Why simply having basic cyber risks insurance may not be enough.
In a news story that will send a chill through almost every business that holds customer data, Reuters reported on Monday that cyber criminals had stolen data on more than 600,000 Domino's Pizza customers in Belgium and France, and that an anonymous Twitter user had threatened to publish the data unless the company paid a cash ransom.
Customer names, delivery addresses, phone numbers, email addresses and passwords were taken from a server used in an online ordering system that the company was in the process of replacing. Domino's spokesman Chris Brandon said on Monday that he did not know if the stolen passwords had been encrypted. According to Reuters, a tweet directed at Domino's customers from an account listed as "Rex Mundi" said hackers would publish the customer data on the Internet unless the company paid 30,000 euros ($40,800), according to an article in The Telegraph. The Rex Mundi account was later suspended. Brandon said he was not familiar with the ransom demands, but that the company would not be making any such payment.
Domino's Vice President of Communications Tim McIntyre said the hacking was "isolated" to independent franchise markets of Belgium and France, where the company's online ordering system did not collect credit card orders, so no financial data had been taken.
Are your Insureds appropriately covered?
UK businesses are increasingly realising the importance of cyber risk insurance cover for managing the impact of data breaches. However, this incident shows that simply having basic cyber cover may not be enough to protect against all the perils that come with cybercrime.
As the field of cyber risk insurance matures, policies are becoming more specific and customisable. Accordingly, it is essential that businesses, their brokers and insurers consider the level of cover required so that the appropriate protection is given. This also includes ensuring that insureds are not paying for unnecessary coverage.
A number of high-profile companies, including Sony and more recently Target in the US, have been in the news following the theft of personal customer information from databases. While these hit the headlines, the majority of data breaches occur within small companies. The impact on these large companies is bad enough, but for a small or medium-sized enterprise the impact could be proportionately greater and halt the business in its tracks.
Cyber risk insurance is a relatively new product, and the scope of its coverage can vary enormously from policy to policy. As the market for cyber risk insurance is still developing, there is no industry-wide consensus on what these policies should cover, and the array of options and the different terms used for the same products can be confusing for the customer.
Almost all cyber risk insurance policies protect against liability to third parties, and a good number cover an insured's own first-party costs of managing a data breach and the ensuing crisis. These costs can include hiring consultants to identify and analyse the breach, legal costs, and rebuilding compromised security systems. Extortion by a third party does not fit within most third-party or first-party covers. Extortion liability coverage tends to require a specific addition to the cover. Traditional kidnap and ransom cover may not be triggered if all that has happened is that data has been copied and no physical assets or staff have been detained. Insureds and their brokers should therefore carefully consider whether obtaining extortion liability coverage is necessary.