As businesses align their strategies with online routes to market, major companies continue to suffer losses due to cybercrime. For organizations, losses may be reputational as well as financial--business interruption, customer claims, the cost of recreating data, and loss of future business.
Later this year we expect the long-awaited amendments to the Personal Data (Privacy) Ordinance to be enacted. Although the public consultation and the Privacy Commissioner's Office suggested laws requiring those who suffered security breaches resulting in lost personal data to inform affected persons (and regulators) of the losses, this hasn't been included in the bill currently being debated by LegCo.
Until then, we are left with the current voluntary scheme, which allows breach reporting to be taken off the "must do" list of regulatory risks.
Insurance as part of the response
Businesses have turned to cyber-insurance to mitigate risk. "Cyber Liability insurance was first launched back in 2000--today we're seeing increased interest in this area," said Stella Tse, managing director at insurance broker and risk management firm Marsh. "Insurers are redesigning their products to include liability arising out of breach of data privacy; civil fines and penalties; notification and monitoring expenses; loss of business income; forensic investigation expenses; cyber-extortion and public relations professional costs to repair reputation."
Payments by insurers for claims occasioned by cyber attacks are only a partial response--no amount of risk transfer to insurers can compensate for reputational losses, nor rectify lax employee practices.
But, except where there is a systemic failure to grasp the problem, insurance plans can help mitigate an organization's risk.
Elements of a risk-based approach should include:
1) an evaluation and prioritization of the risks affecting the subject organization;
2) studies of the workflows and technical measures associated with these risks;
3) detailed consideration and pricing of the available insurance options;
4) communication and education of the enhanced processes across the organization.
A specialized cyber-risk insurance policy is necessary. Coverage would not usually be triggered under a commercial general liability policy--many of which also have exclusions. Importantly, property-damage policies typically do not acknowledge "data" as property. "Cyber liability" essentially comprises two defined risks:
• Security Liability: the unauthorized access and/or use of a network. Employees or others with access to the network can misappropriate identity information or business secrets, transmit malicious code, and launch a denial-of-service attack against your network or other networks.
• Privacy Liability: the breach of personal data protection laws that allow individuals to control the collection, access, transmission, use, and accuracy of their personal information.
The available policy coverage options start with General Internet Crime Liability. This addresses the first- and third-party risks associated with e-business, the Internet, networks and informational assets.
However, it is critical to review your business activities to ensure appropriate coverage. Appropriate Property, Directors and Officers, Business Interruption and Fidelity wordings need to be added to this. For those businesses offering software and services susceptible to outage or malfunction associated with a cyber-attack, Electronic Errors and Omissions coverage should also be obtained.
Finding the right coverage is not straightforward. The first hurdle is to understand your risk profile. Try completing a proposal form for a cyber-insurance policy--this will likely highlight your areas of weakness (or lack of understanding). If coverage is expensive or difficult to obtain, you may be able to work with your insurance broker to improve practices and training such that coverage becomes obtainable.
"Many of these [coverage items] are optional, so it's important for the companies to work with their broker to carry out a range of reviews to identify their main exposures, current mitigation activities and potential solutions," said Tse. "There are various forms of insurance policies and with due care, they can be constructed to provide the desired protections."
Risk managers should take heart that help is at hand in the fight against cyber risks.
Note that the views expressed by ViewPoint contributors do not necessarily reflect the views of Computerworld Hong Kong or its editorial staff.
This story, "Can Insurance Cover Cybercrime Damages at Your Business?" was originally published by Computerworld Hong Kong.