The modern business has an enormous reliance on data, a trend which is only increasing. Whether it be the use of online accounting systems, Customer Relation Management (CRM) for maintaining key accounts, websites, or merchant facilities for acceptance of credit and bank cards by online retailers, the uptake of technology and its integration into business operations will not decrease.
Additionally, many businesses are relying on automated processes. Whereas once critical business decisions may have involved a human element, the rise of machine learning in support of Artificial Intelligence (AI) means manual decisioning is being replaced by algorithms in support of high system availability and speed of adjudication. For example, Australia’s Department of Home Affairs (DHA), the government agency charged with coordinating Australia’s federal law enforcement including immigration, recently announced it is looking to utilise robot processing, automation and analytics, and machine learning and AI in determining visa applications. The DHA projects that up to 90% of visas could be automatically determined.
The inclusion of processes underpinned by AI in everyday transactions is most evident in the suggestions promoted by Google, eBay, Netflix, or Amazon, which rely on machine learning to serve up targeted offerings. However, while the use of data often dominates the narrative, these consumer offerings in terms of product or service recommendations are informed by the behaviour of the prospect in the first instance. This means personal preferences and behaviours may be stored and analysed by AI agents to customise a user’s experience. The potential for individual harm as a result of a data breach in which sensitive personal data is exposed has been of concern to regulators for some time.
What is cyber insurance?
Cyber insurance provides certainty for business in managing the costs of responding to data breaches, and often provides access to the resources necessary to respond quickly, minimising loss and damage to the company. It also likely covers legal defense and liability expenses if a data breach has occurred and has put clients or customers at risk.
Typically, firms consider risk against the four conventional risk responses of accept, avoid, reduce, or transfer. Cyber insurance is one of the most recognised risk reduction strategies in the transfer category, whereby an insurance policy indemnifies the costs of dealing with the after-effects of a data breach. It is important to consider that most cyber insurance policies extend the definition of breach to include the release of data from an attack by a cyber-criminal or bad actor, as well as the accidental release of data from an error or omission in an information system.
Cyber policies differ from Material Damage (MD) policies: Cyber covers the breach or outage costs for data, which is an intangible asset. An MD policy responds to physical damage to the tangible server or other computer equipment installed on an insured’s premises; it doesn’t cover data hosted by a third-party cloud service provider. Cyber insurance coverage can also include indemnification of the losses in business revenue flowing from that breach or outage.
What to look for as a cyber insurance buyer
The key in policy selection is understanding the nature of the data the enterprise holds. How critical is it to the organisation in terms of business processes, and how much of it is personally sensitive such that a data breach could result in harm to the individuals whose information is being stored? The purpose of the policy is to transfer the financial risk that would result from the investigation, containment, notification and potentially mitigation of a data breach. Investigation costs include expenses incurred in investigating an actual or an alleged breach. Also, if there is an outage from third-party providers, such as cloud services, the policy can top up lost business revenue.
What do insurance companies look for when deciding coverage?
For SMEs, the insured’s broker can access a number of different policy options, and the risk survey component is surprisingly simple. Questions asked may be merely: (i) whether the firm has previously experienced a breach; and (ii) whether anti-virus or other network protections are in place. For larger corporates, the broker will work with senior leadership to design an appropriate insurance program, which will include cyber insurance.
Making the business case for cyber insurance
Governments have recognised that sales prospects, or people, are the product, not data. To protect an individual’s privacy, the Australian government in February 2012 introduced the National Notifiable Data Breaches (NDB) scheme, which requires that an organisation alert both its customers and the Office of the Australian Information Commissioner (OAIC) when there is a customer data breach that exposes Personally Identifying Information (PII). The OAIC can levy fines of up to A$840,000 when an organisation is found to be in breach of the NDB requirements. In May 2018, the 28 members of the European Union introduced the General Data Protection Regime (GDPR), which has the power to impose fines of up to 20 million Euros, or 4 percent of annual global turnover (including non-EU operating jurisdictions).
While these fines are significant, they are not the only expenses that can flow from a data breach. First- and third-party costs such as investigation, mitigation, Payment Card Industry Data Security Standard (PCI DSS) fines, loss of turnover, and the impact on reputation represent additional financial burdens that can result. Cumulatively, this financial risk now means the cost of not complying with the NDB and GDPR is potentially higher than the cost of compliance.
Cyber Claims Services
Cyber insurance services and policies are now more comprehensive. Coverage includes keeping clients up to date and educated on the threats and ways to respond, and providing crisis and claims management tools or systems.