Cyber risks are everywhere as the world becomes more digitalised. Ms Cecilia Chang of GC&C Asia says while traditional policies may cover some cyber risks, there are serious gaps in that cover. A comprehensive cyber insurance solution is needed in such cases.
Cyber risk pertains to loss derived from cyber attacks and non-malicious IT failures. In this day and age, any individual or business that uses technology is exposed to cyber risks and therefore would benefit from cyber insurance.
Cyber loss has historically been equated with data or privacy breaches. With the advancement of technology, it has now evolved to encompass a broader scope of risk exposures, both tangible and intangible. The difficulty to quantify and predict these risks make cyber risk management a highly talked about but tricky and at times, controversial subject – one that can lead to confusion and varying interpretations.
First and third party losses
Generali has identified the following first and third party losses related to cyber risks:
- Breach of privacy event – cost to investigate and respond to a privacy breach event, including IT forensics and notifying affected data subjects. Third party liability claims arising from the same incident, fines from regulators and industry associations.
- Business interruption – lost profits or extra expenses incurred due to the unavailability of IT systems or data as a result of cyber attacks or other non-malicious IT failures.
- Cyber extortion – cost of expert handling for an extortion incident, combined with the amount of ransom payment.
- Data/software loss – cost to reconstitute data or software that has been deleted or corrupted.
- Death and bodily injury – third party liability for death and bodily injury resulting from cyber attack.
- Incident investigation and response costs – direct costs incurred to investigation and to “close” the incident and minimise post incident losses.
- Intellectual property – loss of value of a patent, trademark or copyright expressed in terms of loss of revenue (as a result of reduced market share).
- Network failure liabilities – third party liabilities arising from certain security events occurring within the organisation’s IT network or passing through it in order to attack a third party.
- Physical asset damage – damage to physical property as a result of cyber attacks.
- Reputation impact – loss of revenue arising from loss of customers or reduced transaction volumes which can be directly attributed to the publication of a security breach event.
Gaps in cover
While one or a combination of these risks may be included in some traditional products, below are recent cases that show some gaps in traditional coverage and how the extent to which cyber risks are covered may not be enough.
-
Cyber extortion – Hospital cyber ransom for bitcoin incident in Los Angeles, USA
Computer systems of the hospital experienced a malware attack. This prevented sharing of electronic communications and risked compromising critical life support systems. Doctors had to rely on telephones and fax machines to relay patient information. Communications between hospital and staff were bogged down by paper records, difficulty reading doctor handwriting, and reports of ambulances being diverted from the hospital.
The decryption key to unlock the system was received after the hospital paid a ransom worth US$17,000 in the form of bitcoins. Fortunately in this situation, patient care was not compromised. However, medical malpractice policy could have been triggered if bodily injury had resulted from the incident. Most medical malpractice coverage focus on data privacy and even then is only offered as an extension.
- Cargo theft – Hacking of cargo truck coordinates and route information
Fake emails allegedly originating from the Suez Canal Authority were sent to vessels asking for detailed and confidential route information. Had this resulted in theft, robbery and hijacking of cargo, it could have been considered a marine cargo loss even if no physical robbery or bodily injury had actually occurred.
Issues we face
From these examples, we can see that while traditional coverages have expanded to include certain cyber risks, there are still blurred lines and gaps in coverage that customers need to understand.
We can typically find these gaps in the areas of third party liability, breach response, remediation costs, business interruption costs, and fines/penalties. An experienced and knowledgeable cyber insurance broker or coverage attorney can help evaluate coverage options and assess which coverages are essential to specific companies.
Key considerations include:
-
What events are covered in the policy
-
What events are excluded from the policy
-
Types of data covered, ie paper records left in a dumpster, data breach by a third party cloud services provider
-
Gaps of traditional coverage
-
What response costs and services are covered in a breach
Given the complexities and scale of cyber risks, we at Generali are assessing our capabilities vis-à-vis the market needs in order to put together a fully comprehensive cyber insurance solution for our clients. A
Ms Cecilia Chang is Head of Financial Lines at Generali Global Corporate and Commercial Asia.