The alleged hacking of the UK 2011 Census database and cyber attacks on Sega, the CIA’s website, and the International Monetary Fund are the latest in a string of attacks on high-profile companies and agencies that have also included Sony’s PlayStation Network, US defense contractor Lockheed Martin and Citigroup. There is speculation, and indeed apprehension, that these types of attacks might be directed at power systems, electrical systems and other critical infrastructure in the foreseeable future.
While most of the incidents reported in the press appear to have a US origin, such incidents do have local implications. Of the 100 million accounts reportedly affected by the hacking of Sony’s PlayStation Network, 400,000 of them were Hong Kong accounts. The Privacy Commissioner for Personal Data in Hong Kong announced that he had commenced a compliance check to probe into the data breach. The Commissioner’s Office is also investigating whether Sony had taken all practicable steps to protect customer data against hacking.
Right now, Hong Kong does not have a mandatory data breach notification system, unlike some of the states in the US. This means that notifications are not required to be made to the Commissioner’s Office or to affected individuals when a breach of security leads to an unauthorised disclosure of personal data. Current proposals to amend the Personal Data (Privacy) Ordinance do not include the introduction of a mandatory system. However, even without regulatory intervention, and despite the costs involved in doing so, some entities do choose to notify individuals who are affected by a data breach.
Notifications of data breaches, and the associated expenses, are but one of the many consequences that might be faced by an entity which has encountered a cyber security breach. A cyber attack can cost an entity many millions of dollars. The recent spate of high-profile security breaches would, therefore, seem to be a welcome marketing tool for insurers selling cyber insurance. The recent incidents certainly raise awareness about the role which cyber insurance can play in transferring risk and in increasing cyber security.
Cyber insurance can provide coverage not only for the costs of breach notifications, but also for business interruption losses, the costs of engaging IT forensic experts, extortion losses, as well as credit monitoring expenses and the costs of hiring public relations consultants to deal with reputational damage.
Cyber insurance might also lead to improved cyber security by encouraging the adoption of best practices or preventative measures because insurers will generally require a certain level of security as a precondition of coverage. Premiums may vary depending on the level of security implemented by the insured. Some think that cyber insurance may prove to be an effective, market-driven way of increasing cyber security.
The recent attacks help make a compelling case for purchasing cyber insurance. However, they should also serve as a stark reminder to insurers of the considerable risk they take on in insuring such risks.