at least one national authority to supervise the application of the NIS Directive. It is envisaged that the cybersecurity standards likely to be developed under the NIS Directive will be useful for businesses at all stages in identifying and responding to cybersecurity risks.
Furthermore, the European Network and Information Security Agency (ENISA), established by the European Parliament and the Council in 2004, was tasked with tracking information security risks, facilitating cooperation and information-sharing between public and private sector entities, and assisting Member States in their development of industry-specific cybersecurity strategies. ENISA already provides reports and recommendations that businesses can use to identify key cybersecurity risks.
Ensure all relevant risks are covered by the policy
It has been discussed above how the range of cybersecurity risks facing a business can vary significantly. When seeking cybersecurity insurance, it is imperative that the buyer identifies the most significant risks and ensures that these are covered. The buyer will usually be in a better position than the insurer to identify its key cybersecurity risks. Unfortunately, smaller businesses will often lack the sophistication to identify these risks; it is therefore important that expertise is sourced in such instances so as to ensure the correct transfer of risk under the most appropriate cybersecurity insurance product. For instance, a provider of social networking services will obviously need to ensure that its cybersecurity insurance comprehensively deals with data breaches.
Some of the main risks that a business should consider covering are set out in the table below.
Understand the policy; get the value
One of the best ways to reduce the risk of a cybersecurity breach is to undergo testing, such as system penetration testing. Companies can avail themselves of a range of tools from cybersecurity providers that will simulate an attempted system intrusion or a widespread DDoS attack. (See Compliance & Risk Vol 5 Issue 5, “Business crime and crisis simulation: Practice makes preparedness”)
Insurance policy: Risk covered
Data protection/privacy breach: Breach of personal data and consequential notification and breach response procedures
Data (non-personal)/software loss: Loss of valuable business data and access to business-critical applications, as well as the costs associated with data recovery (if possible)
Network/business interruption: Loss to third parties associated with loss of IT network functionality and/or business interruption to customers
Regulatory and defence coverage: Liabilities arising in response to governmental or other regulatory investigations and any consequential fines
Product liability: Liabilities to third parties for lack of access to any technology products of the business
Directors and Officers liability: Liabilities arising from claims against company officers in relation to specific cybersecurity breaches
Multi-media liability: Liabilities arising from intellectual property infringement or defamation arising from the business’ products
Reputational damage: Costs associated with damage to corporate reputation on publication of a cybersecurity breach
Financial theft and fraud/extortion: Financial losses associated with direct theft caused by a cybersecurity breach, or payments made in response to a ransomware demand
Incident response: Any costs associated with the investigation and resolution of any cybersecurity breach
Intellectual Property theft: Direct costs associated with theft of business IP through a cybersecurity breach, including loss of revenue
Review current insurance policies
Due to the potential extensive risk landscape, there is the possibility that many cybersecurity incidents may be covered under existing policies. For instance, is specific cybersecurity insurance or general crime-related insurance the best policy where there has been an external (and therefore almost certainly illegal) intrusion into a business computer system?
It is important that all related policies are reviewed to identify the most appropriate policy as it may not always be necessary for a particular risk to be covered off in a separate cybersecurity policy. If relying on an existing policy, that policy should be reviewed in order to identify whether it covers cybersecurity breach related costs, for example IT forensic investigation costs/ reputational risk etc.
Be wary in comparing products
Unfortunately, the cybersecurity market does lack a degree of product standardisation. As such, buyers will need to be cautious in trying to compare policies.
Comparisons on premiums alone are not possible due to the varying degrees of coverage being offered by cybersecurity insurance providers. This also leads to differing interpretations of policy language. It is therefore important that where wording lacks clarity, this is dealt with upfront, where possible.
Premium should be the last consideration when purchasing a cybersecurity policy of insurance. Cover for the perceived risks to the business should be procured first. Once a policy of insurance which can provide such cover has been identified, then and only then should premium be a consideration.
Read the forms carefully
Just as much as cybersecurity insurance policies vary, so too do the forms on which businesses must apply for such insurance. There can be a significant degree of variance in the application forms and questionnaires used by cybersecurity insurance providers.
Buyers should be careful when completing these forms. Stock answers may not be applicable across several vendors’ application forms, and care should be taken that each form is completed correctly. It should be noted that it is not uncommon for insurers to enter into detailed information exchanges with buyers (and/or carry out investigations with the assistance of third-party cybersecurity specialists) before providing a quote, so that the insurer can develop the best risk profile possible.
Additional benefits of the policies
It is not uncommon for certain cybersecurity insurance products to include a range of extras such as the provision of expert consultancy services in the event of a breach. From a practical perspective the immediate aftermath of a cybersecurity breach will usually require additional manpower rather than funds; insurance providers will often have extensive expertise in handling such incidents and can be an invaluable asset in guiding, particularly smaller, businesses through any cybersecurity incident.
Review notice provisions
Similar to any type of insurance policy, the insured should be aware of the notice provisions in the policy, so that it avoids any possible disputes with the insurer as to when notice should have been given. Unlike claims made under commercial general liability insurance, where the date of the incident is usually easy to ascertain (e.g. the date of the fire), in the case of a cybersecurity breach this can be much harder to identify.
In many recent personal data breaches, the disclosure of personal data has not become known (even by the affected organisation) for months or even years after the event. Currently policies can vary significantly on this point, therefore it is important to be aware of the following:
• Knowledge criteria
At what point does the organisation become fixed with knowledge of the cybersecurity breach? Does it require senior management to become aware of it or is more general language used?
• Time requirements
Once fixed with knowledge, usually the policy will require the insurer be notified as soon as possible thereafter. However, the maximum time periods should be carefully noted and procedures should be put in place to ensure compliance. Many policies will offer extended period coverage and this should be considered, particularly in the case of data protection breaches.
• Notification
In the case of data protection/privacy breaches, is there any obligation to report to the insurer, even when a claim is not made and there is no obligation to notify under applicable legislation? Even after the implementation of the GDPR in May 2018, there will be some circumstances where a business is not obliged to make a notification to the authorities or data subjects; does the insurance policy nonetheless require notification to the insurer?
Liability for incidents arising from third party service providers
Where a cybersecurity incident has been caused by a third-party service provider (e.g. a cloud service provider), the business should ensure that the policy will cover this scenario. Care should be taken to review any language dealing with business interruption coverage where the interruption is caused by a third party. Has the insurer included a waiting period before becoming involved? How long is such a period? It should also be noted that, in respect of such third-party service providers, it may be possible to be named on the cybersecurity policy of the third party. However, this can be difficult in practice, and it should not preclude the business from seeking its own cover, particularly for any business-critical applications.
Conclusion
Despite the rapid growth of the cybersecurity industry, it is essential for all parties to realise that it is still an industry in its infancy. Products are still often quite new. The extent of the coverage can often be limited by insurers wary of the possible risk that could accumulate on their books. Conversely, due to the rapid and evolving nature of cybersecurity threats, insurers may have already taken on substantial (and at this stage an unquantifiable amount of) risk.
Nevertheless, as businesses become increasingly reliant on technology throughout their operations, it is imperative that additional risks are identified and where possible minimised and transferred out of the organisation. It is imperative too for key decision makers within industry to be fully apprised of all perceived risks to their business. This can range from a direct attack on the network to a social engineering type scam to a “Fake President’s” cyber-attack.
A salutary lesson should be taken from the Austrian aerospace parts manufacturer FACC. It was the victim of a €42 million cyber fraud in 2016, which had a huge impact on its bottom line and led to the removal from office of both the CEO and the CFO of the company.
Cybersecurity insurance is no longer a niche product. As cybersecurity breaches continue to hit headlines worldwide, taking out a cybersecurity policy should be as obvious as taking out any other type of commercial general liability insurance. Businesses must, however, familiarise themselves with these unique products and start asking the relevant questions now, to ensure that the policies they source are effective in the unfortunate event of a claim needing to be made.