Cyber risks: Understanding your insurance protection
April 2011
The information contained in this paper provides only a general overview of the subjects covered. It is not intended to be taken as advice regarding any individual situation or policy and should not be relied upon as such. Statements concerning legal matters should be understood to be general observations based solely on our experience as insurance brokers and risk consultants and should not be relied upon as legal advice, which we are not authorised to provide. All such matters should be reviewed with the client's own qualified legal advisors in these areas.
11/0086
Introduction

Today, information constitutes a significant portion of a company's assets, and it is predominantly stored electronically and shared over networks [1]. What would happen if these vital corporate assets were stolen, disclosed, lost, destroyed or corrupted? How many companies or businesses could function without the information they send and receive over sophisticated information networks?

A growing appreciation of the dependency on and importance of e-commerce, coupled with ever increasing levels of cyber attacks, has sparked debate on the need for and availability of appropriate insurance coverage. The development and evolution of cyber risks mean that traditional insurance policies now have limitations when it comes to responding to these risks, which are, at the same time, increasingly prevalent for businesses. This paper examines some of the areas where cyber risks may fall outside the scope of traditional policies and looks at how businesses can find protection in the current insurance market.

Melita Simic
Managing Principal, Financial & Professional Services
April 2011

1. Examples include accounting information, intellectual property, customer/client details, competitive information and supplier information.
What is cyber risk?

Cyber risk in general terms refers to the potential losses and liabilities arising out of the use of e-commerce. E-commerce, broadly speaking, is the application of technology to the automation of business transactions. It consists of businesses connecting their critical business systems directly to their critical constituencies, such as customers, employees, suppliers, vendors and business partners, using internet based technologies. While the benefits of employing e-commerce strategies and internet based technologies are numerous, so are the risks.

Cyber risks can be broadly categorised into the following:
1) Content risks
2) Technical risks

1) Content risks

A company is responsible for any and all information posted on its website. This means that a company may be exposed to liability for:
- Negligence, if information appearing on its website is incorrect and results in an individual suffering loss
- Breach of contract, or misleading and deceptive conduct, if the information appearing on its website is incorrect or misleading and deceptive and induces a party (or is relied on by a party) to enter into a contract with the company online
- Any defamatory material appearing on its website or transmitted from its systems/servers across the internet
- Intellectual property infringement, encompassing copyright material (text, design and other graphics, photographs, software and the like), trademarks and logos, proprietary information (sales records, marketing plans, customer files), trade secrets and patented inventions
- False advertising or advertising infringement as a result of over exuberance in advertising
- Claims for breach of confidential information and/or privacy

A company may also potentially be liable (for any of the above) under any number of acts, codes, rules and regulations, which can result in hefty fines and criminal penalties. Additionally, the website owner may be subject to the laws of different jurisdictions, since web content appears worldwide. The list provided above is by no means exhaustive. The law remains uncertain as it evolves to take account of new cyber realities.
[Figure: content risks. Website information at the centre, surrounded by: liability under acts, codes, rules and regulations; breach of private and confidential information; intellectual property infringement; negligence; misleading and deceptive conduct; breach of privacy; false advertising; different laws of different jurisdictions; breach of contract; defamation.]

2) Technical risks

In addition to exposure to content risks, a company is also constantly open to a number of technical risks, and must consider the following:
- The transmission of information across the internet brings with it the risk of unauthorised access, human (programming) errors and/or other technical errors
- Any company connected to the internet is susceptible to an assortment of viruses, malicious code or trojan horses, which can result in legal liabilities as well as damage to or destruction of valuable information assets, disruption to service and financial loss
- Cyber extortion may occur when hackers steal, or threaten to steal, company information for the purpose of selling it back to the company
- Information networks give employees unprecedented access to business information. Employees can use a company's computer network to destroy information or to steal it to sell. Since most e-theft involves copying information and data, a company may not know that its information or data has been stolen until it appears somewhere else
- Deliberate overloading of web servers can cause a web server to crash, bringing internet trading and other online operations to a halt
- The security of proprietary information in electronic form is a major risk area because of the high potential for loss, theft or unauthorised use of electronic data. In part, this is because lost or stolen data can result in the violation of privacy rights

If hackers can get into the Pentagon, would it not be easy for them to get into your networks?
First party losses and third party liabilities

From our examination of the range of cyber risks, it is evident that they can result in both:
1) First party losses
2) Third party liabilities

1) First party losses

First party losses refer to direct losses sustained by the company stemming from the use of e-commerce or internet related activities. Examples include:
(a) Damage to property consisting of intangible assets, namely software (programs) and data
(b) Business interruption
(c) Theft of proprietary information or consumer data

These can all occur as a result of one or more of the following cyber perils:
(i) Hackers (external and internal)
(ii) Viruses
(iii) Extortion
(iv) Programming errors
(v) Power surges and the like, leading to network or system failures

2) Third party liabilities

Third party liabilities concern a company's liability to third parties for losses sustained arising out of the company's use (namely wrongful use) of e-commerce or internet related activities. Examples include:
(a) Damage to third party property consisting of intangible assets, namely software (programs) and data, and/or financial losses as a result of:
(i) Denial of access
(ii) Insufficient measures used to protect third parties from computer crime
(iii) Spread of a computer virus
(iv) Failure of software
(v) Programming errors leading to network or system failures or loss of expected goods and services
(b) Intellectual property infringements encompassing software patents, copyrights, trade secrets and trade marks
(c) Defamation, libel and slander
(d) Invasion of privacy
(e) Unfair competition or false and misleading advertising
(f) Unauthorised use of confidential information
Traditional policies and cyber risks

More often than not, cyber risks fall outside the realm of traditional insurance policies. The reason for this is twofold.

Firstly, traditional insurance policies were developed long before the evolution of cyber risks. Consequently, cyber risks do not fit neatly within existing definitions and exclusions [2]. A review of traditional insurance policies indicates that there are several gaps in coverage for cyber risks. Some of the problems with standard policies in relation to cyber risks include the following:
- There isn't always a trigger that creates an insured event. For instance, general liability and property policies were developed to respond to liabilities and natural perils (e.g. fire, hail, earthquakes) that damage physical assets. Under property policies, business interruption is generally triggered only if there is direct physical damage. Crime policies similarly provide cover predominantly for tangible property. Cyber risks, on the other hand, are largely intangible, caused by human error, or the result of malicious attacks and crimes
- Most general liability policies do not cover economic loss or professional services, precluding most cyber risk damages
- The theft of intellectual property (given that intellectual property is considered an intangible asset) is not addressed by most policies [3]
- Crime policies often contain confusing exclusions and limitations when it comes to employee dishonesty and computer fraud
- Coverage may not exist for third party losses due to computer viruses or unauthorised access to private and confidential information
- Advertising injury coverage under general liability policies does not completely address intellectual property infringement, content and advertising offences over the internet
- Many companies do not have errors and omissions policies, and where they do, such policies often contain security breach exclusions
- Professional liability policies may exclude coverage because the internet related work may go beyond the scope of an insured's current professional services
- Many insurance policies have geographical limitations; the internet does not

Secondly, insurers are attempting to limit their liability for cyber risks by incorporating additional exclusions into traditional policies. There are a number of reasons for this. Insurers do not want to expose themselves to risks they did not intend to cover when they wrote the traditional policies and for which they did not charge a premium, particularly when there is a lack of definition and quantification of these risks and little historical data. As a result, companies are finding that, while their cyber risks are expanding significantly, the coverage available for these exposures under traditional policies is shrinking, creating serious coverage gaps for companies looking to safeguard their systems and intangible assets.

2. Some general insurance policies may however provide elements of cyber cover.
3. Specialised insurance cover has become available in recent years.
Finding a way forward

Cyber risks are increasingly viewed by insurers as a distinct category of risk, not covered by traditional commercial insurance. Whether traditional insurance policies will provide cover is uncertain and would be limited at best. It is therefore important that companies review and continuously update their insurance and risk management procedures to ensure that they can best protect themselves from cyber related losses.

Given the current environment, protecting knowledge capital and networks against non-physical perils is critical. It is essential that companies put procedures in place to:
- Identify cyber risks [4]
- Qualify and rank them
- Assess the controls and countermeasures in place
- Identify risk improvement procedures
- Repeat the process regularly and monitor progress

Once cyber risks are identified, an insurance wording gap analysis can be performed and decisions made to negotiate extensions to current wordings or to place a specific cyber policy, either to supplement existing policies or to act as a first line policy. New cyber specific insurance policies are emerging to fill the gaps in traditional policies. This has been due in part to a better understanding of cyber risks and risk management issues, as well as access to loss information.

It is helpful to keep in mind that, when underwriting this area of risk, underwriters are likely to examine the following aspects of the company to make a decision about its risk:
- What is the internet site being used for? Is it passive, in that it only offers information with no customer interaction; interactive, in that it allows customers to interact with the website by requesting or providing information; or active, in that it allows customers to make purchases from the website? [5]
- Is there a privacy statement?
- What security measures are in place? Physical security, a written security policy, virus detection policies/software, passwords, firewalls, encrypted logins, authentication technology, or intrusion detection systems?
- Is there any regular testing of the security by internal audit?
- Is the security tested by an outside party, i.e. penetration testing or ethical hacking?
- What is the financial status of the company?
- What is the nature of the company? [6]
- What is the claims history of the company?
- Are there satisfactory internal controls and risk management procedures in place?

4. The key to protection lies in accurate and adequate risk identification.
5. Cyber risks increase the more active the website.
6. Cyber risks vary between industries. Key cyber risk industries include financial institutions, entertainment/media, technology and telecommunications, manufacturing, airlines and travel services, higher education and retail.
Concluding remarks

Cyber risks present new and different challenges and can have serious implications for a company's bottom line [7], both as direct [8] and indirect [9] consequences of an event. Ever growing media interest in cyber crime, and the various surveys into computer crime conducted over the years, now highlight that the first lines of technological defence are no longer impenetrable. Data breaches affect millions of records a year. Media reports of data or network sabotage, virus and trojan infection, computer fraud and laptop theft, denial of service incidents and network scanning are ever increasing, and it is unlikely that the underlying trends will improve in the short term.

Accordingly, insurance coverage for cyber risks should be a significant and growing concern for companies. Network security breaches can expose companies to class action lawsuits, significant recovery costs and irreversible damage to the corporate brand [10]. Undoubtedly, the liabilities will continue to grow and evolve [11] as new perils arise and lawyers develop new causes of action.

Policies have been specifically designed to cover a range of cyber risks (including both first party losses and third party liabilities), as well as to afford cover for associated legal expenses, settlements, judgments, regulatory investigations and other related business expenses, for example privacy notification expenses. Given the enormous and growing participation of all companies in e-commerce, isn't it time to consider transferring this risk?

7. "Cyber Risks: is your company protected?" by Dawn Simmons, Senior Underwriter, Professional Lines, XL Insurance, printed in Insight International, September 2010.
8. For example, the actual costs incurred in notifying relevant customers and data protection agencies of the security breach and mitigating further losses.
9. For example, customer turnover and damage to reputation.
10. "Putting Cyber Risks on the Board's Radar Screen" by Tracey Vispoli.
11. Such as privacy notification expenses, for example obligations to notify third parties of a security breach and mitigate losses.
About Marsh: Marsh, the world's leading insurance broker and risk advisor, teams with its clients to define, design, and deliver innovative industry-specific solutions that help them protect their future and thrive. It has over 24,000 colleagues who collaborate to provide advice and transactional capabilities to clients in over 100 countries. Marsh is a member of Marsh & McLennan Companies, a global professional services firm with 51,000 employees worldwide and annual revenue exceeding $10 billion, which is also the parent company of Guy Carpenter, the risk and reinsurance specialist; Mercer, the provider of HR and related financial advice and services; and Oliver Wyman, the management consultancy. Its stock (ticker symbol: MMC) is listed on the New York, Chicago and London stock exchanges.
www.marsh.com.au

Marsh (Sydney): Darling Park Tower 3, 201 Sussex Street, Sydney NSW 2000. Tel: +61 2 8864 8888. Fax: +61 2 8864 8800
Marsh (Melbourne): 555 Lonsdale Street, Melbourne VIC 3000. Tel: +61 3 9603 2222. Fax: +61 3 9670 8581
Marsh (Brisbane): Level 20, Riverside Plaza, 123 Eagle Street, Brisbane QLD 4000. Tel: +61 7 3115 4555. Fax: +61 7 3115 4500
Marsh (Parramatta): Level 1, 87 Marsden Street, Parramatta NSW 1250. Tel: +61 2 8864 8888. Fax: +61 2 8864 7333
Marsh (Perth): 2 The Esplanade, Perth WA 6000. Tel: +61 8 9289 3888. Fax: +61 8 9289 3880
Marsh (Adelaide): Level 5, 108 North Terrace, Adelaide SA 5000. Tel: +61 8 8385 3600. Fax: +61 8 8385 3650
Marsh (Canberra): Level 5, 60 Marcus Clarke Street, Canberra ACT 2601. Tel: +61 2 6279 3300. Fax: +61 2 6279 3320
Marsh (Hobart): 111 Macquarie Street, Hobart TAS 7000. Tel: +61 3 6281 3100. Fax: +61 3 6281 3160
Marsh (Darwin): Carpentaria House, Level 1, 13 Cavenagh Street, Darwin NT 0800. Tel: +61 8 8943 4400. Fax: +61 8 8981 9311
Marsh (Launceston): Level 2, 33 George Street, Launceston TAS 7250. Tel: +61 3 6333 3200. Fax: +61 3 6333 3260

Disclaimer: The information contained herein is based on sources we believe reliable, but we do not guarantee its accuracy. The information contained in this publication provides only a general overview of the subjects covered, is not intended to be taken as advice regarding any individual situation, and should not be relied upon as such. Statements concerning legal matters should be understood to be general observations based solely on our experience as insurance brokers and risk consultants and should not be relied upon as legal advice, which we are not authorised to provide. Insureds should consult their own qualified insurance and/or legal advisors regarding specific coverage and other issues.

Copyright 2011 Marsh Pty Ltd. All rights reserved.