OPINION: Ace’s Iain Ainslie on the growing cyber insurance market
In the past, data was physically stored, and it would have taken several trucks to steal half a million customer details. Today, it just needs a memory stick to be lost or an IT system to be hacked to trigger a breach of customer privacy that can cause a company lasting reputational harm. Although businesses in the UK and Europe have been slower to respond to this risk, largely because regulation is yet to be passed, progress is being made.
Data protection is no longer a physical risk, and so it is no surprise that there are almost daily stories in the press about increasingly sophisticated and daring cyber attacks. In the wake of the reputational and financial damage caused by recent breaches in the UK and US, company directors are at last beginning to sit up and take note that their business too could be at risk from a data breach or malicious cyber attack.
Almost two-thirds of companies surveyed in Ace’s 2013 Emerging Risks Barometer research recognised that the biggest threat to their data security was internal, often something as simple as an employee clicking on an internet link that downloads malware onto the work network, or a memory stick holding sensitive information being left in a public place. These statistics point to a real need for companies to review their internal procedures, and to educate staff on the serious financial impact that data loss can cause.
European companies have enjoyed less stringent data regulations than their peers in the US, but they urgently need to reconsider their management of third-party data in light of pending EU-wide data privacy laws, which will considerably increase their data protection responsibilities. If the proposed regulations become law, which is predicted to happen during 2015, European companies will have to report any data breaches to the relevant supervisory authority without delay, and where feasible within 24 hours. Companies which violate this requirement could be fined up to 5% of their global annual turnover, regardless of the harm caused by the breach.
Currently, according to Ace research, although risk managers and company directors rank cyber as the third most significant risk facing their business in Europe, well over a third (38%) believe that cyber risk will only be taken seriously when the law forces them to do so. In the meantime, in our experience, many fail to realise the full range of data risks they face, or mistakenly think that their IT department has security under control, and that existing insurance policies will provide cover. Sadly, this is a misconception, which could inflict a fatal blow to a company should it become a victim of a data breach.
Responding to the threat
There is a growing cyber insurance market offering cover against a wide range of first- and third-party risks associated with cyber-related incidents and data breaches, and as a result policy wording is broad.
However, companies must start to respond more effectively to their increased responsibilities to protect third-party data. This means improving training and awareness internally, but also assessing the role of external risk mitigation.
Moreover, if companies can demonstrate that they have strong risk management programmes to address data breach risks, they may be able to buy back some of the standard policy exclusions within cyber policies. For example, a company can leverage its good governance to agree an extension to the standard first-party cover, so that cover includes protection against loss of income, increased costs of doing business and dealing with the effects of a breach.
Ultimately, whether companies buy cyber insurance or not, a full risk assessment of their cyber exposures is essential if they are to avoid unknowingly retaining risks. To that end, insurers, brokers and clients need to work together more closely to understand, identify and mitigate cyber risks.
Iain Ainslie, technology and cyber underwriter, Ace European Group