By Simon Gilbert for China Brain
The increased frequency and severity of cybercrime in several of Asia's tiger economies has dominated headlines in recent months. Statistics from the International Data Corporation (IDC) indicate that the impact of cybercrime includes hundreds of millions of people having their personal information stolen. In 2014, more than 20 million people in China were affected.
The annual cost to the global economy from cybercrime is more than $400 billion. Notably, cybercrime losses from the four largest economies in the world (US, China, Japan and Germany) reached $200 billion in 2014, according to IDC.
Whilst the Chinese insurance framework is not as advanced as those in developed markets, it is moving in the right direction and changing at a high pace to adapt to international norms. The challenge for insurers and reinsurers in China is the speed at which the regulatory framework is developing.
WHY CHINESE BUSINESS NEEDS CYBER INSURANCE
There are only two types of companies: those that have been hacked and those that will be. Even that is merging into one category: those that have been hacked and will be again. Cyber attacks are coming thick and fast and becoming almost an inevitability for business. It is essential that Chinese businesses proactively manage their cyber risks.
Chinese businesses in different industries will be feeling particularly vulnerable given the increasing reliance on computer networks and connectivity of data. Recent major cyber attacks in the US and EU serve as a strong reminder of the importance of regularly reviewing cyber security arrangements. The directors of a business must ensure they understand the most recent threats and are suitably prepared in the event of an attack.
CYBER INSURANCE EXPLAINED
Typically, the cyber insurance industry breaks an event such as TalkTalk into three parts: Event Management, Financial Loss and Liability.
Event Management involves the internal and external expenses of managing the response to a cyber event. Cyber insurers vary in the extent of cover provided in Event Management, but in general they recognise that providing access to third party cyber security experts can mitigate the consequences of a catastrophic event.
This is sometimes spearheaded by a cyber response coach, an industry expert responsible for advising a business on how to handle and manage a cyber event. Typically this will start with an investigation by third parties to establish the extent of the issue. If card data is compromised then insurers can indemnify the costs arising from a specialist Forensic Investigator. Consultation on how to manage legal and regulatory issues will also be covered as well as a crisis communication strategy. Establishing a call centre to field queries and providing credit monitoring are the last elements of cover.
Financial Loss takes into account the increased operational costs and reduction in profits as a result of the attack. This is known as non-physical damage business interruption, and is typically excluded from property insurance. Should any fines and penalties be issued by regulators and industry associations (for the loss of sensitive card payment data), then cyber insurers will cover this with the proviso that these are insurable by law. Costs in managing a cyber-extortion situation — and the ransom itself — can also be covered.
Liability tends to impact some months later. Affected individuals or businesses may bring claims or written demands for failing to protect their information. They may seek compensation for financial losses from hacking, or damages from identity theft. In cases where customers are claiming from multiple jurisdictions, cyber insurers can contribute towards defence costs and any resulting damages from multi-jurisdictional claims.
SUMMARY OF A CYBER INSURANCE POLICY:
Event Management | Financial Loss | Liability
Incident response consultation | Loss of net profits | Privacy defence costs and damages
IT forensics (including PFI costs) | Increased costs of working | Failure to notify defence costs and damages
IT professional services | Reputational loss | Hack or virus defence costs and damages
Legal & regulatory consultation | Regulatory fines & penalties | Defamation defence costs and damages
Notification management | PCI Awards | IP defence costs and damages
Crisis communications | |
THE RISK OF GOING UNINSURED
Elmore research has found that many Chinese businesses are running a great deal of cyber risk on their balance sheets. With suitable cyber risk management, such as a robust cyber security framework that includes penetration testing and effective threat detection through multi-layer monitoring, as well as suitable testing of incident response plans, many cyber attacks can be stemmed at an early stage. An incident response plan that considers not just business continuity and disaster recovery but also easy-to-implement steps and pre-contracted responders can make the difference between a disastrous impact on reputation and a positive outcome for the entity in question.
Written by Simon Gilbert, Managing Director, Elmore Insurance Brokers Limited, www.elmorebrokers.com. Elmore Insurance Brokers Limited are a specialist international insurance and reinsurance broker, connecting its clients to innovative and competitive capacity.