“Think of a massive cyber attack as an intelligent hurricane. If it hits a house that doesn’t fall down it learns why the house didn’t fall and it changes——.”
– Ty Sagalow
On the 21st of October 2016, The Economic Times reported that “… 3.2 million debit cards were compromised; with SBI, HDFC Bank, ICICI, YES Bank and Axis worst hit.”
The newspaper also highlighted more high profile data breaches in recent years as reproduced below.
Around the same time, there was news about another wave of online attacks on Domain Name Server (DNS) provider Dyn Inc., blocking access to Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, The New York Times and various other sites — an attack that Andrew C. Harris, CEO of brokerage Liberty Insurance associates in Millstone Township, N.J., calls “… overdue.”
Cyber risks truly are the talk of the town. These are indeed powerful and disturbing wake up calls about the perils of our connected world, reminding us of the need to ensure that society, including the corporate world, is geared up to face cyber risks. They are not just the concern of big companies or the elite. The great achievements in Information Technology have also brought along with them attendant threats significantly affecting various facets of business operations.
Consequences and other implications of Cyber Attacks:
Cyber attacks may result in unauthorized access, unauthorized use or transmission of a computer virus which alters, copies, misappropriates, corrupts, destroys, disrupts, deletes or damages the organization’s computer system causing losses to the victim organization and/or may result in Failure of Security or Denial of Service.
Cyber attacks may lead to disclosure of confidential data (data pertaining to clients, the company’s own financial and other confidential data, sensitive HR data relating to employees) corruption or loss of an organisation’s systems or data, corruption or loss of third party systems or data thereby resulting in significant third party liability as also regulatory actions. Cyber attacks may also cause business interruption and damage to reputation. Apart from putting in place the best practices to prevent and deal with cyber attacks and implementing them in letter and spirit in order to prevent and deal with the attacks, it is advisable to consider cyber risks insurance protection to address the following broad categories of losses and expenses likely to be suffered after a cyber attack.
Cyber Risks Insurance: What does it cover?
- Third party liability claims: Defence costs, settlement costs (for the liability of the insured arising out of a cyber event) and denial of service claims
- Crisis management response costs following a data breach: Investigation, public relations, customer notification, credit monitoring and extortion payments etc.
- Regulatory defence costs and fines and penalties: Costs to investigate, defend, and settle fines and penalties imposed by a regulator.
- Insured’s own losses (first party losses): Business Interruption, data restoration costs and forensic costs
Are the cyber claims costly?
- Yes. Cyber claims can be costly. According to NetDiligence 2016 Cyber Claims Study:
- The average cyber breach claim for a large company was almost $6 million.
- While large companies continue to be targeted, the majority of claims submitted for analysis were for organizations with less than $2 billion in revenues.
- Even breaches involving few records can be costly, according to the report. A reported event involved just one breached record but it cost $1.5-$2 million.
- The average total breach cost was $665,000, with an average payout for Crisis Services of $357,000. The average claim in the Financial Services sector was $1.3 million, while the average claim in the Healthcare sector was $726,000. Breach costs ranged from $290 to $15 million
- Average legal defense costs was $130,000 and the average cost for legal settlement was $815,000.
This NetDiligence 2016 report is available at: https://netdiligence.com/wp-content/uploads/2016/10/P02_NetDiligence-2016-Cyber-Claims-Study-ONLINE.pdf
Businesses of all sizes face cyber threats, but some industries are more vulnerable than others. While Healthcare, Manufacturing, Aviation and Construction sectors are vulnerable, Financial services, particularly the Banking sector, are more vulnerable. In the banking world, there is a need to continuously work on methods to improve the reach and efficacy of online banking, and a need for various initiatives to improve customer service. In this context, the risks from cyber attacks become increasingly unnerving.
While cyber risks do not recognize country boundaries, insurers have started receiving claim notifications even in India. It should be noted that the Information Technology Act, 2000 and Information Technology (Amendment) Act, 2008 provide for remedies including compensation for failure to protect data. As for the compromise of 3.2 million debit cards mentioned in the beginning of this article, the banks that have purchased cyber insurance are very likely to recover at least a part of their losses / expenses.
Cyber risks insurance policy is also subject to certain exclusions which need to be clearly understood and negotiated for carve back of coverage, if possible. Otherwise, insureds may face unpleasant surprises. One exclusion relating to “Failure to Follow Minimum Required Practices” merits special attention here. Broadly, this exclusion precludes losses for the insured’s failure to continuously implement the procedures and risk controls identified in the Insured’s application. Please refer to the complaint filed by the insurer in Columbia Casualty Co. v. Cottage Health System to understand the pitfalls in these requirements.
In the context of Indian banks managing cyber risks, it is pertinent to mention what the Reserve Bank of India (RBI) stated in its notification no. RBI/2015-16/418 DBS.CO/CSITE/BC.11/33.01.001/2015-16 dated June 2, 2016:
On “Cyber Security Framework in Banks”:
“…it is essential to enhance the resilience of the banking system by improving the current defenses in addressing cyber risks. These would include, but are not limited to, putting in place an adaptive Incident Response, Management and Recovery framework to deal with adverse incidents/disruptions, if and when they occur.”
On a final note, here is how Sarah Bloom Raskin, Deputy Secretary of the U.S. Treasury, summed up the need for banks to buy cyber insurance. This is from an Executive Leadership Cyber Security Conference hosted by the Texas Bankers Association.
“Why must banking institutions invest in cyber-insurance?”:
“Cyber-insurance cannot protect your institutions from a cyber-incident any more than flood insurance can save your house from a storm surge or D&O [directors and officers liability] insurance can prevent a lawsuit, but what cyber-risk insurance can do is provide some measure of financial support in case of a data breach or cyber-incident. And, significantly, cyber-risk insurance and the associated underwriting processes can also help bolster your other cyber security controls. Qualifying for cyber-risk insurance can provide useful information for assessing your bank’s risk level and identifying cyber security tools and best practices that you may be lacking.”
P. Umesh
p.umesh@liabilityinsurancepractice.com
Disclaimer: The information contained and ideas expressed in this article represent only a general overview of subject covered. It is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insurance buyers should consult their insurance and legal advisers regarding specific coverage and/or legal issues