The importance of managing cyber risk for e-commerce
Given the number and scale of data breaches and cyber security incidents affecting e-commerce companies, reacting and preparing for cyber risk is now highly important for e-commerce businesses of any size. In this article, Hans Allnutt, Partner at DAC Beachcroft, and Simon Saunders, Head of Consultancy at IT security service Portcullis Security Limited, consider how we define cyber risk and what such risks might look like, as well as the role tailored cyber insurance policies can play in mitigating these risks.
Following many cyber events and data breaches that were publicised worldwide, 2014 was referred to as the ‘Year of the Breach.’ It naturally follows that 2015 has seen continued increasing interest from companies seeking to increase their resistance to cyber threats as well as to reduce their resulting legal exposure.
An organisation’s resistance to cyber threats derives not only from measures taken to resist attacks but also from the steps taken following an incident to mitigate the financial exposure to itself and parties affected by any lost data. Cyber risk insurance has often been labelled as an ‘after-the-event’ measure and, worryingly, the availability of insurance has received misguided criticism that it would encourage companies to ignore preventative measures. Such a view is akin to the belief that a homeowner would leave doors and windows open because he or she has the benefit of an insurance policy.
The more appropriate view recognises the important role that insurance and insurers can play in reducing cyber risk.[1] This article considers a definition of cyber risk, how e-commerce companies might identify and assess that risk, and the role of insurance in preventing and mitigating those risks.
Defining cyber risk
Before grappling with what measures might be taken to reduce cyber risk, it is necessary to define ‘cyber risk’ in order to separate this form of risk from existing organisational risks.
In some ways the term ‘cyber’ has been helpful in raising awareness of technology-linked risks but at the same time this amorphous term can be confusing when it comes to identifying what the related risks are. If national governments and global financial institutions have yet to agree the scope of cyber risk (there is no comprehensive framework for the risk assessment of cyber catastrophes[2]) then there should be a healthy dose of sympathy for the typical e-commerce company trying to do the same.
Some helpful direction might be drawn from the approaches taken within the insurance industry where it is necessary to define an incident or event and the resultant losses in a policy’s contractual terms.
Genuine innovation has taken place from a number of insurers to define cyber risk and develop insurance policies that respond to the emerging risks. However, the understanding of these innovations has been clouded by the unavoidable fact that certain exposures arising out of cyber risk events may be covered by existing long-standing insurances. Companies have therefore questioned the need for an additional insurance purchase. The confusion is not lost on regulators, with the Financial Conduct Authority recently warning that it is ‘vital that there is absolute clarity about what such [cyber risk] policies do and do not cover, and under what circumstances it will be possible to claim.’[3]
Against this backdrop, the insurance industry is taking steps to provide certainty over the cover provided, firstly for the benefit of its policyholders, and secondly, to classify cyber risk correctly in order to monitor industry trends and aggregate exposures to capital reserves (there is significant concern over systemic cyber risks that might give rise to multiple losses across the insurance industry). Last year, Lloyd’s suggested a separate classification of cyber risk arising out of a ‘malicious electronic attack.’ The narrowing of this classification of cyber risk is useful because it strips away more generic risks relating to general business continuity. Once cyber risk is defined, a company or insurer can then assess the types of loss that might flow from the cyber risk, for example:
• Increased business costs and reduction to income (i.e. loss of profit); and
• The legal, commercial and corporate obligations associated with a failure of data security.
As the understanding of cyber risk develops, so does the appreciation of the types of loss that can follow. Again, useful direction can be taken from the insurance industry’s innovation. For example, Lloyd’s has suggested a separate classification of ‘property damage’ cyber risk and some insurers are providing cover for ‘bodily injury.’ It is notable that the insurance industry is not alone in the perception of these potential consequences from cyber risk; the Serious Crime Bill, which received Royal Assent in March 2015, includes new offences under the Computer Misuse Act 1990 for causing ‘damage to the environment of any place’ and ‘loss to human life, human illness or injury.’[4]
Examples of cyber risk
The most obvious cyber risks faced by e-commerce companies are malicious electronic attacks and the increasing legal burden surrounding data security. In deciding how to mitigate such risks, a company might start by looking at certain case examples and applying them to their own organisation.
A few years ago, most of the cited examples of cyber attacks and data breaches were drawn from the US. However, there are an increasing number of publicised European malicious cyber attacks against e-commerce sites of all sizes. Recent examples include:
• Domino’s Pizza - hackers stole personal data from more than 600,000 of Domino’s French and Belgian customers, threatening to release the data unless a ransom of €30,000 was paid.[5]
• Office Holdings Limited - the Information Commissioner’s Office (‘ICO’) criticised this company on its technical security and data retention periods after a hacker broke into a legacy IT system.[6]
• Staysure Ltd - in 2015, the ICO fined Staysure £175,000 for storing unencrypted CVV numbers relating to 93,000 customers and failing to comply with PCI-DSS. Staysure endured an investigation of over one year, the CEO was publicly questioned on a consumer radio programme, and the company offered retail vouchers and identity theft monitoring services in compensation to affected customers.[7]
It is also important to consider the potential business disruption and trading interruption that can be caused through denial of service attacks or simply as a result of system downtime during the investigation of an attack.
Preventative measures against cyber risk
No company can eradicate cyber risk entirely, a fact consistent with the legal requirements of the Data Protection Act 1998 (‘DPA’). The DPA does not require absolute security, rather the seventh data protection principle demands that organisations take ‘appropriate’ technical and organisational measures to secure personal data. The ICO’s guidance recognises that there is no ‘one size fits all’ solution to information security. An e-commerce organisation that has taken one or more of the steps outlined below stands a much better chance of satisfying the regulator that it has discharged its principle seven obligations, and as such, would be less likely to be subjected to a fine or other sanction.
Whilst every company is different, most organisations should give serious consideration to the following factors when creating or implementing their preventative security strategy:
• Information security (which encompasses cyber security) is a business risk function. This means that the whole business should be engaged in setting requirements and expectations and ensuring these are being met. If cross-business engagement is not achieved, information security will not provide full value, either by failing to protect the business adequately or by wasting resources that could more usefully be deployed elsewhere.
• Focus on security first, compliance second. There is no doubt that compliance (such as with PCI-DSS) is important, however there is no point in focussing on compliance to the extent that security is neglected. Such an approach will lead to exactly what the compliance regime is trying to avoid: an incident. By doing information security well, compliance should naturally follow.
• Vulnerability management. The vast majority of cyber attacks are opportunistic, with attackers targeting an organisation once they have identified a vulnerability. Avoid being a target by removing vulnerabilities from systems before they go live, and maintain security by properly managing change and applying patches.
• Protect against the inevitable. Assume that hardware will be lost and be absolutely confident that any information is protected in that event. Laptops, BYOD devices, and transferable media should be subject to methods such as whole-disk encryption, secure containers, and remote wiping.
• Segregate networks and operate a least-privileges model. Many attacks revolve around what is made available to a user or system by default, whether the threat is an external compromise or a rogue employee. If users or systems can only access the information and functionality strictly pertinent to their role, this naturally provides additional barriers to any would-be attacker.
• Invest in monitoring, alerting and filtering. This means both people and technology. Ultimately if an organisation is not aware of attacks occurring, there is little opportunity to prevent them, stop them or to respond post-attack.
Mitigating cyber risk events
Regardless of the preventative methods taken, an e-commerce company should assume that it is a question of ‘when,’ not ‘if,’ it will suffer a cyber incident.
An e-commerce company’s response to mitigate the effects of a cyber risk incident is not only a business critical consideration but arguably a legal obligation. The ICO’s guidance encourages organisations to ‘be ready to respond to any breach of security swiftly and effectively.’[8] Despite sanctioning a monetary penalty against Staysure in 2015, the ICO commended the company’s remedial action (through forensic investigations) to identify and correct the breach, and the protection of affected customers through a dedicated response team and identity theft monitoring services.
The importance of a dedicated response team cannot be overstated because it is ultimately people, rather than systems, that recover from cyber incidents. Internal resource, availability and expertise may be limited, in which case it may be necessary to draw upon external resources.
As well as systems, controls and personnel, e-commerce companies should also consider the blunt reality of how they are going to pay for the financial consequences of a cyber incident and whether they could manage the instant cash flow burden of:
• any lost trade/income as a result of the incident;
• the additional operating costs (staff overtime, business continuity locations and infrastructure); and,
• the professional costs of experts and advisors to respond to a breach.
Cyber risk and data breach insurance
Just as there is no ‘one size fits all’ solution for the prevention of cyber risk, there are now a wide variety of insurance policies that are designed for different industry sectors and company sizes. Unfortunately, this relatively new sector of insurance has meant that there are a wide variety of insurance covers and wordings. Choosing the right policy can appear to be a taxing exercise, but an e-commerce company will be in a much better position to consider an appropriate policy having considered how its own cyber risk might be identified and mitigated. The first step should always be to seek advice from an experienced e-commerce insurance broker.
This article has focussed on cyber risk as a malicious electronic attack and the risks associated with data security and privacy laws. It is important to purchase a policy that indemnifies both ‘first’ party costs, being those costs incurred by a company that suffers a cyber incident, and ‘third’ party liabilities, being those legal liabilities owed to third parties as a result of the cyber incident or data breach.
Certain cyber or data breach insurance policies also provide cover for ‘business interruption,’ i.e. the lost profits caused by the cyber incident. The lost profits are often calculated with the assistance of expert accountants.
Certain dedicated cyber risk and data breach insurance policies also provide access to dedicated response teams including legal, IT forensic, PR and identity theft monitoring services. As noted above, the importance of cyber risk response teams cannot be overstated, and the benefits of such policies go beyond simply a financial indemnity: the expertise within these teams, which deal with a large volume of data breaches on a regular basis, can be invaluable for companies that do not have the internal resource to respond to such incidents.
Hans Allnutt, Partner, DAC Beachcroft
Simon Saunders, Head of Consultancy, Portcullis Security Limited
1. Rt Hon Francis Maude MP, ‘UK Cyber Security, The Role of Insurance in Managing and Mitigating the Risk,’ March 2015.
2. Ruffle, S.J., Bowman, G., Caccioli, F., Coburn, A.W., Kelly, S., Leslie, B. and Ralph, D., ‘Stress Test Scenario: Sybil Logic Bomb Cyber Catastrophe,’ Cambridge Risk Framework series, Centre for Risk Studies, University of Cambridge, 2014.
3. Financial Conduct Authority, Business Plan 2015/16, 2015.
4. s41 Serious Crime Act 2015.