Data & Cyber Risks. big data

Transcription

1 Data & Cyber Risks big data For all businesses that use or store data V This report highlights the risks of storing or using data and gives business risk managers insight to the exposures, legal ramifications and potential solutions to this growing problem.

2 Introduction The biggest threat to our economy Politicians have signalled that they believe the law needs an overhaul following a recent cyber-attack at telecom firm TalkTalk. Former home office minister Hazel Blears described the TalkTalk data breach as a wake-up call that should prompt a debate about whether further regulation was needed, suggesting cyber crime was probably the biggest threat to our economy. Cyber security and information protection can be challenging for companies of all sizes. Hackers are not the only threat today s businesses rely on the internet for services such as online marketing, administrative functions, credit card processing and distribution controls. Any intrusion that disrupts delivery of these services can lead to brand and reputation damage, regulatory scrutiny, stakeholder dissatisfaction, and financial losses. Contents Data & cyber risks the facts 2 Cyber and data insurance 3 General data protection regulation 5 1 What can a cyber policy insure? 6 Claim scenarios 9 Quotation procedure 11 W Denis can help. We offer a range of risk management and risk transfer solutions that will enable you to assess, manage, and respond effectively to the cyber threats that your organisation faces.

3 Data & cyber risks the facts Data privacy and protection are key cyber risks and related legislation is set to toughen globally. More notifications of, and significant fines for, data breaches can be expected in the future. Legislation has already become much tougher in the US, Hong Kong, Singapore and Australia, while the European Union is looking to agree pan-european data protection rules. Tougher guidelines on a country-bycountry basis can be expected. The risk of business interruption (BI), intellectual property theft and cyberextortion both for financial and non-financial gain are increasing. BI costs could be equal to or even exceed direct losses from a data breach. Attacks by hackers dominate the headlines but there are many gateways through which a business can be impacted by cyber risk. The impact of BI being triggered by technical failure is frequently underestimated compared with cyber-attacks. The vulnerability of industrial control systems (ICS) to attack poses a significant threat. To date, there have been accounts of centrifuges and power plants being manipulated. However, the damage could be much higher from security-sensitive facilities such as nuclear power plants, laboratories, water suppliers or large hospitals. Allianz Risk Pulse Allianz Risk Barometer 2015 Appendix The fourth annual Allianz Risk Barometer was conducted among both global businesses and risk consultants, underwriters, senior managers and claims experts in the corporate insurance segment of both Allianz Global Corporate & Specialty (AGCS) and local Allianz entities. Figures represent the number of responses as a percentage of all survey responses (709). More than one risk could be selected by respondents. Top Business Risks Rank Trend 1 Business interruption and supply chain 46% 1 (43%) - 2 Natural catastrophes 30% 2 (33%) - 3 Fire/explosion 27% 3 (24%) - 4 Changes in legislation and regulation 18% 4 (21%) - 5 Cyber crime, IT failures, espionage, data breaches 17% 8 (12%) 6 Loss of reputation or brand value (e.g. from social media) 16% 6 (15%) - 7 Market stagnation or decline 15% 5 (19%) 8 Intensified competition 13% 7 (14%) 9 Political/social upheaval, war 11% 18 (4%) 10 Theft, fraud, corruption 9% 9 (10%) 11 Quality deficiencies, serial defects 8% 10 (10%) 12 Market fluctuations (e.g. foreign exchange rates or interest rates) 7% 11 (8%) 13 Talent shortage, aging workforce 7% 16 (6%) 14 Commodity price increases 6% 13 (7%) 15 Climate change/increasing volatility of weather 6% 23 (3%) 16 Credit availability 6% 15 (6%) 17 Austerity programs 5% 12 (7%) 18 Pollution 4% 17 (5%) 19 Technological innovation (e.g 3D printing, nanotechnology) 3% 14 (7%) 20 Terrorism 3% 22 (3%) 21 Inflation 3% 24 (2%) 22 Power blackouts 2% 19 (3%) 23 Health issues (e.g. pandemics) 2% 20 (3%) 24 Protectionism 2% 25 (1%) 25 Euro-zone disintegration 2% 21 (3%) 26 Deflation 1% 26 (1%) - Cyber and data insurance is needed by any company which possesses or uses data, the internet and telephone systems. 2

4 Cyber & data insurance The facts We don t need it as we re not a technology company Wrong Cyber & data insurance is needed by any company which possesses or uses data, the internet and telephone systems. Premiums can be expensive Wrong For small businesses the premiums start from 100 per year plus tax. We don t need it as we don t trade over the internet Wrong Cover can insure a range of exposures including fraudulent billing (e.g. fraudsters purporting to be your supplier and hacking systems/information in order to deceive your staff into settling invoices to bogus accounts). Cover is limited Wrong Options can be available for a pre-set` range of covers or alternatively, particularly for larger companies, bespoke policies can be arranged. Cyber insurance has evolved over the last 10 years and a wide range of exposures can now be insured, which previously were uninsurable. In the UK limits sought are usually in the 5 million to 10 million range. With excess layer support limits up to 100 million and higher being available in the London market. For businesses with USA exposures, higher limits are more common due to the more onerous data protection laws in America. Insurers are already providing capacity to fulfil the requirements of companies in the USA, which at the upper end are buying cyber limits in the $200 million to $300 million range. Cyber crime is over-rated Wrong The costs to the UK economy alone are huge, with a recent estimate in excess of $4.3 billion per annum. This includes: intellectual property theft industrial espionage extortion costs direct online theft costs theft of customer data The annual global cost of cyber crime is estimated in the region of $250 billion across the world s 10 largest economies. Continued... 3

5 Cyber & data insurance How much does cyber-crime cost the world s leading 10 economies? This AGCS atlas examines the estimated total cost to the global economy from cyber-crime per year, with a particular focus on the impact on the world s top 10 economies, according to GDP. 1. US $108bn Since 2005 there have been 5,029 reported data breach incidents in the US, where organisations must report data breaches to regulators, involving more than 675 million estimated records, according to the Identity Theft Resource Center. 2. China $60bn 3. Germany $59bn 4. Brazil $7.7bn 5. UK $4.3bn 6. India $4bn 7. France $3bn 8. Russia $2bn 9. Japan $980m 10. Italy $900m Country Ranking by GDP1 $445bn1 annual cost to the global economy 1 CSIS/McAfee $250bn cost of cyber-crime to world s 10 leading economies Cyber-crime as a % of GDP2 $200bn+ annual cost to top four economies 50%+ top 10 economies share of annual cost Estimated cost3 1. US $16.8trn.64% $108bn 2. China $9.5trn.63% $60bn 3. Japan $4.9trn.02% $980m 4. Germany $3.7trn 1.60% $59bn 5. France $2.8trn.11% $3bn 6. UK $2.7trn.16% $4.3bn 7. Brazil $2.4trn.32% $7.7bn 8. Russia $2.1trn.10% $2bn 9. Italy $2.1trn.04% $900m 10. India $1.9trn.21% $4bn Sources: 1 World Bank (2013) 2 Net Losses: Estimating the Global Cost of Cyber-Crime, CSIS/McAfee 3 Allianz Global Corporate & Speciality. Rankings according to cyber-crime costs Statistics outside the US are patchy. However, there have been at least 200 breaches in Europe involving 227 million records since 2005, according to an estimate by the Center for Media, Data and Society at the Central European University. Some of the largest breaches include the likes of US retailers Target and Home Depot, health insurer Anthem, entertainment and electronics firm Sony and investment bank JP Morgan Chase. The Target data breach in 2014, in which the personal details of some 70 million people may have been compromised, was one of the largest in history. It has been reported that it has cost the company well in excess of $100m, not including the damage to their reputation and loss of business, and was followed by the company s chief executive leaving his post. Few insurers provide cyber cover Wrong There is a growing insurance market that is responding to demand. A range of insurers are aiming to write cyber insurance for small business (under 10m turnover). Several insurers are active in the mid-market. At the high end, a new consortium of underwriters recently launched a facility in London to insure global businesses (with revenue exceeding $5 billion) cyber exposures. There is no legal or regulatory requirement for cyber insurance so I don t need it Wrong Governments are reviewing the growing problem of data theft and cyber crime. See next page regarding EU General Data Protection Regulations. 4

6 General data protection regulation The European Union is working on new legislation that could have serious ramifications. It is intended to be a wide cast net and will apply to any data controller which is summarised as follows: Data controllers and processors to implement appropriate measures to ensure a level of security appropriate to the risk presented and the nature of personal data protected To notify the supervising authority without undue delay and where feasible not later than 24 hours after becoming aware of a personal data breach Data subjects have the right to have data erased where no longer considered necessary in the purpose for which it was collected Provides for private rights of action for damage suffered as a result of unlawful processing of data or an action inconsistent with the regulation These new EU regulations are expected to be finalised in the latter part of Penalties the current proposals set out a three-tiered system, with the most serious breaches resulting in fines of up to 1m ($1.1m) or 2% of worldwide annual turnover. Compensation may also be payable to individual(s) who have suffered loss as a result of any data breach. In the USA there are already strict regulations and penalties related to the management of data. The Personal Data Protection Act (PDPA), introduced in 2014, is the first privacy- specific legislation in Singapore, and aims to provide transparency in relation to the use of individuals personal data. PDPA investigations are now underway following unrelated breaches at a telecoms company and a karaoke company, in which customers personal data was accessed and/or leaked by hackers. The PDPA introduced fines of up to $1m per breach. In Australia, a number of high profile cyber breaches, coupled with an estimated 20% increase in cyber-attacks on businesses in 2014, have led to the Australian Privacy Commissioner and other regulatory authorities including Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC) focusing on the regulation of personal information and security of online business platforms. Legislation requiring mandatory reporting of serious data breaches is likely to be enacted in the next year, and thereafter increased levels of reported breaches and fallout regulatory sanction are expected. 5

7 What can a cyber policy insure? Potential risk scenarios from cyber attacks or incidents Critical data is lost Customers may be lost and business interrupted Property damage Theft Adverse media coverage/damage to reputation/ lower market share - 71% of customers said they would leave an organisation after a data breach Regulatory actions and associated fines and penalties Profits impacted/value of shares may fall Loss of trade secrets/confidential information Extortion Breach of contract Product recall Notification costs and other response costs i.e. forensic Network security liability Directors and officers liability The annual global cost of cyber crime is estimated in the region of $250 billion across the world s 10 largest economies. 6

8 What can a cyber policy insure? Cyber in the context of insurance is an umbrella term embracing any risk faced by a business through its use of online networks or systems. Those risks can include denial of networks and systems by natural phenomena, electronic phenomena (e.g. viruses) and humans; and data lost through error or theft; damage to stock through hackers accessing internet-based control systems; internet/telephony fraud, extortion and associated reputational and legal liabilities. First Party Third Party Cyber loss or damage Restoration of the insured s network and data following unauthorised access, computer virus, denial of service attack or operational error. Cyber media liability Defamation and disparagement. Infringement of copyright, trademark and publicity rights. Adulteration and contamination of stock Stock damage cover if goods are stored in a temperature controlled environment as a result of unauthorised access, computer virus or a denial of service attack to the insured s network. Privacy liability Violation of a person s rights of privacy or publicity - administrative or regulatory proceedings. Disclosure of non-public personal information. Failure to provide notice of a potential disclosure either which was originally stored on the insured s network or a third party custodian s (e.g. cloud provider). Business interruption or extra expense Loss of income or extra expense following unauthorised access, operational error, computer virus or denial of service attack to the insured s network. Breach of confidentiality Disclosure of corporate confidential information or trade secrets. Failure to provide notice of a potential disclosure either which was originally stored on the insured s network or a third party custodian s (e.g. cloud provider). Cyber theft Loss or alteration to the insured s money, security (for instance an internet driven phishing scam of the insured s network) Loss of the insured s goods due to unauthorised delivery of goods All due to transmission of information through or to the insured s network and created by an external source. Cyber security liability Inability of others to access insured network. Damage to third party networks. Loss of or damage to third party data on the insured s network. Continued... 7

9 What can a cyber policy insure? First Party Third Party Cyber extortion Loss or alteration to the insured s money, security (for instance an internet driven phishing scam of the insured s network). Loss of the insured s goods due to unauthorised delivery of goods All due to transmission of information through or to the insured s network and created by an external source. Defacement of the insured s website. Breach of payment security liability The insured s legal liability to pay damages in respect of a breach of a written contract between the insured and any entity or individual that governs the storage and processing of credit card information, including any breach of the PCI DSS (Payment Card Industry Data Security Standard). Telephone hacking Forensic investigation costs arising from the use of the insured s bandwidth and the cost of unauthorised calls due to unauthorised access of the insured s telephone system by an external source. Privacy liability Legal liability to pay regulatory compensation awards, civil penalties or fines (only where permitted by law) and the regulatory defence costs in connection with an investigation, defence or appear of any investigation following a covered claim on the above third party liability cyber liability insuring clauses. Crisis management costs and notification costs Regardless of it being a first or third party event, when a cyber or network incident occurs it can have a devastating effect on the reputation of the company and the confidence of its customers. This part of the policy provides funds, in the event of an incident, to enable the insured to hire expert assistance to mitigate the effect of the incident. In the event of a data breach the cost of notification of that breach to all relevant parties will also be covered. Not all of the above covers are provided on every cyber policy. If you require certain level of specific cover, a bespoke cyber policy may suit you best. Please speak to W Denis Insurance Brokers PLC so that your requirements can be evaluated and understood. Usually a First Party Event will very quickly also turn into a Third Party Event, if there is a breach of your security and a potential loss or exposure of data to hackers, your own losses will swiftly manifest into a legal liability when you have to report data breach to your customers. Some of the cyber insurance policies we arrange include First Notification of Loss` 24/7 telephone helplines. Immediately following a potential claim, with one phone call you can contact our dedicated specialists who will assist with technical support, public relations advice, data retrieval or loss assistance. This includes IT forensic support to help with identifying the cause of the breach, enabling secure systems to be reinstated and minimise any potential loss or legal liability. 8

10 Claim scenarios European Court of Justice ruling on Weltimmo, Hungary The ECJ ruled in favour of the Hungarian data protection authority in its case against Slovakian property site Weltimmo. It s a landmark ruling that could have big implications for companies such as Facebook and Google, operating across multiple EU countries. The ECJ ruled on the 30th September 2015 that if a company operates a service in the native language of a country, and has representatives in that country, then it can be held accountable by the country s national data protection agency, despite not being headquartered in that country. The ruling means that Weltimmo could be liable for 10m Hungarian forint ( 23,650) fine levied by the Hungarian authority over the passing of user information to debt collection agencies, which was found to infringe Hungarian data protection laws. Airline In June 2015, hackers grounded 10 planes belonging to a Polish airline after a denial of access attack blocked the sending of flight plans. Oil Producer In 2012, malware disabled tens of thousands of computers at oil company Saudi Aramco, disrupting operations for a week. Industrial Control Systems examples Recent years have seen growing concern about the vulnerability of industrial control systems (ICS), which are used to monitor or control processes in industrial and manufacturing sectors, for example. An attack against an ICS could result in physical damage, such as a fire or explosion, as well as business interruption. A number of ICS still used by manufacturing and utilities companies today were designed at a time before cyber security became a priority issue. Vulnerability of ICS was first highlighted by the Stuxnet computer worm in Stuxnet was reportedly developed by Israel to target Iranian nuclear facilities the worm allegedly destroyed uranium enrichment centrifuges. ICS are also vulnerable to both technical failure and operator error as well, which can be much more frequent and severe in terms of impact and are often not captured in cyber reports. While ICS are a particular issue for the energy sector, similar cyber-related physical damage and business interruption risks exist in other industries. For example, car manufacturing plants rely on robots to make and assemble vehicles. Should a robot be hacked or suffer a technical fault, a production line could be interrupted for hours or days, at a potential cost of tens of millions of dollars per day. Continued... 9

11 Claim scenarios And the potential cost of damages could be even higher from an incident involving security-sensitive facilities such as nuclear power plants, laboratories, water suppliers or large hospitals. A hacker caused a floating oil-platform located off the coast of Africa to tilt to one side, thus forcing it to temporarily shut down. Somali pirates employed hackers to infiltrate a shipping company s systems to identify vessels passing through the Gulf of Aden with valuable cargoes and minimal on-board security. This led to the hijacking of at least one vessel. Denial of service attacks (initiating a very high number of requests to a system to cause it to cease operating) against ports have been reported. Furthermore, there have been a number of anecdotal accounts about hackers accessing computer systems/navigation software, subsequently causing hull damage. Boris Berezovsky vs Roman Abramovich In this major struggle between two Russian oligarchs`, in the UK High Court a hacker allegedly hacked into and obtained confidential information from Boris Berezovsky s lawyers and offered it to Roman Abramovich. Judgement was recently given in Abramovich s favour, awarding him $6.5billion the biggest private court case in British legal history. This incident demonstrates how exposed law firms are to cyber risks. Epsilon Data Management Epsilon Data managed communication for large companies such as Marks & Spencer and JP Morgan Chase. Hackers stole an estimated 60 million addresses. The resulting losses, including forensic audits, fines, litigation and lost business are estimated at $4billion. Zurich American Insurance Co vs Sony Corp Zurich filed a suit against Sony in New York state court seeking a declaration that it is not obliged to defend Sony against three separate breaches of Sony s Playstation Network, in which 100million customer records were exposed. The alleged damages are at $171million. 10

12 Claim scenarios Online retailer Case Study: Website hosting failure Impact: Website downtime resulting in lost sales and revenue. Consequence: When equipment failed at the data centre hosting the retailer s website, the online sales function was unable to accept or process orders. Policy response: Covered the loss of income from the loss of sales. Hotel Case Study: Back-end system failure Impact: Without information to process customers, hotel reception became chaotic, incorrect bills were issued, income was impaired and business was lost. Consequence: Check-in/check-out, billing, room management and staff coordination information became out of date and thus of no use. Policy response: The hotel lacked cyber cover but would have been provided with insurance against lost revenue and funded with the increased cost of working. Clothing distribution firm Case Study: Stock control system malfunction Impact: Disruption of the distribution routine had a disproportionate impact on popular sizes, resulting in a dramatic reduction in sales. Consequence: Programming error resulted in the distribution to stores of a limited range of garment sizes. Policy response: Covered the loss of income from the loss of sales. Engineering firm Case Study: Breach of commercial confidentiality Impact: As part of a tender for business, a supplier sent its price list to the policyholder, an engineering firm. This list was subsequently forwarded, inadvertently, to a rival of the original supplier. Once in the possession of the list, the competitor was able to undercut the supplier s prices in order to win business. The supplier therefore brought legal proceedings for loss of future earnings against the engineering firm. Consequence: Legal action by a supplier. Policy response: Covered the policyholder s legal expenses and the cost of the settlement. Continued... 11

13 Claim scenarios Charity Case Study: Website failure Consequence: The charity relies heavily on donations made via its website, with the level of donations fluctuating according to the season, such as Christmas, or in connection with a sponsored event or advertising campaign. The website failure coincided with such an activity, severely compromising fund-raising activity and thus hindering its viability in terms of fulfilling its charitable aspirations and responsibilities. Impact: Inability to accept online donations. Policy response: Covered cost of forensic investigation work into the cause of the failure and met restoration costs in full. It also covered the charity for its loss of income and increased cost of working. Retail clothing chain Case Study: Stock control system failure Consequences: Point-of-sale equipment stopped working. Unable to accept orders via website. Impact: Collapse of auto-ordering via point-of-sale tills resulted in popular items running short, with immediate and substantial negative effect on sales and ultimately, reputation. Policy response: Funded cost of forensic investigation into cause of failure; Funded network restoration costs; Compensation for lost revenue; Funded increased cost of working from manual updating of stock system following full stock-take. 12

14 Quotation procedure For small businesses (turnover under 15m) we can offer very fast premium/cover indications on a statement of fact` basis. However the cover provided via this method is not the widest and is quite rigid. If you would like a bespoke quotation, where the widest cover and highest limits are available, or if your turnover exceeds 15m then we will need to ask you to complete a short application form, before we can offer you a quotation. W Denis Insurance Brokers PLC Brigade House, 86 Kirkstall Road, Leeds LS3 1LQ T and 34 Lime Street, London, EC3M 7AT T Authorised and Regulated by the Financial Conduct Authority 13 DISCLAIMER: The information, examples and suggestions in this document have been procured from sourced believed to be reliable, but they should not be construed as legal or other professional advice. W Denis Insurance Brokers PLC accepts no responsibility for the accuracy or completeness of this material. This material is for illustrative purposes and is not intended to constitute a contract. Please remember that only the relevant insurance policy can provide the actual terms, coverages, conditions, amounts, terms and exclusions that will apply. All products and services outlined in this document may not be available in all worldwide jurisdictions or US states and may be subject to change without notice. W Denis Insurance Brokers PLC will provide a specific quotation for your consideration, on request, which will include contract certain terms and conditions applicable to you.