Patching IT up
Written by Peter Davy
The recently updated National Risk Register features data and infrastructure security among the most pertinent of operational risk considerations. Peter Davy considers the impact on cyber liability
The most expensive data security breach for a UK company to hit the headlines this year has been Zurich’s loss of 46,000 customers’ details on an unencrypted back-up tape. It went missing during a routine transfer to a data storage centre in South Africa, prompting the FSA to fine the firm £2.275m for a lack of adequate controls. However, the most embarrassing has to be down to solicitors ACS: Law. Its list of the names and addresses of more than 5,300 broadband users alleged to have illegally shared pornographic movies online – alongside the titles of the films shared – was posted online last month, following an attack by hackers.
As lobby group Privacy International’s director Simon Davies puts it: “You rarely find a case where almost every aspect of the Data Protection Act (DPA) has been breached, but this is one of them.”
Such cases, though, are just the most notable. Data breaches have become increasingly prevalent in recent years, and at this year’s Airmic conference cyber liability was identified as the most significant emerging liability exposure in its benchmarking study into the casualty insurance market.
Three factors are driving that. The first is the increased publicity around these events, particularly in the US, where there is now mandatory reporting of data breaches in all but a few states. Even in the UK, the Information Commissioner’s Office (ICO) earlier this year recorded the 1,000th reported incident since 2007. High profile cases such as Zurich’s – not to mention others at Nationwide, Aviva, HSBC and various NHS Trusts – have brought the issue to the fore.
As Chris Cotterell, partner at specialist cyber risks broker, Safeonline, says, “You just need to open a paper today and there is always something about identity theft, information loss or hackers.”
That’s probably reflective of another factor: that technology has transformed the risk. Even ten years ago company laptops were still fairly few; now everyone has one. And most people also have smart phones, memory cards and USB memory sticks, all of which have vastly increased the amount of data that can be easily lost.
“Employees could always leave a paper on a train, but now they can lose a laptop or smart phone that has hundreds or millions of pieces of information on it,” explains Adrian Davis, senior research consultant at the Information Security Forum. Finally, there’s regulatory pressure, with Zurich’s fine the largest to date imposed by the FSA and the ICO from April given the power to impose financial penalties up to £500,000. All have helped drive cyber security up the corporate agenda.
“The focus has moved away from the IT department and it is now the board who are looking at solutions,” says Cotterell. “People are worried about it.” There are, of course, still sectors that face heightened risk. As Chris Francis, a director of THB Professional & Financial Risks, says, high street retailers and the hospitality industry, processing large volumes of credit card information both online and offline, are obvious examples. However, there is a huge variety of companies affected, from cinema chains worried that digitally distributed films leave them vulnerable to hackers, to professional service firms and healthcare groups processing high volumes of confidential data, to higher education (“Lots of highly computer literate people with plenty of time on their hands”). “In terms of vulnerability, I think all companies are exposed,” says Francis. “Everyone uses technology in some way and most companies have their systems connected to the Internet.”
And it’s only going to become more important. For a start, technological advance will only exacerbate the problem. Cloud computing, for instance, will continue to present new issues around data ownership. Regulatory pressure, too, is likely to increase. Mandatory reporting is being introduced for ISPs and telecoms companies in the UK from next May, and most expect Europe to follow the lead of the US in widening this to all industries within a few years.
That would have a significant impact. At present, the temptation for a UK company faced with a data breach is to keep it quiet to avoid the potential reputational damage as well as the fines from the ICO or FSA. With mandatory reporting, that’s not an option, and the resulting costs are significant. According to a study in the US by researchers at Ponemon Institute, data breach incidents cost US companies $204 for each compromised customer record in 2009.
As Gareth Tungatt, head of the cyber liability operation at Barbican Insurance, explains, the fines handed down to the likes of Zurich and Aviva (£1.3m) might sound like big numbers, but they are nothing compared to the US. Not only do companies in some states have to offer services such as credit monitoring to affected customers (or even customers whose records might have been breached), there’s also the possibility of class actions as a result of disclosing the breach.
“The same sort of thing there would probably have cost a company several hundred million dollars,” says Tungatt. Not surprising, then, that you rarely see a major organisation in the US that isn’t at least working towards full encryption of all sensitive information, he adds. “In the UK, outside some major blue chip organisations that’s not usually the case.”
However, while Ben Beeson, executive director at broker Lockton International, agrees that it’s mandatory reporting that has really driven the risk out in the States, there are nevertheless already influences here continuing to push data protection up the agenda. First, pressure from the likes of the PCI, founded by the big credit card companies, and its insistence that companies comply with its data security standards. Then there are other contractual arrangements, where information is being outsourced, such as for payroll or credit card processing.
“Companies are coming to us because they are signing new clients who demand they insure the data risk they are taking on,” says Beeson. “Even if the government isn’t going to drive it yet through legislation, contractually it is already starting to happen.” Fortunately, the insurance solutions available to companies to handle this risk have also come of age at just the right time.
GETTING TO GRIPS WITH THE RISK
Traditionally, there has been some reluctance on the part of insurers to provide cover, partly because the lack of mandatory reporting meant there was little claims or events history in the UK to look back on. Some were put off entirely; others only provided cover with the reassurance of pretty intrusive examinations of clients’ network security controls by IT consultants, for example. Some say it’s still a problem.
“It sometimes seems you have to collect so much data and have such tight procedures that by the time you have convinced the insurer to cover you, you have pretty well convinced yourself that you don’t need it,” says one commentator. However, for a start, that caution was not entirely misplaced. After all, a few players who were attracted by the potential of the market and came in over the last few years did so with wordings that were arguably too broad and without appropriate sub limits, and were burnt as a result.
Furthermore, to a large extent, most of the teething problems have now been resolved. There is now a good range of policies in the market, say most, covering not just notification costs but also credit monitoring, business interruption and reputational harm, as well as wider wordings covering other cyber-threats as well, such as publishing risk, cyber extortion and network security events.
“Some of the products have been around for a long time but the solutions available over the last two or three years have become a lot more comprehensive,” says Tungatt. On top of that, brokers say the number of players keen for a share of the market also means there is good capacity and premiums are affordable.
The two concerns that remain are possibly standardisation, with a wide range of cover still in the market reflecting the fact that the policies have developed from various different lines, and the related question of broker expertise. Perhaps not surprisingly, the specialists argue other brokers may lack sufficient understanding to ensure clients buy appropriate cover.
Arguably the bigger problem that remains, however, is persuading companies that insurance is needed.
Of course, many businesses do increasingly take data security seriously and invest heavily in protection from hackers and viruses (although it’s clear some still don’t). However, internal threats – which according to Forrester Research are responsible for 70 per cent of all data losses – can be harder to manage.
“People have put a huge amount of protection on their perimeters to protect them from external threats, but with inside attacks and mistakes it is down to the procedures your staff follow and there still seems to be a lack of training,” says Paul Skinner, UK and Ireland practice leader of ICT underwriting at Chubb. “You can buy as much security to stop people coming in as you like but even a small error internally can cause just as serious a breach as a hacker.” Or, as Aviva’s chief security officer Paul Wood has put it, “There’s no patch for human stupidity.”
This fact, combined with the sheer scope of the risks companies face, means that for most a loss is probably inevitable. As David Rees in the technology practice at Marsh says, “These days it is not a case of if, but when you have a data breach.” That is why insurance remains so important.
Ultimately, of course, it’s not an argument that will be won completely until mandatory reporting in the UK catches up with the US. However, as Beeson says, “We might not be there yet, but it is clear that it is coming.”