28 Mar 2017

Justin Tivey, Legal Director, answers questions on cyber regulation in relation to the insurance sector.

In the event of cyber breaches, insurers might find it challenging to defend themselves in court without the "safe harbour" provided by standards, leading practices, and a codified structure, all of which reduce the potential for uncertain interpretations. Can you provide some insight into this?

It is certainly correct that there is no neat codified structure for the standards against which conduct is judged when there has been a cyber incident. This does give rise to the potential for differing interpretations and uncertainty, and this is not helpful for insurers. There are standards which apply in certain industries, for example the payment card industry, but the standard will also change depending on what the issue being looked at is and whether it goes beyond data protection, for example breach of confidence or defamation. Different standards will also apply if conduct is being viewed through the regulatory telescope, and therefore the Information Commissioner's Office's expectations will be relevant.

There can of course also be standards imposed by contract that must be taken into account. Cyber incidents can affect both customers and third party suppliers, and those impacted will need to look at the terms and conditions of their relevant contracts to establish the level of duty required.

There are however some touchstones rather than formal standards for behaviours which organisations should be exhibiting to show that they take cyber liability seriously. 

For example, carrying out a data audit and knowing what data the organisation holds. Also conducting an IT audit to know what equipment is used and what software it is using. Considering whether there is adequate physical and electronic security so that access to premises, hardware and systems is controlled. There will be obvious system protection software such as firewalls and anti-malware, but as important is the awareness of staff about data risks and staff training. It is difficult to be prescriptive about which hardware and software is acceptable, but hardware and software should still be supported by the manufacturer and all updates and software patches should be applied. Supervision of IT systems is paramount, as the best protections might be circumvented and it becomes essential for problems to be spotted as soon as possible.

Organisations should be savvy and conduct themselves in a manner which shows an awareness of risk. Although the context is different, it is not a million miles from having an awareness of the physical security of property, taking fire precautions or a professional adviser making sure files are compliant with office procedures. It is the same mindset.

Similar concerns surround the sale of cyber insurance: while the market need is recognised as an opportunity, defining and measuring risk is a major concern. Why is this?

Defining and measuring cyber risk is a major concern for a number of reasons. The lack of a codified structure of cyber standards and approved practices is one issue. However, a cyber underwriter can be looking at a range of different types of insureds. For those insureds, IT will not be their day to day business and therefore their data protection measures are likely to vary widely. Commercial pressures on them will impact how much time and money is invested in IT security.

Things which are difficult to quantify play a significant part in cyber security such as staff training and general cyber risk awareness.

It is more difficult to evaluate the consequences of a cyber breach. While a professional advisor or the supplier or manufacturer of goods can have an idea of the likely consequences of their product or services causing harm, it is difficult for them to say what the consequence will be if their computer system, which they take for granted, is compromised and data is stolen. One benefit of IT is the ability to handle large amounts of data quickly but this also means that problems can escalate rapidly.

As well as uncertainty over the severity of an incident, there is the issue of how frequently it may happen. Here there is the added factor that cyber breaches can be caused by the deliberate acts of malicious outsiders or employees. Malicious third parties can also include terrorists or foreign governments, and evaluating the risk of that is not easy.

There is also some legal uncertainty in this area, particularly around quantifying recoverable losses and the scope of duties.

All of this uncertainty affects insurance buyers and their insurance brokers. It can be hard to understand the type of risk the insured presents and what level of cover they need.

I suspect that it is also a factor that electronic data is intangible and problems can easily pass unseen in the depths of a server or electronic database or be lost amongst the email traffic.

Finally there is also the fact that IT is a specialist area and many people prefer not to know the details of how their IT system operates - as long as it does operate!

Underwriters say they need more claims to assess the risks. With all the hacking attacks and data breaches making the headlines, one would think they'd have enough information - why do these scandals never make it to court?

Hacking and data breaches do seem to be hitting the headlines more and more regularly; however, the level of claims information available to insurers is significantly less than in some more traditional insurance sectors.

While hacking stories are often high profile, they rapidly fall down the list of newsworthy items, and the eventual outcome and the costs of the data breaches are not made public.

Apart from a few notable exceptions, there is no compulsory reporting of data breaches at present in the United Kingdom or European Union. This is changing, however, with the implementation of the General Data Protection Regulation.

Also, while the perception may be that there are a significant number of reports of hacking incidents, these are still the tip of the iceberg, and a lot more goes on that is not known beyond the boundaries of the organisation affected.

These scandals do not make it to Court for a number of reasons. Many claims that spin out of cyber breaches are commercial disputes and, as is usually the case, the majority are resolved out of Court. Organisations also seek to resolve problems with customers directly. The value of an individual person's claim is likely to be relatively low, and we have not yet seen a group action come to trial, although there are some group actions out there.

Cyber incidents do result in a "trial" of sorts when the Information Commissioner's Office (ICO) becomes involved. However, while the outcome of the ICO's investigations and the fines imposed are published, the fine imposed by the ICO is not insurable in itself.

A big element of cyber losses and cyber cover is the first party cost to the business concerned in dealing with the incident, stopping it and putting things right. These costs are virtually never publicly known.

Despite these difficulties, the various elements of loss which can spin out of a cyber incident are not wholly unquantifiable with appropriate advice.

Is there a tendency for companies to cover up data breaches? What drives this, concern for reputational damage? What are the prospects for the cyber market?

There is a tendency for companies to cover up data breaches. There is still an attitude that this is a private operational problem for organisations and not a public issue. Unless there is a reporting obligation, it is possible for the incident to be "covered up" and not made public.

This is perhaps understandable when one has seen what happens when incidents are publicised. Adverse publicity leading to reputational damage, a drop in share value and damage to the customer base are all frequent. There is also a fear that adverse publicity will encourage claims.

In my view the prospects for the cyber insurance market are very good. I am always impressed by the ability of our insurer clients to develop new products, to quantify what a risk averse profession like the law would baulk at. The profile of cyber risks and cyber insurance is growing, and as the market increases in maturity the uncertainties relating to the cost of cover and the limits on cover available will improve. The implementation of the General Data Protection Regulation will also help drive the market. Cyber cover is definitely going to develop over the coming years and it is an exciting area to be involved in.