Cyber liability insurance
Safeguarding financial interests against modern threats
Two world-wide cyberattacks and a comprehensive EU-wide data protection regulation have led companies to extensively revise their data handling methods. However, if businesses solely focus on preventing data breaches, they disregard the fact that occasionally, breaches will happen. The Ponemon Institute’s 2017 Global Data Breach Study assessed the average total cost of a data breach to be $3.62 million. This is why cyber liability insurance has become more prominent.
With the EU’s General Data Protection Regulation (GDPR) coming into force in May 2018, companies of all sizes have had to make considerable changes to how they manage and store data. Businesses must now notify their respective supervisory authorities within 72 hours of becoming aware of a breach or suspected cyber attack if they want to avoid severe financial consequences for their company.
The penalties for violating GDPR rules are hefty and are separated into two tiers – a maximum of €10 million or 2 percent of annual global turnover of the previous year, whichever is higher, for breaches of controller or processor obligations, and a maximum of €20 million or 4 percent of annual turnover of the previous year, whichever is higher, for breaches of data subjects’ rights and freedoms. The fines are imposed on a case-by-case basis, also taking into account the behaviour of the company.
Prominent recent data breaches
Regardless of the Regulation, data breaches have become commonplace over the last decade. Currently, the two largest known breaches concern Google’s Google+ breach and the hack on Facebook.
For the former, a breach was discovered in March 2018, i.e. before GDPR came into force, with Google not disclosing the violation out of fear of regulatory scrutiny and public opinion. For the latter, a total of 30 million users, of which three million were Europeans, were affected by the hack, with 14 million users having extensive information stolen.
Cyberattacks targeting companies
Data breaches that trigger GDPR obligations are not the only type of modern incident that companies should prepare for. Take NotPetya – a virus that in June 2017 mainly targeted Ukrainian businesses but quickly spread to all parts of the globe. It caused in excess of $10 billion in total damages, according to former Homeland Security adviser Tom Bossert, then the most senior cybersecurity official in the Trump White House.
The shipping conglomerate Maersk suffered losses of between $250 million and $300 million, pharmaceutical giant Merck & Company lost $870 million, TNT Express lost $400 million, and Mondelez suffered $188 million in damages.
The virus, disguised as ransomware, indiscriminately destroyed all data it came into contact with. A month earlier, a ransomware named WannaCry, demanding at least $300 in Bitcoin for each infected computer, affected operations of all types, from the National Health Service in the United Kingdom to companies such as Renault in France or Telefónica in Spain. Failure to pay would lead to the companies’ data being destroyed.
In addition, phishing methods, whereby cyber criminals attempt to obtain sensitive information by disguising themselves as trustworthy entities, are becoming more sophisticated. In 2018, the so-called Account Takeover Attacks (ATO), where hackers take over user accounts for nefarious purposes, have flourished. A recent Barracuda study showed that from a sample of 60 incidents analysed, 22 percent of the individuals concerned worked in sensitive departments, such as human resources, IT, finance, and legal.
An extension of ATO is the business email compromise (BEC), where the end goal is to defraud the company.
Companies affected irrespective of their size
Just as banks must take appropriate measures to prevent robberies, companies in the digital era are required to improve their data protection measures against such attacks. Nevertheless, given the complexity of systems architectures, coupled with the human predisposition to underestimate non-physical threats, software bugs will be found and they will be exploited.
This means that companies must not only be prepared for an imminent attack. They must also have a plan ready for the aftermath of a security breach. This is where cyber liability insurance comes into play.
Cyber insurance policies are not a recent development, though they have so far been more widespread in the United States. Such insurance is still limited due to the lack of available data on cybercrime incidents and the scarce attention paid to cyber security.
Though multinational corporations have definitely started to take cyber attacks more seriously due to the developments over the last few years, smaller businesses tend to assume that they are outside the attackers’ scope. However, Symantec’s Internet Security Threat Report Volume 23, published in March 2018, found that both large and small businesses are equally affected by email-borne malware and viruses. This makes cyber insurance an option to consider for companies of all sizes.
A rising interest
A number of insurance providers have reported increasing interest in Europe regarding cyber insurance. This has been largely due to the GDPR and the WannaCry and NotPetya attacks.
The financial losses a company can potentially face are too significant not to be prepared for. Most companies nowadays cannot operate properly without their digital assets, making cyber insurance an enticing option.
Nevertheless, cyber insurance is an umbrella term, and coverage is determined by the insurance policy that businesses purchase. Common reimbursable expenses are forensics investigations, business losses, notification obligations, lawsuits, and extortion. In Europe, GDPR fines are not insurable in most countries, with Finland and Norway currently being the only two countries where insurance for such fines can be obtained.
It is safe to assume that the cyber insurance market will grow in Europe and become more defined in the upcoming years.
Given that both the GDPR and ransomware attacks have generated extensive news coverage, the threat looming from either non-compliance in the handling of consumer data or a penetration of the company’s security systems is becoming better understood by the general population. As property insurance has been the tried and tested method for safeguarding physical financial interests, it is not surprising that a similar concept is now being used to protect digital assets.
Comment or question? Don’t hesitate to contact: feedback@inhouse-legal.eu