As reported in our last edition of Insurance files, millions of customers of Target in the US were the subject of a monumental cyber attack late last year, which involved the compromise of 40 million credit card numbers, along with 70 million addresses, phone numbers and other pieces of information. Target’s sales and reputation diminished once news of the breach became public. Consequently, Target first replaced its top technology executive and more recently, in the clearest possible expression of executive accountability, fired its chairman and CEO who had been with the company for 35 years.
The risks and consequences of cyber security breaches are growing, as is awareness of the issue at board level.
The US National Association of Corporate Directors recently reported that cyber criminals are stealing up to a terabyte of data each day, and that the average annualised cost of cyber crime to an organisation has risen 78 percent. The average time required to detect and respond to a cyber attack has also increased, by almost 130 percent according to the NACD report.
Following a November 2013 global survey of 360 senior executives, the Economist Intelligence Unit reported that more than 75% of North American, European and Asia-Pacific region organisations experienced cyber risk incidents in the past two years. Only 13% of Asia-Pacific region executives felt fully prepared for imminent incidents affecting their companies.
Specialised cyber risk insurance policies may cover liabilities like those that arose out of Target's data breach. In addition to defence costs and damages flowing from third party claims and class actions, such policies may also cover first party costs such as:
- recovery and restoration;
- investigation and response;
- business interruption;
- expenses for technical expertise;
- loss of revenue; and
- damage to a company's reputation.
However, while the availability of cyber insurance products is growing in step with increasing recognition of the risk, insurers and insureds are still coming to terms with the nature and extent of losses that might flow from a cyber breach. In its own case, Target reported that it expected insurance to cover $44 million of the $61 million in expenses incurred as a result of the breach. However, it has been predicted that total fines and expenses arising from the breach could be in excess of $1 billion, eclipsing Target’s reported $100 million cyber insurance cover.
Outside a specialised cyber risk policy, a company may be left looking to a management liability type policy for some form of coverage for its potential cyber security and privacy related liabilities. The executive accountability demonstrated by the Target case, and the shareholder lawsuits alleging wrongful acts by a company's leadership that may follow an event like a data breach, also highlight the importance of effective directors' and officers' coverage in addition to management liability type cover, particularly for medium to large companies. However, given the very specific threats and risks posed by cyber breaches, acquisition of specific cover to deal with such risks will be the reality for more and more Australian businesses in the short term.
Transferring risk via cyber insurance products is obviously only one important component of a modern risk solution for companies. Conducting a thorough assessment of the real data and IT risks and analysing measures to minimise those risks both prepares a company for potential cyber threats and allows it to properly examine varied cyber insurance offerings against its needs.