Cyber Liability – The Internet of Things

The “Internet of Things” is the product of the increasing connectivity of corporate computing infrastructures, industrial machinery and electronic consumer devices.

This creates new cyber threats for businesses, which will need to be managed through a combination of robust cyber security measures and cyber liability insurance.

The phrase “Internet of Things” is associated with devices that are capable of communicating via the internet through programmed commands or by “learning” patterns of behaviour and activity, so as to recognize common occurrences in our daily lives and communicate with other devices accordingly.

With more devices and people being connected to the internet in the coming years, this will produce a global impact, with the estimated market for the “Internet of Things” thought to be $66 billion between now and 2019.

From a business and consumer perspective this has many advantages, whether it be controlling an industrial process remotely or switching on your central heating whilst you are on the way home on a train. It does, however, come with very real cyber related threats.

The main threat brought by the “Internet of Things” is the vulnerability to the loss of data and the compromising of personal information, as devices will have access to such information about a business or individual. This scenario makes it a prime target for a security breach from a targeted hacker attack.

Examples of recent attacks this year:-

  • Hacking attack on a German steel mill, where hackers gained control of a smelting furnace and caused it to overheat, resulting in damage to the furnace and interruption to the business.
  • Hackers took remote control of cars' steering, braking and acceleration.
  • Baby monitors being hacked, allowing third parties to control the monitors.

This year Lloyd’s of London commissioned a report in which a hypothetical attack was carried out on the electricity grid of the Eastern US. It was calculated that the loss could equate to $2 trillion, which would not all be covered by insurance.

A cyber liability insurance policy will provide coverage for both third party and first party losses. This encompasses a business's third party liability and first party exposures resulting from a data security breach, the response and associated investigation costs. It can also respond to business interruption loss and damage to a business's computer systems and its data. The policy, however, is unlikely to respond to all first party damage and claims involving bodily injury. It will therefore be necessary for other insurance policies to be reviewed by your insurance broker to ensure that any gaps in coverage are appropriately addressed.


The importance of Cyber Liability Insurance

The importance of cyber liability insurance in the future was highlighted as EU Protection rules were finally agreed between the Parliament, the Council and the Commission. This will be known as the General Data Protection Regulation (GDPR) and will apply to all current 28 EU members.

This will unify and modernise data protection laws across the EU. It will apply to data processors as well as data controllers.

The next stage is for the Civil Liberties Committee to approve the text of the GDPR, and once this has been approved it will be put to the vote by Parliament at the beginning of 2016. The Regulation will then become directly applicable and will take effect in Member States in 2018.

Some of the main data protection requirements will be as follows:-

  1. Businesses will need to appoint a data protection officer.
  2. Data breaches will need to be notified to the relevant data protection authority within 72 hours. Depending upon the breach, it may also need to be notified to the affected data subjects.
  3. Businesses will need to carry out privacy impact assessments prior to carrying out any high risk data processing.
  4. Businesses will need to implement privacy by design when processing personal data.

If a business is found to be in breach of the GDPR, it may face a fine of up to 4% of its total worldwide turnover, which demonstrates the importance that the EC attaches to this.

This has been a very busy two weeks for the EEC as they also announced last week the first cyber security law, the Network and Information Security Directive. This represents a security and reporting directive for companies in critical business sectors such as transport, energy, health and finance.

Despite the GDPR not coming into force until 2018, it is important to consider now the implications of the cost of compliance for a business, such as:-

  • The adequacy of IT systems
  • The current methodology of data collection and processing
  • The re-training of staff on the new data protection law and the implications of non-adherence

Cyber liability insurance will play a significant role in supporting businesses when enforcement of the law takes place.

A current cyber liability insurance policy can assist as follows:-

  • Privacy liability

Damages and claims expenses associated with the unauthorized disclosure of confidential information.

  • Privacy regulatory defense and penalties

In the event of a data breach, the policy would provide coverage for claim expenses incurred as a result of a civil regulatory action, which includes civil penalties or fines to the extent that they are insurable by law.

  • Privacy breach response costs and customer notification expenses

The policy would assist with the response costs associated with the breach and customer notification costs of individuals that may have had their data compromised.

  • Customer support and credit monitoring expenses

This would involve the support of a specialist crisis management response team and the availability of credit monitoring for a period of time post breach, up to a year.

Cyber liability insurance is an evolving insurance product, with insurers constantly looking to enhance coverage in response to a business's developing technology exposures, and it is anticipated that this niche product will further develop in response to the forthcoming GDPR.


Cyber Security – New EEC Directive

This week the EEC announced the first cyber security law, the Network and Information Security Directive. This is a security and reporting directive for companies in critical business sectors such as transport, energy, health and finance. This will also apply to the likes of Google and Amazon.

The directive is primarily twofold:-

  1. Requirement of companies to report cyber security breaches.
  2. Requirement of companies to ensure that they have a secure digital infrastructure in place.

A body of teams will be set up to manage incidents, in the shape of Computer Security Incidents Response Teams (CSIRTs).

This is likely to ensure greater visibility of cyber crime and data breaches within companies. The impact of this could have commercial consequences, as it will affect whether companies are considered by their trading partners to have adequate cyber security in place. The emphasis of this law is clearly to encourage companies to address their cyber security, and it would be prudent for companies to be proactive now in order to be ready for the implementation of this law, which is anticipated to come into force within the next two years.

This is a timely decision, as in the US this week the Federal Trade Commission won a lawsuit against Wyndham Worldwide Corporation, who failed to properly safeguard customers' information. Three separate data breaches were suffered, affecting 619,000 customers and leading to $10.60M in fraudulent credit card charges. As a result of this, Wyndham will be required to improve all aspects of their cyber security.

This new directive should not be confused with the General Data Protection Regulation, which will bring uniformity to data protection laws in the EEC and compulsory data breach notification for all businesses.

The impact of this new directive will no doubt provide insurers in the cyber liability insurance market with some much needed comfort, as one of their focuses in their rating and assessment of exposures is the level of cyber security.

If this is going to improve, it will eventually impact on premiums and conceivably exert downward pressure on premium rates.


Small Businesses – Cyber Security

It may be obvious, but what cyber security exposures does a small business have that could lead to cyber crime or a data breach?

A typical small business is likely to have the following cyber security exposures:-

Computer Servers – your servers and the servers of third parties upon whom you may be dependent.

Laptops – of all your employees and any temporary staff.

Mobile Devices – do you know who has a mobile device, do they work from home, do they use wi-fi in the local coffee shop?

Removable Media – are all USB sticks accounted for and are employees allowed to remove them from the office?

Paper Records – do you still use paper files? These should be replaced by electronic files.

Electronic Files – what data is stored on your electronic files, is it personally identifiable information?

Company Website – is this protected by the most up to date firewalls?

Databases – what data is stored on your electronic files, is it personally identifiable information?

Software – how old is your software, does it need to be updated, is it regularly patched?

Computer Networks – what is your dependency on third parties?

Use of Cloud Services – does your cloud provider purchase professional indemnity insurance?

Once you are comfortable that you have identified all of your technologies, a risk analysis should be carried out, followed by a review of your internal procedures such as the website privacy policy and conditions. This should be carried out in tandem with a review of all of your external procedures and providers, such as any third party and cloud providers on whom your computer services may be relying.

Are your Business Continuity Plans and Disaster Recovery Plans up to date?

Are your staff trained in all the most up to date cyber security company policies?

Have you considered Cyber Insurance for your business? The purchase of this type of insurance is a balance: on one side are the cyber related exposures that you own and are confident you can manage and accept; on the other are the risks that you may not be able to manage and the areas that could cause the business a significant loss and impact severely on your balance sheet.

Cyber Security Threats for 2016

Cyber security will remain a high profile issue for businesses as we move into 2016.

Many small businesses do not appreciate the speed at which cyber related exposures are developing and the importance of robust cyber security being in place. It is therefore vitally important to be aware of these, as businesses are nowadays almost 100% reliant on technology.

Existing cyber security risks will develop and new ones are likely to emerge. Some examples of these are as follows:-

  • Outdated technology may be susceptible to unauthorised access from a hacker if patching has not been carried out on a regular basis.
  • Current security procedures need to be updated to keep pace with the sophistication of hackers' techniques.
  • Forgotten maintenance of the Internet may lead to opportunities for hackers.
  • The Internet of Things will provide increased connectivity between many more devices and has the potential to produce vulnerabilities and security loopholes.
  • Businesses are increasingly moving towards the use of cloud providers, and therefore being able to monitor data is likely to become more difficult. The abolishment of the Safe Harbour will have a particular impact on firms trading in the USA.
  • Perceived increased focus by hackers on small businesses that may not have the same standard of IT security as larger companies.

The underlying message is that the cyber risk landscape is constantly evolving, and businesses must be increasingly on their guard to anticipate this by updating and improving their existing cyber security.

A Data Breach might be happening right now …

Data Breach – this can occur without you knowing it and could be happening in your business right now …

The average time before a data breach is detected in a business is 205 days, and it has been known to be as long as 8 years.

In the real world a bank robbery occurs in a matter of minutes; in the virtual world a compromise to your security and the gradual stealing of data could occur over many days and even years without you being aware.

It is therefore very important that a business has effective cyber security measures in place to combat and manage a potential data breach.

The key to this process centers around three main areas:-

  • The most up to date software or software that is regularly patched.
  • Effective risk management procedures which are constantly reviewed and supported by management at all levels.
  • Regularly updated business continuity / disaster recovery plans.

With this in place, the chances of discovering a compromise of your computer systems at an early stage increase, although it is very unlikely that you will achieve 100% certainty.

Once discovered, it is vitally important that the management of a data breach is carried out in a prompt and organised fashion. If it is not, it could make the difference between a business surviving and not being a viable entity post data breach.

A cyber liability insurance policy can help mitigate the impact of a data breach by providing the following benefits:-

  • Crisis Management – this involves the appointment of a crisis management consultant to assess and manage the data breach.
  • Public Relations Costs – the purpose of a PR consultant is to manage the data breach in the public domain so that reputational damage can be minimal.
  • Call Center Costs – the utilization of a call center will assist with the additional costs incurred in managing customers' concerns about the possible loss of personal information and notification of the incident.