Knowledge is power...

Understanding cyber loss and liability

Which of these news stories attracted your attention:

  • 6.5 million LinkedIn passwords stolen by hackers?
  • Millions of people suffering the knock-on effects of a software upgrade that froze RBS/NatWest systems, stopping payments in and out of personal and business accounts?
  • For the second time in a year RBS customers  were unable to access their accounts - for a different reason from the first time
  • 77 million PlayStation network and Qriocity user names, email addresses, phone numbers and – reportedly – credit card details being maliciously breached from the Sony Corporation?
  • TJX Companies discovering its unsecured wireless network had been hacked by someone with a laptop and antenna to gain over 45.5 million credit and debit card numbers and the personal data of 451,000 shoppers who had returned goods?

None of these? What will cause a business to take notice of  a 'catastrophe waiting to happen'?
Usually, nothing.
What is the catastrophe waiting to happen? It is…

The unintended consequences of the business world's total reliance upon computer technology to underpin almost every aspect of process and management. The fact that this is apparently not being foreseen by companies is a curiosity much talked about in some legal and insurance industry circles.

Data, especially personal data, is becoming a 'currency' of its own. The criminal world is flourishing thanks to the relative ease with which it can mine high volumes of information either accessed from or held within cyberspace.

Should the breakdown, last year, of the RBS/Natwest consumer banking system as a result of an alleged  'glitch in the upgrade process' send shivers down the spine of senior management?  In any IT-dependent business an equivalent catastrophe could happen, but who will openly admit it?

That is the golden question. There are some things in business environments that are too difficult or embarrassing to confront; the advancing risks associated with computer dependency are undoubtedly one of them.

Policies rarely cover big losses and liabilities
What is not appreciated by so many businesses is that they are probably not insured for the full consequences of loss or damage caused by IT and so-called cyber risks.

Cyber risks - defined as those associated with computers, internet, data protection and everything that relies upon connectivity and storage of data – are a growing concern among the leading, risk-aware businesses.

The several policies available on the market each have their own distinguishing features but there is no industry-standard template for the cover and the insurances are more restricted in cover than may be apparent from the description on the tin. The fact that some enterprising insurers are willing to take some of the risk is a welcome testimony to the industry's recognition of the problem and indeed acknowledges the business opportunity for the insurers. The fact remains, however, that the advance of technology and the risks associated with it is outpacing the ability of insurers to meet all of the risks all of the time.

So, businesses beware. Do not rely upon extensions of cover to other commercial risk insurance policies to cover all the real risks faced in the current cyber environment. These policies were never designed to accept such risk and while the extension of cover may be inexpensive and easy to obtain there is no guarantee that a claims examiner will conclude that the loss claimed fits the cover intended by the extension.

This could mean that the business suffering the loss, damage or legal liability will have to pay the consequences of it entirely unaided by both insurance monies. Additionally, the business would miss out on the legal expertise that  specialist cyber insurers can bring to the party under their guidance and at their expense.

There is no better time to start to become acquainted with what the insurance industry can offer businesses in the form of computer-related insurance protections.

So what are the things that a business should worry about?

Cyber-risks include:

  • liability for loss of data and it consequences by accident
  • liability for loss of data and it consequences by deliberate, wilful, dishonest, negligent and fraudulent means.
  • accidental damage caused by computer-driven property/equipment
  • loss or damage caused by failures or malfunctions of computers
  • loss, damage and liability caused by algorithmic errors or  malfunctions
  • loss of reputation, opportunity and/or intellectual property

Some of the more common sources of loss, damage and liability arise from:

  • the storage of data on mobile devices
  • losing unencrypted USB stick
  • accidentally emailing private information to the wrong email address
  • breach of strict security standards in retailers’ merchant agreements for credit card and banking operations
  • unindemnified contractual losses of data in cloud computing contracts
  • loss of data held by third party subcontractors on behalf of a Principal for which the Principal is responsible to its customer
  • rumours, (defamation; libel and slander) especially in networking and social media sites and in marketing and PR operations

Every business should consult its insurance adviser about the mounting cost of cyber losses and liabilities.

Cyber risk check list

Here’s how you can assess whether you require cyber liability cover:

Do you process or store any form of credit card data?
If yes, then you may be exposed to the risk of privacy breaches and the consequent PCI fines, card reissuance costs, and liability for fraud carried out on the compromised cards.

Do you own or operate any offices in the United States of America?
If yes, then you may be exposed to privacy breach notification requirements which apply to companies operating in over 45 states across the US. A failure to provide timely notification can give rise to significant regulatory fines as well as exposing the business to expensive class action law suits.

Do you store or process commercially sensitive third party data?
If yes, then you are likely to have serious contractual liability in the event that the security of the third party data is breached as well as risks of reputational harm.

Do you operate an interactive or transactional website?
If yes, then you will be subject to a wide range of statutory duties both domestically and internationally. Breaches of these duties can often give rise to civil liability as well as regulatory penalties.

Do you use a cloud service provider to store sensitive information?
If yes, then you could be held liable for information lost due to a breach to the provider’s systems, even though your own systems were not breached. 

Do you provide discussion forums, product reviews, or user generated content on your website?
If yes, then you are exposed to a serious risk of defamation or intellectual property rights infringement

Do you store business critical information on your servers?
If yes, then you are exposed to data loss and business interruption risks that are unlikely to be covered by a standard commercial property policy.