Cyber-risk is now firmly established as one of the most serious global risks. Last year saw an unprecedented number of high-profile cyber-attacks, while in January 2015 US health insurer Anthem reported suffering a massive data breach estimated to have affected around 80 million customers and employees. These attacks send a clear message to businesses: cyber-security and risk management must be infused into an organisation's DNA.
Cyber-incidents range from 'home team' failures in software and protection of data on the one hand to externally induced disruption through denial-of-service attacks, extortion, 'hacktivism' and state-sponsored espionage and attacks on the other.
Cyber-risk affects all organisations, regardless of sector or size, but the financial consequences vary significantly. Target Corp recently reported recovery of $90 million under a cyber-insurance policy in respect of a $248 million loss following its 2013 data breach,(1) and there have been reports that Anthem's cyber-insurance cover for losses up to $100 million could be exhausted.(2) Cyber-liability insurance is available and – save perhaps for the largest and bravest of self-insuring companies – essential to any cyber-security management plan. Of course, not only the financial consequences of cyber-attacks matter; the reputational damage associated with cyber-attacks can be severe. Conversely, being known to have good cyber-security can be a competitive advantage as well as an essential part of risk management.
This update discusses:
- what sound cyber-governance involves from an insurance perspective;
- cyber-liability cover considerations;
- reasons why cyber-insurance uptake seems not to have been as rapid as expected; and
- the continuing issue for insurers of pricing cyber-risk.
Sound cyber-governance – insurance considerations
Sound cyber-risk management is a governance issue that should involve the boardroom. After all, the directors will most likely be in the spotlight if there is a preventable failure and the UK government's view is that some 80% of known cyber-attacks could have been prevented by attainable, realistic security measures, such as those outlined in the Cyber Essentials Scheme. Cyber-risk insurers will want to know what steps the company has taken to help itself in order to price and provide cover. Directors should insist on:
- being well briefed on cyber-security issues (eg, regularly reviewing the organisation's operational cyber-risk exposure and cyber-security strategy);
- having a good understanding of the issues so that they can address the legal, financial and reputational ramifications of a cyber-breach;
- carrying out periodic reviews of existing outsourcing and third-party service contracts and maintaining a cyber-risk register of the identified exposures, contractual position on liability for cyber-related incidents and associated insurance cover, so that the risks can be properly monitored, managed and insured;
- discussing which of the cyber-risks specific to the organisation should be accepted, mitigated or transferred through contracts with vendors and others, as well as insurance, with formulation of a plan for each risk;
- knowing the extent to which the organisation has cover for its cyber-risks under existing insurance policies (some of which may well exclude it) and keeping under review whether the organisation should purchase standalone cyber-liability insurance;
- checking directors' and officers' (D&O) insurance policies to assess whether they are sufficient to cover the risk of derivative claims following a cyber-risk incident; and
- monitoring the development of, and considering participating in, voluntary government schemes (eg, the UK government's Cyber Essentials Scheme, where holding a 'cyber-essentials' badge may secure preferential rates with certain insurers).
A proper understanding of the organisation's operational risk exposure and a coherent cyber-security strategy are essential for assessing the cover needed under insurance policies, and are also likely to help with premium costs.
When reviewing the organisation's insurance portfolio, it is important to recognise that traditional policies will often specifically exclude the impact of cyber-incidents, meaning that specialised cyber-liability policies are needed to protect the business to the extent that a prudent manager would expect.
Standalone cyber-liability cover
Standalone cyber-liability coverage tends to be expensive, because of the high-impact nature of the risk and the difficulty in quantifying potential losses. Of course, premiums should come down as more policies are bought.
A business that is in control of and conversant with its cyber-risk profile will be better able to negotiate cover to fit the exposures identified within its business, working with its broker to craft a suitable cyber-liability policy.
The value offered by cyber-liability cover does not stop at a claims pay-out. Cyber-liability policies typically provide access to and payment for experts (eg, specialist forensic teams and public relations consultants), which can go a long way towards minimising the financial and reputational impact of a cyber-incident on the business. In essence, the insurer of a cyber-liability policy sits in wait, ready to help the insured to respond to and recover from a cyber-attack, if required.
Roadblocks to uptake
In January 2015 a Zurich-sponsored survey found that only 35% of organisations in Europe purchase cyber-cover and 65% consider that the insurance industry is not doing enough to design products which address cyber-risk.(3) Organisations typically chose not to purchase cyber-cover for three reasons:
- Current products offer inadequate cover for the organisation's exposures;
- They are considered too expensive; or
- The merits of purchasing cyber-cover have not yet been explored.
Even in the United States – where purchase of cyber-insurance has been significantly higher than in the United Kingdom – the upward trend in the number of organisations purchasing cyber-liability insurance reportedly reached a plateau in 2014, despite a marked increased in cyber-awareness (64% of respondents regarded cyber-risk as a significant threat, up 10% from 2013).(4)
Cyber-risk preparedness, rather than awareness, therefore appears to be the new corporate governance issue. A 2014 study by EY identified three roadblocks to organisations getting ahead of cyber-crime:(5)
- Lack of agility – organisations are failing to move fast enough to address not only new and emerging cyber-threats, but also the known vulnerabilities in their cyber-defences.
- Lack of budget – more organisations are now reporting that their cyber-security budgets will remain flat, despite increased board awareness of the nature and magnitude of the risk.
- Lack of cyber-security skills – organisations are struggling to hire the specialists necessary to analyse threat intelligence data, draw relevant and actionable conclusions and enable decisions and responses to be taken. Only 5% of organisations have a dedicated and specialised threat intelligence team. The analysis to be performed by such specialists is key to building cyber-security skills in non-technical disciplines and integrating cyber-security into the structure of how a business operates.
Pricing the risk – an ongoing issue
According to the December 2014 AM Best Report, which asked insurers globally about cyber-security risks:
- 10% of respondents offered a standalone cyber-policy;
- 10% bundled cyber-coverage with errors and omissions, property/business interruption and general liability policies; and
- the remaining respondents either did not provide cyber-insurance or were non-committal.(6)
Given the reported lack of cyber-preparedness among organisations, these results are unsurprising.
The relatively small size of the global cyber-risk insurance market, compared with the estimates of the risk, may change. If cyber-preparedness among organisations improves, insurers will be better placed to understand and price the risks that an organisation wishes to transfer, designing cyber-liability products which offer a great risk transfer mechanism for the needs of that organisation's business.
Extensive efforts are being made by the UK government to promote greater attention to cyber-insurance considerations. The government – most notably, through its Cyber-security Information Sharing Partnership – recognises that cross-sectoral information sharing on cyber-threats is important for an organisation to be able to prepare for the cyber-risks presented by its business and source a cyber-liability policy which offers an effective transfer of risk.
For further information on this topic please contact Marisa Orr or Nigel Montgomery at Sidley Austin LLP by telephone (+44 20 7360 3600?) or email ([email protected] or [email protected]). The Sidley Austin LLP website can be accessed at www.sidley.com.
(1) "Spending on Cyberattack Insurance Soars", Top Tech News (February 17 2015), available at www.toptechnews.com/article/index.php?story_id=1010035QT3ZO.
(2) "Anthem breach could exhaust $100mn cyber programme", The Insurance Insider (February 16 2015).
(3) "2015 Network Security & Cyber Risk Management: The Fourth Annual Survey of Enterprise-Wide Cyber Risk Management Practices in Europe", Advisen Insurance Intelligence, sponsored by Zurich (February 2015), available at www.advisenltd.com/wp-content/uploads/network-security-cyber-risk-management-white-paper-2015-02-06.pdf.
(5) "Get ahead of cybercrime – EY's Global Information Security Survey 2014", EY (October 2014), available at www.ey.com/Publication/vwLUAssets/EY-global-information-security-survey-2014/$FILE/EY-global-information-security-survey-2014.pdf.
(6) "A.M. Best Special Report: Cyber Security Presents Challenging Landscape for Insurers and Insureds", AM Best Press Release (December 8 2014), available at www3.ambest.com/ambv/bestnews/presscontent.aspx?AltSrc=28&refnum=21971.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.