Corporate Use of Data and Technology and Its Implications
The perception is that only companies that collect, store, transfer and generally manage large sets of personally identifiable or health-related data need cyber insurance solutions. Consider, however, that a breach of data can extend well beyond personally identifiable or health data, and that cyber insurance covers the potential liability for the theft of corporate data [such as data that is subject to legal privilege or is not available to the general public, including trade secrets, designs, forecasts, formulas, reports, etc.].
Cyber insurance extends well beyond issues of privacy. Solutions have been developed to align insureds with IT, legal, PR, and notification specialists to help manage cyber events. Further, customized 1st party solutions have been expanded to cover:
- Data and System Restoration – costs of reinstalling and developing systems and software if they are affected by a cyber event, and all costs of recreating data that is affected by a cyber event
- Business Interruption [non-physical perils] – the loss of net income and increased costs of working in the event that a company suffers a cyber event
- IT vendor Business Interruption [Contingent BI] – the loss of net income and increased costs of working in the event that a named IT vendor suffers a cyber event and is unable to deliver to the insured, stopping them from being able to provide their business services
Therefore, cyber insurance solutions exist for all different types of industries.
Consider a widget-producing manufacturing company in the US or outside of the US, regardless of its size. The company is worried about the operational risk associated with its production systems being taken offline and the financial implications of non-delivery. Regardless of jurisdiction or size, the insured is most likely to need a robust 1st party System Damage, Business Interruption and supply chain management proposition, which also covers any contractual liability associated with non-delivery.
Retailers globally face many of the same challenges. From transacting credit cards to hosting loyalty schemes, retailers have a high degree of exposure to privacy breaches. However, the shift to hosting ecommerce platforms has led to a proliferation of data stored by retailers, and the integration of technology into shipping and inventory management means that they are more dependent on system and network accessibility. Regardless of their size or jurisdiction, retailers should consider:
- A comprehensive, robust 1st party System Damage, Business Interruption and supply chain management proposition; and
- A proposition to protect them from a breach of privacy, including the costs of notifying affected individuals and any applicable regulators, as well as any liability or regulatory investigations which arise due to the breach of personal information or credit card information.
Management consultants have a less obvious exposure to cyber events. They do not tend to hold high volumes of personally identifiable information, and their business interruption exposure is minimal (depending on their engagement, net income is more likely to be deferred rather than lost). However, management consultants are vaults of information not available to the general public and subject to legal privilege. Client lists, prospectuses, designs, forecasts, etc. all carry a value well beyond the inherent cost of producing the physical documents. If this information is inadvertently released or made public, the consultant could be liable for any damages their clients incur as a result of the privacy breach. Management consultants should therefore consider a robust cyber proposition offering coverage for defence costs and damages incurred in the event that corporate secrets are lost.
Globalisation is no longer only an issue for large global corporates. The outsourcing model and ecommerce mean that local entities are often servicing a global platform. Subsequently, breach notification and data protection laws have been, and continue to be, developed to transcend borders and protect local consumers and businesses. The outcome is that while your local data protection laws might not be severe, it is important to understand how your clients potentially expose you to unforeseen issues.
The US has very different privacy laws from Thailand. In addition, US and Thai-based insureds will have a different inherent understanding of the threat that cyber risks present to their operations and as such will not have the same insurance obligation.
A US-based airline is likely to be concerned about the financial implications of managing through and litigating a large data breach and will be more likely to invest in a comprehensive Privacy and Network Security Liability proposition.
A local Thai-based airline that services internal flights through Thailand will be more concerned about the operational risk associated with system interruption and data corruption [as opposed to data theft] and will look to purchase a robust 1st party System Damage, Business Interruption and supply chain management proposition.
A national Thai-based airline that services global tourists flying in and out of Thailand is likely to be more concerned about the issues in Example 2. However, given that it services a global network, it should be aware of customers based in jurisdictions with more stringent data protection legislation, such as the US and Europe. As such, the insured should be considering a blended network interruption and privacy breach proposition.
In reality, none of the approaches are wrong, and these examples simply highlight different strategies for managing perceived business enterprise risk. EmergIn understands these distinct approaches and has developed privacy and system redundancy propositions within our cyber solutions.
Size does not matter. While many of the headline cyber events are targeted attacks over a sustained period of time, the reality is that the majority of cyber breaches are opportunistic. Malicious actors will exploit the easiest target, which is often a small-to-midsized company that is likely to have a less structured IT security management plan or minimal employee training schemes. The same is also true when the headline cyber events occur, in that it is often easier to gain access to the targeted company by piggybacking on a smaller, less secure entity which may have network access to the target company. Subsequently, all companies are at risk, and insurance solutions must appreciate that the risk transfer needs of a large insured may vary significantly from the support smaller companies rely on.