liability

Cyber Insurance – The Moody Teenager

by
cyber insurance

Cyber Insurance in its current format can be likened to a “moody teenager” – it is going through some growing pains , searching for an identity and not yet attractive to the opposite sex !  In insurance terms , cyber insurance is still evolving, the policy coverage is still developing and it is still not recognized as an essential insurance policy that a business should purchase. So why is this…. ?

The cyber insurance market has seen it’s profile increased significantly over the last few months. A number of factors have contributed  to this such as the TalkTalk breach, together with a number of other high profile data breaches and the increase in social engineering cyber crime. The Information Security Breaches carried out by pwc last year indicated that security breaches were on the increase. 90% ( 80% 2014) of large organisations and 74% ( 60% 2014) of small businesses suffered a security breach.

This “moody teenager ” however does not seem to be ready for the big wide world and is being held back by a number of factors :-

1.Knowledge

Businesses do still not possess the knowledge to have the confidence to purchase this form of policy due to a lack of education by the insurance industry and associated professions. Some businesses are under the impression that they already have adequate cyber coverage within their professional  indemnity or property insurance policies.This is also not helped by the lack of consistence terminology and of coverage within the policy wordings provided by insurers and makes assessment of the purchase difficult , even with the guidance of an insurance broker.

2. Policy Coverage

The cyber insurance policy in the UK is still very much at an embryonic stage , the policy coverage offered is still developing and not yet fully responding to certain areas such as reputational damage , property and bodily injury cyber related incidents. There is however the availability of “gap policies” provided by certain insurers , but no “one stop” solution.

3. Cost Prohibitive

The cost of cyber insurance in many quarters is still considered expensive to a business and if a business does not consider it “fit for purpose ” then they will be reluctant to take out this form of insurance. Insurers are however attempting to reduce premiums to attract policyholders but this tends to be where perceived exposures are much lower.

4. IT Reluctance

The IT team within a business is a stakeholder in the purchase of cyber insurance and it can be seen on many occasions that they are a reluctant purchaser of this form of insurance, as they feel that the business has the required technology and security to combat a cyber attack. This is borne out by the Wallix.com survey carried out last year with IT professionals whereby 47% of the profession thought that there was ‘insufficient need’ to invest in cyber insurance.

5. Data & Privacy Laws

There is no compulsory data notification laws in the UK and therefore businesses do not feel that there is a need to purchase cyber insurance . This is a common misconception as cyber is a modular policy and offers a number of other areas of coverage such as business interruption , cyber extortion and website damage.

6.Maturity of Market

The UK cyber insurance market is behind the US equivalent by a number of years which is due to the fact that compulsory data notification laws has been in existence in many states for some time and also the US has a much more mature claims experience in a highly litigious climate. The UK cyber insurance will therefore always be at a different stage of development that its US counterpart, this could however in the long term could be to their advantage with advanced analysis and technological advancements available to insurers to develop this specialized insurance product.

Increased collaboration between insurers, insurance brokers and the cyber security sector is a way forward and there are definitive signs that this is happening which will improve the current dynamics of cyber insurance , after all cyber insurance is only part of risk management armory that a business should have in place to combat cyber security threats.

 

Data Breach – is the Healthcare Sector next?

by
Data Breach

Is the healthcare sector the next target in the UK for hackers to bring about a major data breach?

In the US over the past year there have been a number of high profile and costly data breaches, the largest of which was suffered by the health insurer , Anthem Inc where 80 million personal records were stolen, in addition to this there were four other known multi-million record data breaches in this sector. In the UK the number of data breaches so far have been small in comparison and have been limited to loss of laptops and USB’s causing minor data breaches.

According to the 2015 Global Ponemon Institute Study on data breaches there are signs of a significant increase in cyber attacks in the healthcare industry . The study identified that 91% of healthcare organizations have been subject to one data breach. Cyber attacks in this sector were also up by 125% from 2010 to 2015.

The healthcare sector in the UK data extends to many establishments , the foremost being hospitals , clinics, health insurers , care & retirement homes , universities and colleges.

So what types of data are stored by these bodies that would make them attractive to a hacker ?

Patient Information

  • Medical records
  • Test Records
  • Appointment information
  • Medical insurance details
  • Credit card and bank card details

Employee Information

  • National Insurance records
  • Salary details
  • Bank details
  • e-mail addresses
  • telephone numbers

In addition to this these bodies are likely to be dependent on third parties who may provide or store some of this data.

Where would a possible threat come from that might cause a data breach ?

Insider Threats

Employee negligence where as a  result of an error causes a security failure or they carelessly leave a lap top on a train

Employee  ignorance where inadvertent disposal of personal data occurs or perhaps a lack of training and awareness

A malicious employee who may be unhappy and wishes to cause disruption

Outsider Threats 

Hacker attack which can take the form of many methods such as by the injection of malware into a computer system or the bringing a phishing attack.

Theft being caused as a result of social engineering tool to disguise e-mails that may lead to an extortion threat in an effort to release data.

Third party vendors who may have been breached themselves and caused a subsequent data breach to the primary entity.

Why are healthcare records being targeted by hackers?

  • Healthcare records are worth 5 times more than the value of credit cards
  • Credit cards can be cancelled
  • The value of healthcare data can be utilized for a wider variety of purposes

What are the end use for healthcare records?

  • Personal Identity Theft
  • Financial Identity Theft
  • Various forms of insurance fraud
  • The falsifying of prescriptions

The Healthcare sector in general has a number of challenges including the management of on-going conversion from paper records to digital files and maintaining of computer security that constantly require updating to keep pace with the technology that hackers now possess.

Aside the threat of a data breach is the threat that more medical devices are connected to the network and the ensuing connection to IP networks which exposes devices to more cyber attacks. The “Internet of Things” is also a real threat to this sector and more so to patients where there is an ability to hack medical devices like insulin pumps or pacemakers.

Cyber liability insurance can play an important role to help mitigate a serious data breach and should be a important consideration by organizations in this industry. This sector is perceived to be in a high risk category by the insurance market and it is therefore an area that cyber security consultants can add considerable value here to help insurers assess the relative exposures and offer commensurate premium and terms.

The importance of Cyber Liability Insurance

by
Cyber Liability Insurance

The importance of cyber liability insurance in the future was highlighted as EU Protection rules were finally agreed between the Parliament, the Council and the Commission . This will be known as the General Data Protection Regulation ( GDPR) and will apply to all current 28 EU members.

This will unify and modernise data protection laws across the EU , it will apply to data processors as well as data controllers.

The next stage is for the Civil Liberties Committee to approve the text of the GDPR and once this has been approved it will be put to the vote by parliament at the beginning of 2016. Regulation will then become directly applicable and will take effect in Member States in 2018.

Some of the main data protection requirements will be as follows:-

  1. Businesses will need to appoint a data protection officer
  2. Data breaches will need to be notified to the relevant data protection authority within 72 hours. Depending upon the breach it may need to be notified to the affected data subjects.
  3. Businesses will need to carry out privacy impact  assessments prior to carrying out any high risk data processing.
  4. Implement privacy by design when carrying out processing personal data.

If a business is found to be in breach of the GDPR , a fine of up to 4% of their total worldwide turnover which demonstrates the importance that the EC attach to this.

This has been a very busy two weeks for the EEC as they also announced last week the first cyber security law , the Network and Information Security Directive . This represents a security and reporting directive for companies in critical businesses sectors such as transport , energy , health and finance.

Despite the GDPR not coming into force until 2018 , it is important to now consider the implications of the cost of compliance on a businesses such as :-

  • The adequacy of a IT systems
  • The current methodology of data collection and processing
  • The re-training of staff with the new data protection law and implications of non- adherence

Cyber liability insurance will play a significant role in supporting businesses when enforcement of the law takes place.

A current Cyber liability insurance policy can assist as follows:-

  • Privacy liability

Damages and claims expenses associated with the unauthorized disclosure of confidential information.

  • Privacy regulatory defense and penalties

In the event of a data breach the policy would provide coverage for claim expenses incurred as result of a civil regulatory action which includes civil penalties or fines to the extent that they are insurable by law.

  • Privacy breach response costs and customer notification expenses

The policy would assist with the response costs associated with the breach and customer notification costs of individuals that may have had their data compromised.

  • Customer support and credit monitoring expenses

This would involve the support of a specialist crisis management response team and the availability of credit monitoring for a period of time post breach, up to a year.

Cyber liability insurance is an evolving insurance product, with insurers constantly looking to enhance coverage in response to a businesses developing technology exposures and it is anticipated this niche product will further develop in response to the forthcoming GDPR.