Cyber Risk – Once more unto the breach
As the number and severity of cyber attacks continues to increase, the need for effective cover continues to grow exponentially. Tim Evershed looks at how the market is responding
The volume of cyber attacks continues to grow, with organisations of all sizes vulnerable to hacking attacks and data breaches. A recent report carried out by PwC examining UK data breaches showed that not only had there been a rise in 2015 but that the scale and cost of these breaches had doubled.
Worryingly for those businesses, the report concludes that data breaches for large businesses are now “a near certainty”. This conclusion is underlined by the list of organisations that have leaked personal information in recent years, including local authorities, retailers such as JD Wetherspoon and Carphone Warehouse, as well as every major UK bank.
Aside from the cost of dealing with data breaches, insureds can also suffer huge business interruption losses if their networks are down for any length of time. Both of those risks will inevitably cause reputational damage as well.
Highlighting quite how damaging this can be for businesses is a study from Centrify, which reveals 75% of adults in the UK would stop doing business with, or cancel a membership to, an organisation that was hacked.
These numbers help explain why cyber liabilities are now one of the top concerns for directors and officers of companies, behind only regulation, according to research from law firm Allen & Overy and broker Willis Towers Watson.
“Directors’ & officers’ cover is becoming increasingly important and there is a change in what is perceived to be the greatest risk. Five or 10 years ago, crime and corruption would not have figured as highly as it does now, when it is centre stage. Regulatory investigations and cyber crime are now the greatest risks,” says Joanna Page, partner at Allen & Overy.
Further fuelling these concerns are changes in the legal framework due to come into force in the next two years. They come as a result of the General Data Protection Regulation, which will enable people to control their personal data better, and the Data Protection Directive for the police and criminal justice sector, which will ensure that the data of victims, witnesses, and suspects of crimes,
Companies will have to notify the national supervisory authority of serious data breaches as soon as possible, so that users can take appropriate measures. No such obligation currently exists in the European Union but a similar obligation, which has existed in the US for some time, has given rise to some very expensive remedial action needing to be taken by companies that have suffered cyber attacks, during which the personal data of thousands of people has been compromised.
“There is some claims experience in the US and there will be more in Europe and the UK. The reason there has been more in the US is not just because it is a more litigious culture but also because it has been a requirement there that in the event of a hack, you inform the people whose data has been compromised,” says Francis Kean, executive director, FINEX, at Willis Towers Watson.
“US retailer Target lost a lot of money and then shareholders were deeply unhappy at how easy it was for the hackers to have a go. So they sought to attack the company and its directors,” he adds.
This is certainly an area where directors and officers can find themselves personally exposed. In an era where just about every company relies on computers to some extent, cyber risk is real, serious and unavoidable – and as such, the threat of a liability attack against directors cannot be eradicated.
It is therefore necessary for board members to take steps to mitigate those risks and give themselves a basis for defence if their company’s systems were to fall victim to an attack.
“The board has to be acutely aware of what their exposures are in respect to cyber. It has to be seen to be implementing the correct responses, infrastructure and all necessary aspects of trying as hard as they can to mitigate that threat,” says Antony Hope, head of management liability at Markel International.
He continues: “It is unfortunately the case that many boards might be aware of the fact there are these exposures but aren’t intimately familiar with what those exposures might amount to, because they don’t have the level of knowledge and expertise – and that’s something that will have to change.”
The rise in the use of computer systems shows no sign of abating, with companies testing unmanned drones to carry out deliveries and driverless cars being tested for road use.
These developments can only escalate the cyber risks faced by companies across a broadening range of industries, and the scope and frequency of those risks will increase.
The rise in these risks comes with an attendant requirement for companies to address them. It will then be incumbent on directors and officers to protect the companies they run – both in terms of protecting against the risk itself and the options available to the company for managing losses and dealing with cyber breaches.
The UK government has published guidelines for non-executive directors, to help them in assessing the measures being taken to enhance cyber security in the companies they oversee.
These guidelines list the following useful questions for directors to ask:
Do I really understand the cyber risks my company faces?
What questions should I ask myself?
What should I ask my board colleagues?
What should I be asking the audit and/or risk committees?
Mr Kean says: “The words ‘cyber risk’ can be very misleading. If you start to categorise risks affecting your organisation and there is a set of sub-categories of cyber risk, you are almost certainly proceeding down the wrong road.”
He adds: “The reason for that is that cyber risk is not a single risk that you can pigeonhole. Instead, what you need to do is look at all the risks that face your organisation then look at each of those risks through the prism of computers. That approach should lead to better results not only in terms of managing risk but also when it comes to the question of insurance.”
As cyber risk increases, so does the take-up of cyber liability policies. But how well are board members protected by the directors’ and officers’ insurance (D&O) market?
Mr Hope says: “D&O is essentially an all-risks policy for a board of directors and as long as there are aspects that aren’t otherwise excluded from coverage, then it extends to everything they do as a director or officer of a company. So cyber issues, in the absence of any exclusionary language, will be covered.”
However, where D&O policies do offer cyber extensions, it is probably wise for insureds to think twice about whether they are worth purchasing.
Mr Kean says: “When you look at the thing as a whole, although you’re getting perhaps extra bells and whistles in terms of costs that insurers are willing to grant you in relation to some cyber incident, the overall effect of the cyber extension is to reduce the cover because it limits the insurer’s exposure to that specific area they have granted.
“If the directors are being attacked by regulators or shareholders over a cyber incident, it shouldn’t be any different from an attack from any other reason. There should be the same level of cover whatever the cause of the attack is.”