Cyber Risk
As the benefits of new technology increase, so do the risks. Cyber Risk is the downside to the remarkable gains made in recent times by the adoption of new technology.
Most cyber risk is related to software and data, but there are recorded incidents where it has affected the “real” world and caused physical damage. The most publicised example of this is the Stuxnet virus, which affected the Iranian nuclear program. However, there have been others where safety systems have been overridden, leading to overheating and fires. The more common risk is closer to home and nowhere near as noteworthy – a hacker stealing data or a virus locking a computer accompanied by a ransom demand. There are countless real examples of these things happening and they are gaining more and more attention in the media.
Key Risks
The risks can be broadly categorised into First Party Risks and Third Party Risks. While both will impact on your business and could ultimately be your responsibility, the difference lies in who is initially affected and whether you will pay the costs up front or have to respond to a claim against you by a third party.
First Party
This includes the actual downtime where your business cannot trade due to disruption to your system, as well as the ongoing losses caused by damage to your reputation. Points worth discussing:
• How reliant are you on your system – could you trade if your system was unavailable for an extended period?
• How reliant are others on your system – if your customers rely on your system for their business will they continue to pay the monthly costs for a system they can’t use?
• What plan do you have in place following a cyber event, for example notifying affected parties, mitigation of the damage (redundant systems, data backup, restoration costs) and steps to prevent a recurrence?
Third Party
These are claims made against you by affected third parties which could include your customers or suppliers. Anyone who relies on your system or you hold data about could potentially be affected.
• Privacy breach – just because data appears innocuous, it doesn’t mean someone won’t want to steal your data and the affected parties won’t want compensation.
• How many parties depend on your business to operate? These could all lodge a claim against you for their losses caused by the disruption.
• Commercially sensitive information – do you hold any third party information which could be considered commercially sensitive and therefore be a target for hackers?
Risk Management
The risks need to be reviewed regularly and ideally a board member should be responsible for cyber risk. Most businesses have some form of network security in place and employee policies around passwords and access to information. While these are a good start there needs to be more thought put into proactive steps such as retaining expertise to deal with cyber threats (either in-house or outsourced), penetration testing by cyber security specialists and regular reporting on activity.
Risk Factors
While all businesses have a degree of cyber risk, the magnitude will vary depending on a number of factors. The amount of third party data held isn’t the only risk factor; the type of data held will have an impact as well. Consider a hospital holding medical records compared to a patent attorney holding commercially sensitive information which supports patent applications.
The stage of your business also has an impact. Is your business developing new products, which aren’t yet in the market or is there a highly sensitive sale and purchase taking place?
How connected is your business to the world, and what systems are in place if that connection is lost? Can systems work offline or will the business shut down until they are restored? What effect does regulation have on your business? This is particularly relevant if you are in multiple jurisdictions as you may have to comply with different rules in each jurisdiction. How good is the security used by your customers and suppliers?
To discuss your Cyber Risk profile with an Apex broker call 09 520 9441 or email enquiries@apexinsurance.co.nz
Insurance Solutions
Cyber Insurance
This policy will cover all the risks outlined above. It has been specifically designed for these risks, and more importantly provides the emergency response capability so the company can react quickly.
Professional Indemnity / Technology Liability
These policies will respond to most of the third party losses and may have limited cover for the first party losses. None have a Cyber Exclusion yet, but there are indications that these may appear. Most have a War & Terrorism exclusion which will exclude some claims depending on the facts of the case.
Directors & Officers (D&O) Liability
This policy may respond to some of the third party claims and may have some cover for first party (reputation, crisis response) costs. There is currently no cyber exclusion in D&O policies but the War & Terrorism exclusion may apply. Note that some D&O policies have a “Failure to Maintain Insurance Exclusion” which may also apply as Cyber insurance becomes more common.
Cyber risk is a business risk, not an IT issue
All businesses should have IT security in place which is appropriate given their risk profile. A major benefit of a Cyber Insurance policy is the 24/7 response as that can minimise the damage caused.
There are some key points to remember when assessing and dealing with Cyber Risk in your business:
• There needs to be someone senior in the business who is responsible for staying on top of the risk.
• It is important to retain the expertise, whether in-house or outsourced, to properly address the risk.
• Identifying the risks is only half the battle; you must then decide what to mitigate, transfer or accept.
We are always available to work with you to identify and assess the risks in your business.