Cyber security and cyber threats are growing, both in numbers and in costs. They will certainly continue to increase as they follow the increases in Internet use and the rapid changes in how electronic information is gathered and stored. “90 percent of information is electronic,” said Thomas Dunbar Sr. VP and Chief Risk Information Officer (CIRO) of XL global services, on a panel at the European Insurance Forum in Dublin last week. “Where it’s placed and where it comes from is a business risk.”
He explained that databases used to be kept within the company, but it’s becoming more and more common for it to be managed outside the company; i.e. outsourced. As a result the risks of that data being hacked have increased. One needs to look no further than Sony, Target and now E-bay – an estimated 145 million records hacked – to understand this reality.
Remarkably, “only around 25 percent of companies at risk” are considering using insurance coverage to address the problem, said PwC Partner Ciaran Kelly at the same conference. There are a number of different threats. Aldona Treia of the European Cyber Crime Center, Europol, cited malware, phishing and data theft as the most common. The data obtained is frequently used by cyber criminals on line to commit crimes, or it is sold to others who do so.
One of the greatest concerns, however, for companies, governmental and non-governmental organizations is the risk to their reputation. Dan Hopkinson, an underwriter for Beazley, who specializes in cyber coverage, said “health care service providers, universities and companies are those most frequently targeted.” These are “reputational risks” that can have “a big impact on the bottom line.”
In an interview after the panel discussion Hopkinson explained that Beazley has developed a policy designed to address those risks. The insurer, which operates both independently and through the Lloyd’s market, has been actively expanding in the U.S. since 2005. The U.S. is at present the principle market for cyber risk policies, as it is a “more advanced market,” he explained.
As the policies are aimed at protecting the client’s reputation and brand name, they are designed to try to prevent data breaches and thefts in the first place, and to provide quick and positive responses, aimed at minimizing brand damage, when they do occur. The approach is very similar to how insurers structure Kidnap and Ransom policies, which just happens to be another Beazley specialty line.
“You need a suite of experts,” Hopkinson said; “to address two main priorities.” Firstly, expert teams examine the possibilities of a breach, and design a plan to reduce the risks as much as possible. Secondly, they design a response plan in the event that there is a breach so that the targeted company, and its insurer, are prepared to act quickly and decisively to curb potential losses. Beazley recently expanded its response teams.
“Beazley’s ‘breach service teams’ are independent contractors, and are a separate unit, not part of the claims department,” Hopkinson said. “They are an extension of our in house resources, which we bring in for support.” They provide not only technical expertise, but also legal and financial experts to assess potential losses.
When there’s been a breach, “things move very quickly,” he explained. “You need to get it [the response] right, and to assess the exposures and the notifications.” In some cases he explained that it’s preferable not to shut down a network after a breach, as, using “forensic experts,” it might be possible to identify those responsible. In which case shutting everything down “might do more harm than good.” It depends on the circumstances involved.
“A breach might not be a disaster, unless it’s mishandled,” Hopkinson said. “You need a calm and level head. The expert teams provide this. Beazley already has 7 dedicated UK based underwriters and approximately 13 in the US; in addition the team has a network of claims and breach specialists to support organisations pre and post breach. All of the teams operate locally, and in five different languages.
Protecting against data breaches is a growing field. As of the end of 2013 Hopkinson said Beazley had handled more than 1000 incidents, and they are growing. “We’re currently getting one and a half to two a day,” he said. And we’re seeing interest and budget support, “especially in the retail, health care and financial sectors.”
Was this article valuable?
Here are more articles you may enjoy.