The recent Carphone Warehouse (CPW) data breach was a reminder to the UK that cyber-attackers are ever-present and able to strike with costly force.
It highlights the importance of having specific insurance to cover the losses arising from such an event.
The 72 hours following a cyber-attack are critical, often determining whether months of bad publicity, reputational damage, financial loss and penalties will follow.
Cyber insurers recognise that assisting with a ‘crisis panel’ of responders mitigates the potential impact of larger losses and customer claims further down the line.
This is why insurers will in some cases allow a nil deductible for the first 72 hours of incident response, so that there is no delay in engaging IT forensics, IT professional services for data and network restoration, and legal, regulatory and crisis communication consultation.
The CPW event appears to have been a textbook attack, and one in which cyber-insurance could have responded harmoniously as the crisis unfolded.
Typically, the cyber-insurance industry breaks an event like this into three parts: Event Management, Financial Loss and Liability.
Event Management involves the expenses of an investigation by third parties to establish the extent of the breach; consultation on how to manage legal and regulatory issues; notification management via a crisis communication strategy; the establishment of a call centre to field queries; and the provision of credit monitoring.
Financial Loss takes into account the increased operational costs and reduction in profits as a result of the attack. This is known as non-physical damage business interruption, which is typically excluded from property insurance. Should any fines and penalties be issued by regulators and industry associations (like PCI), then cyber insurers will cover this with the proviso that these are insurable by law. Costs in managing a cyber-extortion situation – and the ransom itself – can also be covered.
Liability tends to impact some months later. Affected individuals or businesses will bring claims or written demands for a failure to protect their information, seek compensation for financial losses from hacking, or damages from theft of identity. In cases where customers are claiming from multiple jurisdictions, cyber-insurers can provide defence costs and any resulting damages from multi-jurisdictional claims.
The UK is the leading innovator in cyber-insurance, particularly in relation to covering losses arising from full system failure and also the ongoing reputational damage following a cyber-event.
There are exclusions in a cyber-insurance policy, some of which are negotiable, such as retrospective cover. Often, a first-time buyer of cyber-insurance will have a retroactive date set at inception, meaning that events which occur before this date but are discovered after it are excluded.
Similarly, any electrical or mechanical failure of infrastructure other than the company's own computer system, such as a power, telecom or satellite failure, will be excluded.
Typically, a conduct exclusion will be seen in policies for loss arising from any deliberate, intentional or reckless act by the insured. Furthermore, cyber-insurers will exclude any failure by the insured to correct defective systems, procedures or software.
There are a number of other exclusions which all need to be carefully considered, including wrongful collection of information. It is essential to take advice from a fully authorised broker specialising in cyber-insurance.
The Carphone Warehouse attack raised important questions: Was this the beginning of a wave of cyber-attacks in the UK or a one-off incident? Was CPW an accident waiting to happen, or was it the unfortunate victim of a sophisticated hack which could not have been avoided?
The answers to these questions will only be known in time. What we do know is that many companies are running a great deal of cyber-risk on their balance sheets. By transferring some of these risks to insurers it is possible to take advantage of the benefits a cyber-insurance policy has to offer.
Contributed by Simon Gilbert, Managing Director, Elmore Insurance Brokers Ltd.