Data breaches have become so common in everyday parlance it is arguable the proverbial “man on the Clapham Omnibus”* could recite one or two examples if prompted. You need only consider the past two years, in which more than a dozen well-known UK brands have made headlines after their customer data was compromised, to understand how this topic has entered the public discourse.
Historically, when mobile phone companies, banks and retailers were implicated in the compromise of customer information, consumer protection, notification and advice were seen as the best ways to limit damage to both brand and reputation. Over the past three to five years, our industry has developed solutions that have helped protect businesses and their customers from the consequences of hackers gaining access to their data. The result has been a growing confidence within the insurance sector. Many more underwriters have entered the market and are adding much-needed capacity while developing cyber incident response services that directly address consumer needs.
Much of the work we do tends to be confidential, but it would not be unreasonable to argue in private that the damage and exposure from data breaches has been greatly limited by our collective efforts. It is also clear this recent experience has allowed the risk management community to develop a pretty robust defence against the regulatory and reputational threats posed by a data breach.
The demands posed by a data breach remain, but the ability to respond to a cyber incident that carries only an operational exposure, i.e., where no data is compromised, is becoming of more pressing importance. This is where potential gaps in support present themselves more frequently; and as anyone in the market will understand, the consequences of a delayed or ineffectual response and mitigation can significantly increase both overall exposure and recovery times.
An increasingly knowledgeable risk management community is looking for a risk transfer mechanism for this exposure and underwriters are responding with products offering to "buy back" the traditional cyber exclusions such as CL380, NMA2914 and LMA3030 in business interruption policies. This is an area where we see the demand for much more than a legal framework to deliver a solution that can limit exposure and potential liabilities.
While we accept that the damage caused to society from data breaches is hugely significant, the greater threat financially could be an attack on a company’s operations that then affects manufacturing, delivery or the provision of services. The vast majority of businesses, regardless of location or size, rely upon either one or a network of computers.
The rise in the automation of production and manufacturing processes, cloud computing, virtual working and paperless environments create this additional aspect to cyber risk for any business where operational capacity can be brought to a standstill. This can be crippling from both a revenue and reputation perspective without creating a data breach exposure.
Ransomware and, more recently, distributed denial of service (DDoS) attacks across all business sectors have seen internet or web platforms seize up completely, making business as usual next to impossible. We are also seeing a rise in instances where hackers have inadvertently “knocked out” segments of the IT infrastructure hosting web portals or industrial control systems as they move across the network to reach personal and commercially sensitive data.
Food and motor manufacturers could conceivably see automated production lines hacked, with potentially catastrophic consequences if, for example, a key ingredient or quality control check was tampered with or the process rendered products unfit for human consumption or sale.
These types of threats require detailed modelling and scenario planning, where the focus is on protecting against operational risk and attributable financial/reputational implications. For insurers, the immediate need at point of notification will be in supporting, validating and assisting the insured during a crisis to manage their situation, and making sure the customer deploys mitigating protocols that minimise disruption to the provision of services or the manufacture of products.
It is becoming increasingly well understood that cyber as a proximate cause of loss and IT infrastructure as a head of loss have wider implications than just data breach incidents. Insurers and risk managers understand this, so those providing a cyber incident response need to provide a variant of the more traditional model for data breach crisis management. What is needed is an effective vehicle to mitigate those exposures posed by a non-data breach event.
This article first appeared in Insurance Day – www.insuranceday.com
* For readers outside the UK, 'The man on the Clapham omnibus' is a hypothetical ordinary and reasonable person, used by the courts in English law where it is necessary to decide whether a party has acted as a reasonable person would – for example, in a civil action for negligence. (Source - Wikipedia)