Why should organisations invest in Cyber Insurance?

2021-06-22

What is Cyber Insurance?

Cyber insurance is a type of insurance that covers an organisation from losses arising from cybersecurity breaches such as malware, hacking, ransomware, data breaches, and other cyber incidents. In the digital age, this is one aspect of business operation that an organisation has to consider. Why?

Trends in the Digital Age

Data Protection (privacy) governs how data is collected, used, stored, and disclosed (or disposed of), whilst Data Security protects data from being compromised by deliberate external attackers (hackers) and by malicious or even ignorant insiders. Hence a Data Security system, more commonly known as an Information Security Management System, is required to protect the three aspects of information:

  • Confidentiality: only authorised persons have the right to access information.
  • Integrity: only the authorised persons can change the information. Data is therefore reliable and as accurate as was input.
  • Availability: the information must be accessible to authorised persons whenever it is needed.

In the digital age where data is the lifeblood of organisations for transactions, both data protection and data security become important aspects of business operations.

Some of the recent high-profile cybersecurity cases in the US were those involving its major supply chains, for instance, the top fuel pipeline operator Colonial Pipeline, and the largest beef supplier, JBS SA. Even government organisations are not spared; Singapore’s largest healthcare group, SingHealth, suffered a cyberattack in which the personal particulars of 1.5 million patients, including those of the prime minister, were exfiltrated.

Taking a proactive approach, organisations now acknowledge that more must be invested in protecting their data assets, which includes cybersecurity. This should encompass both:

  1. a pre-emptive measure of setting up a Data Protection management programme/ Data or cybersecurity system and
  2. a “damage control” measure of having cyber insurance.

Increasing Risks of Cybersecurity Breaches

With the pervasive use of online channels for transactions and work in the digital economy, especially during the COVID-19 pandemic, cybersecurity is fast becoming a concern for organisations and individuals. The DPEX Network resource contains a summary of various data/cybersecurity enforcement cases that give an idea of the different areas of weakness.

In an analysis released by the insurance company Chubb Limited, the global occurrence of cybersecurity incidents in 2020 had increased 540% over 2012.

In a similar vein, the DPEX Network survey found that 22% of Singapore DPOs indicated their organisation experienced some form of a data breach. The Straits Times reported a bleaker number: that 68% of companies in their survey experienced a “cyberattack involving a material data breach”.

Source: DPEX Network DPO Survey 2020

The impact from Cybersecurity Breaches

In addition to increasing risks, the financial impact of each breach is also significant. The IBM-Ponemon Institute study reported that the global average cost of a data breach in its 2020 study was US$3.86 million, up from US$3.5 million in 2014. It takes a long time to estimate the cost of a cybersecurity breach because of the prolonged investigation process.

Case Study: Marriott hotel chain data breach

The breach was discovered on September 8, 2018, but it originated much earlier, before Marriott acquired Starwood in 2016. The Starwood IT network had been compromised sometime in 2014 — back when Starwood had been a separate company. According to reports, Marriott continued to use Starwood's reservation system, unaware that it was infected with malware and had been breached by hackers, for another two years before the breach was finally discovered.

Marriott faced significant penalties as a result of this data breach. Various class-action lawsuits were filed against Marriott for negligence. In addition to the lawsuits, Marriott agreed to pay for passport replacements for customers who were victims of the data breach.

Marriott also faced a financial penalty from the United Kingdom’s Information Commissioner’s Office of US$25 million for failing to meet security standards required by GDPR.

How cyber insurance protected Marriott in the short run

As of March 2019, it was reported that the company had incurred US$28 million in expenses related to the breach — and yet that only lowered the company's bottom line by US$3 million. By May, its losses were reduced to a mere US$1 million. How? Cyber insurance, which covered much of the initial costs associated with the crisis, seems to have paid off for Marriott.

It is true that, financially, Marriott will likely survive this data breach. However, it would definitely be affected in the long run. Customer satisfaction scores dipped in 2019, bringing the brand down and indicating that the breach may cause more long-term harm to guest loyalty and investors’ outlook.

Cyber insurance: The Three Pillars of Coverage

There are generally three pillars in cyber insurance coverage:

  1. Regulatory penalty (fines from the regulators under various jurisdictions e.g., GDPR, Singapore PDPA, HK PDPO).
  2. Direct loss arising from business disruptions and ransom paid to hackers who unleash the ransomware.
  3. Lawsuits arising from consumers and customers (B2B customers whose contracts the affected organisation is unable to fulfil).

It is clear that cyber insurance coverage would have helped minimise the immediate damage in the case of the Marriott and SingHealth attacks.

Developments in the Cyber Insurance Sector

However, as cyberattacks are becoming more frequent, insurance companies are rethinking their business model. To remain feasible, insurers have to adopt a combination of approaches: from increasing premiums to lowering coverage or even discriminating against high-risk cases. Since this year, US insurer AIG has taken a tougher underwriting approach, putting in place an additional 25 questions on clients’ security measures.

Cyber insurance broker Andrew Lai shared with DPEX Network that insurers are now more discerning about the potential clients that they insure. Some of the questions asked include:

  • Where is the revenue coming from? Do they rely on e-commerce? Do they have large numbers of personal data (or personally identifiable information)? Are they from high-risk sectors?
  • Where are staff located?
  • What are the businesses of the subsidiary/ies and related companies?
  • What are the risks posed by their third-party providers?
  • What is the nature of their contracts with the clients? (in case of lawsuits)
  • Do they conduct regular penetration tests/cyber audits? What are the findings?
  • Do they have disaster recovery plans/business continuity plans? Do they test the RTO? The ability to respond in the first 48 hours is critical.
  • Do they have offsite backups?
  • Do they (and their third-party providers) have a robust pre-emptive measure to protect the data and cyber infrastructure? Do they have a data protection management programme or an information security programme? (e.g., DPTM in Singapore, ISO/IEC 27001 or ISO/IEC 27701 certified)


How do I start?

Contact a company that underwrites cybersecurity insurance.

Before you do so, you may want to do some preparation work, such as knowing your risks and having evidence that the organisation is mitigating its risks. This involves:

  • Having an in-house manager for data protection and cybersecurity. This is why many jurisdictions make it mandatory to have a DPO.
  • The DPO must be trained in the requirements of a robust DPMP and ISMP. There are training courses available for both information security management and privacy information management to train personnel in these areas.
  • Should in-house resources be insufficient, the organisation can outsource such a service, managed by the DPO.


Article by: Leong Wai Chong, GRCP, CIPM

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEX Network.
