CYBER SAVOIR FAIRE
By Paula L. Green
Regulation is still struggling to keep up with rapidly evolving cyberrisks but is already driving uptake of cyberrisk insurance in some markets. Companies are taking note of the changing landscape.
Spooked by the massive data breaches that have struck US-based retailers Target and Neiman Marcus and the privately owned Korea Credit Bureau, more and more risk officers around the globe are placing cyberrisk insurance near the top of their “to buy” list. And if the millions of irate consumers—predictably backed by aggressive plaintiffs’ attorneys—are not enough to turn up the heat in corporate risk management offices, the spread of legislation and regulations forcing companies to disclose breaches of their customers’ personal information is certainly making the C-suite take notice.
The looming implementation of the European General Data Protection Regulation, along with the increasing sophistication of hackers, is prodding executives at European multinationals—whose purchase of this cover falls far behind their counterparts in the United States—into action. “Demand for this cover is already high in the US and is now increasing in Europe, particularly as a result of the proposed EU regulations, which could include fines for data breaches,” says Julia Graham, director of risk management and insurance for DLA Piper UK, an international law firm. “The potential financial and reputational impacts [of these risks] are clear.”
The provisions of the draft regulation were strengthened when a European Parliament committee backed the European Commission’s regulation proposals last fall, notes Sarb Sembhi, a cybersecurity consultant based in London and chair of a committee at ISACA (Information Systems Audit and Control Association). For example, the draft now would require a company hit by a data breach to notify the National Supervisory Authority within 24 hours of the occurrence if feasible, down from a proposed 48 hours.
Sembhi believes the EC regulation’s notification requirement will increase the number of UK companies—now less than 5%—carrying the cover.
He estimates that about 40% of US companies, inspired by the mandatory breach notification legislation that now exists in 46 states, carry cyberrisk cover.
Approval by the European Parliament’s Civil Liberties, Justice and Home Affairs Committee of the draft legislation demonstrates European officials’ resolve on data protection, according to Stephen Wares, who heads the Europe, Middle East and Africa division of Marsh’s cyberrisk practice.
The committee aims to up the financial pain by setting the level of fines at up to €100 million, or 5% of annual worldwide revenues, whichever is greater. Fines were previously limited to 2% of a company’s global turnover, or €1 million.
The regulation will be reviewed in the early part of 2015. The committee’s approval sets out the Parliament’s position on data protection reform before final talks are held with the European Union Council, which represents the governments of EU member states.
In January 2012, the European Commission laid out a comprehensive reform of the European Union’s 1995 data protection rules in order to strengthen online privacy rights and curb the fragmentation of rules among the 27 EU member countries. The European General Data Protection Regulation is one of two major sections of the reform.
Over in Asia, data breach insurance has a short history and no trends have yet emerged, says Stella Tse, head of Marsh’s financial and professional liability practice in Asia. The companies handling data in jurisdictions with tougher regulations are “first in line to look at this cover,” and some are required by contract terms to secure the cover, says Tse. “Companies that have experienced some degree of data loss have taken out the cover,” adds Tse, who is based in Asia.
Oddly enough, KPMG’s Audit Committee Institute recently reported that organizations with the weakest cyberdefenses are the least interested in getting cyberinsurance.
Having cyberinsurance does not mean a company can relax its stance on other cyber-related controls, warns Graham. “‘Cyber savvy’ organizations that take out insurance have to go through a rigorous underwriting process before they can buy this cover, and it’s unlikely that any organization that fails the cyberunderwriter test would be granted cover,” she adds.
Ken Goldstein, vice president and global cybersecurity manager at global insurer Chubb Insurance, agrees. He says the recent series of severe data breaches will affect how insurance companies underwrite and price the large retail exposures. “At a minimum, insurance underwriters might expect the opportunity for greater details in order to better understand the private information at issue, how it is being protected, and the company’s loss history,” says Goldstein.
Graham adds that companies should expand cybersecurity awareness among employees and offer training to all staff: it is financially sensible, as it will affect the cover’s availability and pricing. “It’s also a good defense if things do go wrong… evidence that you did all the ‘right things’ will help during any subsequent investigations. Awareness programs can be very cost-effective to put in place.”
Spencer Timmel, who specializes in cybersecurity and privacy liability at US insurance broker Hylant, says crisis response plans are also crucial. Although insurance is necessary to help mitigate the financial fallout from any cyberattack, corporate risk officers should be doing their homework to have a response plan in place that involves internal executives from technology, legal and finance, as well as outside attorneys, forensic firms and credit monitoring companies. “You don’t want to be doing a Google search in the middle of the night,” says Timmel.
NEW US FRAMEWORK
US risk officers, already coping with state data disclosure laws and the federal Securities and Exchange Commission’s October 2011 disclosure guidance on cybersecurity risk for shareholders, will soon be wrestling with a federal strategic framework for reducing cyberrisks to critical infrastructure. In an executive order, President Obama directed the National Institute of Standards and Technology to work with stakeholders to develop a voluntary framework for reducing cyberrisks.
While not mandatory, the framework is making executives more aware of the need to protect their companies from cyberrisks, says Kevin Kalinich, global practice leader of network cyberrisk at Aon.
In addition, the Insurance Services Office, which provides statistical, actuarial and other information about property/casualty risks, has decided to add language that specifically excludes cyber-related risks from its general commercial liability forms. Although the courts have commonly ruled that cyberrisks are not covered under these policies, which were developed decades ago before the personal computer even existed, the explicit exclusion again points out the need for cybercoverage, Kalinich adds.
The ample capacity in the cyberrisk insurance market means companies signing up for cover can easily find insurers. While the traditional commercial insurers may be restricting their limits, boosting retentions and upping premium prices, a number of new entrants are filling the gap with excess coverage.