A disclaimer to begin with – there is no one ‘Cyber Insurance’ product. There are several – each insurer has its own take and coverage varies wildly. Some offer limited policies which offer to repair your IT systems after a hack/virus. The broadest policies respond to accidental and malicious losses and include cover for bringing in IT forensic experts, getting systems back up and running, restoring systems and data, dealing with lost profits and reputational fallout, covering the loss from a cyber crime incident, notification costs for those affected by a breach and dealing with regulatory actions.
The bad news is that it can be difficult for companies to understand what their exposures are and which policy best suits their needs. The good news is that independent insurance brokers exist for the very purpose of providing guidance (yes, we do have some uses!). Below are some scenarios for firms to consider – any examples used are real-life and affected Irish firms.
For this article, I have chosen to focus on 9 of the most prominent cyber insurance scenarios, describing examples, what the worry is and which firms are most at risk. Here is a quick look at the 9:
9 Most Threatening Cyber Insurance Scenarios for eCommerce Website Companies:
1) Cyber Crime
2) Data Breach
3) Forensic Costs
4) Notification Costs
5) Business Interruption
6) System Damage
7) Reputational Damage
8) Crisis Consultants
9) Social Media/Online Content
1) Cyber Crime:
Past example:
Hackers monitored email conversations between the financial controller of a hotel and their supplier over a period of time. When they had become sufficiently familiar with the conversations between the two, the hackers struck. They made contact with the financial controller – from an email address very similar to the supplier’s – and used the language the supplier would have used about the latest Man Utd match. They then asked the hotel to make payment on the 21st rather than the 30th due to cash flow issues and to update the supplier’s bank account details. By the time the real supplier requested payment the monies were not recoverable – €49,000 was lost.
What’s the worry?
I could write a whole other blog just going through the various incidents I have seen. Cyber crime is now more lucrative than the global drugs trade and it is very common among Irish companies – the average loss to our clients in the past year has been around €30,000 per incident.
Most affected companies:
Those that transfer money, particularly large payments to suppliers or on behalf of clients.
2) Data Breach:
Practical Examples:
Accidental – Sending an email with client/employee information to the wrong person.
Malicious – A hacker steals data which can identify individuals – names, addresses, date of birth, credit card details etc.
What’s the worry?
A data breach would be bad news at any time. However, new EU Regulation comes into effect in 2018 whereby it will be mandatory to notify the Data Protection Commissioner (DPC) if a breach occurs (whether accidental or malicious). The DPC will have a whole new range of powers including the ability to fine companies up to €20m or 4% of global turnover, whichever is higher.
Most affected companies:
Those that process client or employee data, even briefly.
3) Forensic Costs:
Practical Example:
You receive a call from your IT department. A breach has occurred and has just been discovered – but how long ago and what is the extent?
What’s the worry?
The average time taken to discover a breach is over 6 months – a lot of damage can be done in the interim. Insurance can cover the cost of using in-house or specialist IT consultants to get to the root of the breach and to stop it at source.
Most affected companies:
Anyone with significant reliance on IT systems.
4) Notification Costs:
Practical example:
A breach has happened – there is a cost associated with finding out who has been affected, what data has been taken and then notifying them of same.
What’s the worry?
This will have a particular effect after the new regulation comes into force – the average cost per file works out at around €134. For companies with many thousands of files this cost alone has been known to exhaust cyber insurance policy limits.
Most affected companies:
Those with a number of client/employee files which include Personally Identifiable Information (PII).
5) Business Interruption
Example:
Your website is taken down by cyber criminals and you cannot process online orders during this time.
What’s the worry?
You may buy Business Interruption already under your Office Insurance – however, it only responds to physical loss such as fire or flood. Loss of income while systems are down would not be covered, unless it was due to physical damage to your servers.
Most affected companies:
Those that rely on systems to trade.
6) System Damage:
Practical example:
A virus or a disgruntled employee has wiped out a large amount of your computer programs and they need to be reinstated by IT.
What’s the worry?
Getting up and running again can be costly and time consuming.
Most affected companies:
Those that rely on systems to trade.
7) Reputational Damage:
Practical example:
Loyaltybuild in Clare had a significant and high-profile data breach in 2013, with the personal details of around 1.5m individuals affected. That year they posted a profit of €1m. Earlier this year the firm announced an €18m pre-tax loss.
What’s the worry?
People don’t like the thought of their data being ‘out there’. When this happens, it makes good copy for newspapers and can keep radio-station phone lines buzzing. How a company moves on can depend on their response to an incident, but in the interim profits can be hit.
Most affected companies:
Firms that hold a large amount of client information.
8) Crisis Consultants
Practical examples:
Loyaltybuild’s Managing Director carried out an interview in 2015 stating how the firm had trained employees, improved systems and essentially moved on from the breach – the damage to their brand may already have been done.
Did you know Ryanair announced last year that it had €4.6m stolen from it by cyber crime, or that Paddy Power had a breach affecting 650,000 customers between 2010 and 2014? Both were well-managed news releases with minimal obvious impact on each company’s brand.
What’s the worry?
Having consultants such as PR firms on call may sound far-fetched right now, but when an incident is about to make headlines their guidance could be invaluable to your firm being able to continue to trade.
Most affected companies:
Firms that hold a large amount of client information.
9) Social Media/Online Content
Practical examples:
A bar hires a photographer to take photos of its clientele every Friday and Saturday. When the photos are uploaded, everybody loves ‘tagging’ their friends on Facebook – however, one photo slips through that shows a bit too much of one individual, and their friend has just shared it. The request to take the photo down isn’t seen for some time, and meanwhile more and more friends see the embarrassing shot.
What’s the worry?
There are other considerations apart from infringement of privacy. Does your website claim you are the best at what you do? If so – says who?! You are responsible for your online content. Be aware of what is being uploaded online and of who has access to upload to your company pages.
Most affected companies:
Firms with active websites or social media accounts.
If you would like to discuss the adequacy of your existing insurance programme against cyber threats, feel free to contact the author – bomara@oli.ie.
–
About The Author:
Brian O’Mara works with O’Leary Insurances, Ireland’s largest independent insurance broker. He specialises in Cyber Insurance, having cut his teeth placing complex bespoke policies for some of Australia’s largest publicly-listed and private companies, including utilities and tech firms. In mid-2015 he returned to Ireland to co-ordinate O’Leary Insurances’ approach to this ever-changing area of risk. He regularly presents on cyber exposures to professionals around Ireland and has also contributed to newsletters and podcasts on the topic.