News reports about data breaches and other major hacking incidents are now a daily event. At the same time, the consequences of such events are becoming increasingly clear.
In particular, the Information Commissioner’s Office (ICO) has this month reported that it has issued a record fine to TalkTalk, £400,000, for failing to take basic steps to prevent attackers from obtaining sensitive customer data, “with ease”.
The hacking threat is also coming into focus in other sectors. Lloyd’s List reported this month on an emerging trend in the shipping industry of payments being made to fraudsters who trick charterers into transferring funds to their bank accounts by means of convincing-looking emails, apparently emanating from the email addresses of legitimate agents, such as ship managers requesting payment of hire. A similar trend has been noted in other sectors, including law firms. Two features of this trend stand out: the use of email addresses that appear similar to, but are slightly different from, legitimate ones, coupled with a pattern of such emails being sent when the recipients’ guard may be down – “Friday afternoon fraud”, as Lloyd’s List put it.
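The two features described above, a near-identical sender domain and an awkwardly timed request, are both things a recipient’s mail gateway or finance team can check mechanically before a payment is released. The script below is an added illustration and is not part of the original article or of any product it mentions: it folds common homoglyphs (“rn” for “m”, a zero for an “o”, Cyrillic letters that render like Latin ones), measures the edit distance from the sender’s domain to an allowlist of known agents, and records whether the message arrived on a Friday afternoon. The allowlist, the sample From: headers and the timestamps are all constructed for the example.

```python
"""Lookalike-sender check for payment-instruction e-mails.

Added illustration, not code from the original article. The allowlisted
domains, the sample From: headers and the timestamps are constructed.
"""
from datetime import datetime
from email.utils import parseaddr
import unicodedata

# Constructed allowlist: domains from which genuine hire/payment requests
# are expected. Hypothetical names.
KNOWN_DOMAINS = {"acme-shipmanagement.com", "harbour-agents.co.uk"}

# Visual substitutions commonly used in lookalike domains, plus a few Cyrillic
# letters that look identical to Latin ones and are not folded by NFKC.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}

# Constructed timestamps: Friday 14 October 2016 at 16:30, and a Wednesday morning.
FRIDAY_1630 = datetime(2016, 10, 14, 16, 30)
WEDNESDAY_0900 = datetime(2016, 10, 12, 9, 0)


def normalize(domain: str) -> str:
    """Lower-case, NFKC-fold and collapse homoglyphs so look-alikes compare equal."""
    d = unicodedata.normalize("NFKC", domain).lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character typosquats (dropped letter, .co for .com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, received: datetime, max_distance: int = 2) -> dict:
    """Classify the From: domain as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means the domain is not allowlisted but, after homoglyph folding,
    lies within max_distance edits of an allowlisted domain. The Friday-afternoon
    flag records the timing pattern the article describes; it is a prompt for
    extra scrutiny (e.g. a call-back to a known number), not evidence on its own.
    """
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    result = {
        "domain": domain,
        "verdict": "unknown",
        "closest": None,
        "distance": None,
        "friday_afternoon": received.weekday() == 4 and received.hour >= 15,
    }
    if domain in KNOWN_DOMAINS:
        result.update(verdict="trusted", closest=domain, distance=0)
        return result
    folded = normalize(domain)
    closest = min(KNOWN_DOMAINS, key=lambda k: levenshtein(folded, normalize(k)))
    dist = levenshtein(folded, normalize(closest))
    result.update(closest=closest, distance=dist)
    if dist <= max_distance:
        result["verdict"] = "lookalike"
    return result


# Constructed samples: one genuine agent, three impersonations, one stranger.
SAMPLES = [
    "Ops <ops@acme-shipmanagement.com>",
    "Ops <ops@acme-shiprnanagement.com>",        # 'rn' in place of 'm'
    "Ops <ops@acme-shipmanagement.co>",          # '.co' in place of '.com'
    "Hire Desk <hire@harbour-agent.co.uk>",      # dropped 's'
    "Broker <x@totally-different.example>",
]


def run_samples(received: datetime = FRIDAY_1630) -> dict:
    """Classify every sample header at the given receipt time, keyed by header."""
    return {hdr: classify_sender(hdr, received) for hdr in SAMPLES}


if __name__ == "__main__":
    for hdr, res in run_samples().items():
        print(f"{hdr:42} -> {res['verdict']:9} (closest {res['closest']}, "
              f"distance {res['distance']}, friday pm {res['friday_afternoon']})")
```

The point of the homoglyph fold is that “acme-shiprnanagement.com” is zero edits from the real domain once “rn” is read as “m”, so a plain edit-distance threshold would otherwise rank it as less suspicious than a single dropped letter. In practice the allowlist should be the charterer’s own record of counterparties, and a lookalike verdict should trigger out-of-band confirmation of any change of bank details rather than an automatic block or an automatic payment.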
These trends are of course of interest to insurers, particularly those who issue policies whose cover is broad enough to extend to “cyber-risks” such as email fraud, which lies in an often poorly defined grey area between “cyber risks” and conventional fraud.
The above developments come hot on the heels of recent HM Treasury guidance regarding the EU General Data Protection Regulation, which came into force earlier this year. Those in the cyber risks arena will know that this regulation not only provides for stringent controls on how personal data is to be protected, but that it also has teeth, in the form of fines of up to the greater of 4% of gross annual worldwide turnover or €20 million. This remains an issue for (re)insurers and their customers notwithstanding Brexit. Companies that handle personal data, including insurers, have until May 2018, when the regulation becomes enforceable, to ensure that its requirements are in place.
In the light of all this, insurers and reinsurers who are exposed to cyber-risks (whether knowingly or otherwise) would do well to take stock of their exposures and to take time to think about the scope of cover that they are prepared to offer, together with the risks of accumulations and aggregation of losses, in order to ensure they are not caught off-guard when the inevitable deluge of claims arrives.