Mega breaches – again

Recent cyber security “mega breaches” touch on another important insurance issue: aggregation. The sheer scale of large data security breaches gives rise to potential aggregation issues, for example:

  • If a system has been compromised, that vulnerability may be used to compromise the systems of third parties using the affected system (as in the Target breach)
  • The same vulnerability could be exploited in other systems (as in the case of the recent Heartbleed bug)
  • The data stolen could be used to perpetrate further breaches (for example, personal data allowing identity theft, passwords used on more than one account)
  • Commercially or market sensitive data may give rise to first party losses and third party claims by interested parties such as shareholders, owners or developers of confidential information etc
  • Liability claims may be brought against other third parties implicated in a data breach, such as data hosting, data storage, data hosting companies and credit card processing companies

Other aggregation issues

In our view, further areas which currently pose a higher aggregation risk for tech and cyber insurers include the following:

  • Vulnerabilities of common software solutions: the recent Heartbleed bug arose from a vulnerability in an open source used by a number of well-known websites. In addition, there was a potential liability arising from a vulnerability in commonly used software or add-ons, demonstrated by the recent Adobe breach. Earlier this month Adobe and Microsoft issued patches to address a number of critical security issues in well-known applications such as Flash Player, AIR, Internet Explorer and Microsoft Word
  • Obsolescence of anti-malware software:  Many commentators suggest that traditional means of addressing data security problems such as anti-virus software are rapidly becoming outmoded as malware developers tailor programmes which can automatically monitor anti-virus signatures and patch themselves so that they are not recognised by the virus software
  • Data Centres/Cloud Computing:  The increase in volume of information held by multiple insureds in the Cloud and/or outsourced to large data centres creates an increased accumulation of risk as a result either of a data security breach in the cloud or physical damage to the data centre/cloud hosting systems. Although most cloud solutions and data centres argue that they have robust backup systems, experience indicates that they are unlikely to be fool-proof in every case
  • Hacking/damage to critical infrastructure:  Loss or damage to local infrastructure plainly creates a risk of severe knock-on effect to businesses reliant on that infrastructure. For example, the outage of a mobile telecommunications networks can affect not just the network operator itself but other businesses which potentially unable to operate due to lack of connectivity in circumstances where they become increasingly reliant on mobile technology.