Why cyber-risk insurance is rising rapidly in Ireland
Published 04/09/2014 | 02:30
Cyber risk in its various forms is one of the growth areas for the insurance industry. It's no big mystery as to why.
Every day, we see news headlines about data breaches, cyber security issues and privacy debates. Whether it's Jennifer Lawrence's intimate photos being stolen, retailers' databases being hacked or privacy breaches at major institutions, web-connected activity can be a risky business.
And it's getting more complicated all the time. Where once the landscape was dominated by computers and servers, now we have big data, cloud computing and social media. With them come the risks and exposures faced by companies and other organisations.
A few examples stand out. In May, eBay added its name to the list of big companies to suffer a major cyber-attack after a data breach forced it to ask 145m active users to change their passwords.
The news came soon after the resignation of the US retailer Target's chief executive Gregg Steinhafel. Steinhafel stepped down as a result of last year's data breach, which exposed up to 110m Target customers' details, showing the potential impact of incidents, in addition to the costs ($61mn in Target's case).
Irish companies have not escaped either.
Loyaltybuild, an Ennis-based company that provides services to companies running holiday break promotions, was hit by a major data security breach in late 2013. The breach involved the compromise of personal details of about 1.5m people across Europe. This included 90,000 Irish customers.
The statistics speak for themselves. PwC's 2014 Global Economic Crime Survey found 17pc of businesses and 39pc of companies in the financial sector had been victims of cybercrime.
In Ireland, the Grant Thornton Cybercrime Survey 2014 estimates the costs of cybercrime to the Irish economy at over €400m per annum.
There also continues to be a rise in the number of security breaches in Ireland.
In 2013, the Office of Data Protection Commissioner dealt with 1,577 personal data security breach notifications, a massive increase on the 410 reported in 2010, when the Personal Data Security Breach Code of Practice was introduced by that office.
By the end of the decade, Cisco forecasts that there will be 50bn internet-connected devices, up from 12.5bn in 2010, massively expanding potential vulnerabilities.
According to Anthony Hess, a principal adviser with KPMG's information protection and business resilience team, the spread of information technology logically increases the potential risks. Technological capabilities, meanwhile, widen exposures, enabling hackers not merely to target information but, through smartphones for example, to track movements or even bug conversations.
"The technology is more interconnected and closer to the individual than ever before," says Hess.
The Heartbleed vulnerability in OpenSSL software, discovered in April, revealed not only the potential for common weaknesses, with half a million websites susceptible, but also the fragility of the "internet of things", with connected printers, videoconferencing systems and even thermostats among the devices affected.
Likewise, devices affected by the end of support for Windows XP in April, when Microsoft stopped patches and upgrades for the operating system, include over 95pc of the world's ATMs.
Neither the statistics nor individual cases fully capture the changing nature of cyber risks, but they do help to illustrate the challenge they pose.
Given the evolving nature of cyber risks, insurers must adapt and respond with a comprehensive risk management solution for cyber and data protection issues. This solution needs to provide an additional layer of protection to the most powerful first line of defence against cyber and data protection threats, which is a company's own IT system. Insurers must enhance their level of cover and aim to provide additional loss control services. They also need to provide direct and immediate access to a team of specialist consultants who will be able to assist in the event of a data breach or loss.
From a risk management perspective, companies need to put a system in place which complements the existing firewall, antivirus and any other security arrangements an organisation may have. One example is simply blocking network communications, both incoming and outgoing, from a list of known criminals who have been tracked by IP address for over 14 years.
Cyber risks are now seen to be as tangible as physical threats to a company's assets. Cyber insurance is still a relatively new cover in the Irish insurance market but has certainly become more and more prominent over the past year. The demand for cyber insurance is significant because any company that stores, manipulates or transmits data is at risk of a cyber or physical data theft event. Businesses face risks from hackers, hacktivists, malware, negligent and rogue employees and poor IT controls. Clear and structured protection is required, including protection for financial loss and reputational damage.
Following a data breach or loss, a firm may be subjected to regulatory fines, damages and litigation expenses associated with defending third party claims. Diagnosing the source of the loss or breach, reconfiguring networks, re-establishing security and restoring data and systems have other disastrous impacts.
Scott Diamond is deputy financial lines manager at AIG.