Almost every business in Ireland relies heavily on electronic systems and networks in order to carry out its everyday operations. Despite this, Irish businesses have been slower than their American and British counterparts to take out insurance cover to protect against the costs associated with an adverse cyber event. This article seeks to identify the main heads of cyber risk, and explain how cyber indemnity can protect against those risks.
Cyber Risk can be broken down into three distinct categories: Operational, Informational and Physical.
Operational Cyber Risk
Operational Cyber Risk arises from an event which threatens the ability of the business to carry out its everyday operations.
In the past few years, there has been a global proliferation of ransomware attacks, with the Petya and WannaCry attacks garnering significant media attention. In May 2017 it was reported that the Irish operations of three global firms, MSD (Pharma), Maersk (Shipping) & WPP (Advertising), were hit in attacks linked to the Petya virus. It may therefore not come as much of a surprise that a 2016 survey of Irish businesses carried out by IT firm Data Solutions found that 20% of Irish businesses had already been hit with a ransomware attack.
Another common form of operational risk is the distributed denial of service (DDoS) attack. In January 2016 a DDoS attack took a huge portion of the Irish Government’s online services offline, including those of the Oireachtas, the Department of Justice, the Department of Defence, the Central Statistics Office & the Courts Service of Ireland.
While the media tend to focus on malicious hacking of systems, a further, significant operational risk arises from flaws/errors in software systems. In August 2017, for example, the HSE became aware of a serious flaw in its system for storing patient scans. By the time this flaw was discovered, over 25,000 X-rays, ultrasounds and scans stored on the system since 2011 were affected.
Informational Cyber Risk
Informational Cyber Risk arises from the processing and storing of data and information by electronic means. This area is one which is (rightly) garnering significant attention as we await the imminent implementation of the GDPR.
The most obvious informational cyber risk is a data breach. In 2016, the Irish Computer Society carried out a survey which found that 61% of Irish businesses had suffered at least one data breach in the past year. The potential cost of a data breach can be catastrophic for businesses. For example, in 2013 the Ennis-based LoyaltyBuild suffered a data breach affecting the personal data, including credit card information, of 1.5m data subjects. By 2016 LoyaltyBuild’s reported loss arising from this breach was circa €18m. In 2017, the Gardaí reported that 20 Irish organisations had been victims of "CEO" or "invoice redirection" fraud the previous year, with €22m stolen in total. One company lost €7m in a single attack.
Again, while the media tend to focus on hackers and fraudsters stealing data, data breaches commonly occur through error. For example, in 2015 the Department of Social Welfare sent a man three strangers’ bank statements and payslips in the post. In 2007, the UK Government lost in the post the personal records of 25 million individuals, including their dates of birth, addresses, bank account details and national insurance numbers.
Physical Cyber Risk
This risk, which is more remote in the Irish context, refers to the risk of damage to physical assets and of bodily injury. For example, in 2016 massive damage was caused to a steel mill in Germany when hackers caused the unsafe shutdown of a blast furnace. In 2015 Sweden notified NATO of a serious, ongoing cyber attack by a hacker group linked to Russian intelligence.
What Cyber Indemnity Covers
So what does a Cyber Indemnity policy cover? Obviously it varies from Insurer to Insurer; however, most policies will cover what are known as “First Party” costs, which arise from an adverse cyber event. These are the costs which are incurred prior to any “claims” arising, such as the cost of investigating and remediating the breach (Insurers will often have a specialised team on retainer), initial legal costs (e.g. advising on the business’s potential exposure to Regulatory, Civil and even Criminal penalties), crisis management costs (e.g. PR), business interruption costs, notification costs (e.g. to Data Subjects) and recovery costs (e.g. recovery of sums paid as ransom or stolen by hackers).
The policies will then also cover “Third Party” costs, being the costs associated with claims, which range from privacy/data breach claims and defamation claims to multimedia/intellectual property claims and regulatory proceedings. When the GDPR comes into force this May, the potential cost of regulatory fines alone will be the greater of €20m and 4% of worldwide turnover.
Do other Insurance Policies provide protection?
Smaller businesses in particular are loath to add another policy to their suite of business insurance if they believe that their existing policies provide at least partial cover for adverse cyber events.
However, it is important to note that a cyber event will not, of itself, satisfy the definition of a “claim”, which is usually defined as a written demand for recompense or a written assertion of a right against the Insured party. Therefore, while some more traditional policies of insurance such as Professional Indemnity or Management Liability may potentially provide cover for Third Party claims arising from a cyber event, none of the First Party costs will fall to be covered.
Further, more traditional policies tend to require negligence to be present before the policy will respond, which is often not the case when an adverse cyber event occurs. Even if negligence is present, the negligence which causes the cyber event may not fall within the professional or business services definition in the policy.
Also, more traditional policies will often exclude cover for fines and penalties. Therefore, while it is possible that non-cyber insurance policies may provide some cover for businesses, this cover is likely to be so narrow as to be of cold comfort for businesses dealing with an adverse cyber event.