The Rise of Cyber Insurance by Sarah Stephens
The last decade has seen thousands of highly publicised and cost heavy cyber incidents which have impacted organisations across the globe as well as a range of industry sectors. No company or industry is immune. As the pace of technological change continues unabated, organisations’ reliance on computer networks and the information they hold has become critical to their ability to offer products and services and to interact with customers and employees.
By Sarah Stephens, Head of Cyber, Technology, Media E&O at JLT Specialty
This shift in emphasis from tangible assets, like buildings and machinery, to intangible assets, like networks and data, didn’t immediately result in a similar shift to specialised insurance policies. The landscape of cyber insurance was slow to grow at first but is now advancing at rocket speed.
When and where did it all begin?
In the late 1990s and early 2000s, insurers first began to offer products with slivers of today’s cyber coverage. Early products mainly dealt with the liability resulting from transmitting a virus to a business partner and business interruption suffered after a cyber attack, but the triggers tended to be much narrower and the coverage more restrictive. Despite being revolutionary, there was relatively little uptake in the early days as companies were uninterested in a product they didn’t understand and felt was expensive. With regulators not in the picture and few headline claims in the public sphere, insurers found that their cyber products weren’t flying off the shelves.
The landscape started to shift in 2003 when California introduced the US’s first breach notification regulation, SB1386. Prior to this, an American company could be hacked and have had personally identifiable customer or employee information stolen without disclosing it publicly. Cyber insurance policies grew little sub-limits for the minor costs of complying with this law.
So what has happened since 2003?
California’s law and others like it have brought thousands of data breaches to light since 2003. In fact, now forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands all have some form of breach notification regulation, making it tougher to legally keep incidents under wraps these days.
Many large incidents became hugely expensive, and insurers responded with policies covering more and more of the cost of suffering a data breach. Those companies that suffered a breach now incurred a range of additional expenses, notably for consumer notification, credit monitoring, forensic investigation, call centres, public relations, legal advice, and other crisis management expenses. Unlucky companies also faced legal costs – both in responding to regulators and civil litigants – as well as ever larger settlements and fines.
Despite not having the same data breach notification laws as the States, companies in the UK are increasingly put under pressure by the Information Commissioner’s Office (ICO). The ICO states that organisations should take suitable precautions to safeguard any personal data they hold. In the event of a breach the company should notify the ICO within 24 hours. Depending on the level of damage caused by the breach, all those who are affected may require notification as well. If and when the new EU Data Protection Regulation passes, as many expect it will in 2015, the obligations to notify consumers and data regulators of incidents will swing far closer towards the onerous US regime.
This increasingly difficult cyber exposure environment has not gone unnoticed by corporate risk managers. Particularly in North America, cyber insurance purchases have grown exponentially, with many large insureds seeking more capacity than the market can offer. Demand for cyber insurance education in Europe and Asia has never been higher, with companies reacting to daily headlines and changing regulatory landscapes. Purchasing behaviour has also accelerated rapidly over the past 12 months.
Cyber concerns and solutions today stretch beyond simply data breach risk for companies reliant on personally identifiable information. Attacks on industrial control systems have recently caused companies in energy, mining, heavy industry, and manufacturing to reconsider their cyber risk exposure and insurance solutions. Companies in all industries are thinking more critically about their reliance on technology, online communication, big data, and the business continuity impacts that a technology failure could create.
From optional to critical?
With the proposed EU Data Protection Regulation set to be finalised by 2015 and with fines of 2% of global turnover or €100 million for noncompliance, data breach risk isn’t going to become any less expensive. Neither is our collective reliance on technology showing any signs of reducing the exposures. Cyber risk is a multifaceted issue that stretches from the data centre to the boardroom.
The most forward thinking companies no longer view cyber insurance as merely optional, but rather a critical weapon in their cyber risk management arsenal.