Facts and myths about cyber risks and the role of insurance
With cyber risk being a relatively new phenomenon in the business world, there is much to know and much to be wary of
Compared to other risks – such as damage or loss of property due to fire, theft and piracy, which have existed for hundreds of years – cyber risks originated more recently. Cyber risks are transmitted into a company through the use of information technology (IT) – mainly computers.
Cyber risks are, therefore, synonymous with IT risks, and their development coincided with the evolution of computers and information processing systems in business.
Like anything new, cyber risks and their insurability are fraught with myths and inaccuracies. It is, therefore, important for firms to get the underlying facts right, before deciding on the most appropriate response strategy to these risks.
This cautionary note derives from a basic insight – when business decisions are taken on the basis of inaccurate underlying facts, they can be misleading and destructive.
What then are the myths that typify the discourse on cyber risks and cyber insurance today?
The first myth holds that cyber risks are relevant only to big businesses. As a matter of fact, we now live in the information age where data is the stock-in-trade for most businesses – big and small. It is difficult to conceptualise a situation where a modern business (of whatever size) is not information-driven in some way or another.
Myth number two holds that hackers are very experienced and mature people who have been working with computers for a very long time. On the contrary, many hackers are mere teenagers who have not worked with computers for as long as is often assumed. This is scary, because it means that cyber risk is perhaps the most unpredictable of all risks faced by a modern business.
Myth number three holds that cyber risks arise from external sources. This, too, is a fallacy because studies show that a significant proportion of cyber risks emanate from within – from employees (past and present) with third-party vendors being among the main culprits.
A disgruntled employee, who is currently in the employ of the company, or who has left, can be as viable and even more dangerous a source of cyber risk than an unknown hacker or terrorist.
Current and former employees carry the added danger that they have an intimate knowledge of the firm and know which areas, if targeted, can hurt the business the most. Companies often focus on threats from further afield and ignore those closest to home.
Perhaps the biggest myth of all is that insurance provides comprehensive protection against most cyber risks. Nothing could be further from the truth. While it is understandable that insurers would leave no stone unturned when informing firms of the importance of cyber insurance, the reality is that this is still a very new product and is not always available in all markets.
Even in developed markets, such as the United States (US), Canada and the United Kingdom (UK), policies offered are not comprehensive in terms of coverage. Most provide limited cover and contain wide-ranging conditions and exclusions which, when reduced to their logical conclusions, leave the insured with limited protection.
There are many aspects about cyber risks that still need to be conclusively resolved by insurance markets. For example, where insurance contracts are designed to cover loss or damage to tangible or physical property, a question arises whether loss or corruption of data actually constitutes loss or damage to tangible or material property.
Courts in the US have grappled with this question for several years and in many states appear to have found ways to justify the finding that data or information is material property capable of being stolen, damaged or sold.
Another problem currently faced by insurers in most markets is capacity, which is still very limited. This is a problem even in developed markets.
While insurers would argue that cyber insurance is critical to the survival of any modern business, insurance markets are still a long way from establishing a common taxonomy of cyber risk and the losses for which they are prepared to pay.
There are many types of loss that can be caused by data security breaches. Some of these include theft of intellectual property, business interruption, data and software loss, extortion, fraud and identity theft, transfer of funds, invasion of privacy, damage to reputation, liability to third parties, regulatory penalties, costs of a forensic audit, crisis management costs and investigation as well as death or bodily injury.
These losses can be incurred by any organisation – whether public or private, small or large.
The question then becomes – which of these are insurable and how?
There are two types of insurance that can be used to cover cyber risks. First-party insurance covers the insured for losses suffered. Thus, if a homeowner insures a house against any form of damage, it is done through first-party insurance, which involves two parties only: the insurer and the insured.
Then there is third-party insurance, which protects the insured – not from his or her own personal or business losses, but those that he or she (or the company) may cause to someone else (the third party) for which the insured is legally liable.
Under third-party or liability insurance, the insured is not the person or company suffering the loss, the insurance covers the loss suffered by a third party as a result of the business activities of the insured. A major complication with third-party insurance is that the third party cannot even be identified ex ante, or before the loss.
Whether one buys first-party or third-party insurance, the reality is that it is rare to find an insurer who is willing to sell a single product that provides protection for most of the types of potential losses.
What is more likely is that insurers would sell different cyber policies for specific types of risk. This differs from how other risks are handled. For example, insurance of a motor vehicle.
Finally, the motor vehicle policy may also provide limited medical expenses for passengers and all these risks can be comprehensively covered in the same policy. Currently, this approach is very limited in the cyber-insurance market.
That said, first-party insurance can be used to insure loss such as theft or fraud made possible by data breaches, the costs of forensic auditing or investigation, business interruption, data loss and restoration and other direct losses.
However, nothing is guaranteed; it all depends on the market in question. Third-party insurance can provide coverage for litigation and regulatory costs, notification costs, crisis management costs and liability for intellectual property violations.
These covers are by no means integrated and insurers are still in the process of learning about cyber risks in general. Policies currently on the market have extensive restrictions on the type of coverage they provide. Companies must, therefore, avoid falling into a false sense of security.
The question then is: while insurance markets are still developing, what can companies exposed to cyber risks do? It must be noted that, even at their most advanced stage, insurance markets will never be a panacea for all cyber risks. In fact, only a small proportion of these risks will be transferable through insurance, even under the best of circumstances.
It is for this reason that perhaps the best response to cyber risks must come from business themselves. There is a need for businesses to develop their own risk-management systems for cyber risks that take into account their own unique circumstances. Some of the issues that must be well understood are the location of a firm’s critical data, how that data can be accessed, by whom it can be accessed, and its uses.
Once this is done, targeted risk-control measures can then be put in place to prevent that data from being accessed or used for sinister purposes. Perhaps the most important thing for firms to avoid, however, is buying into the myths around cyber risk.
Legally Speaking is a regular column by Albert Mushai from the school of Economics and Business Sciences, University of the Witwatersrand. Mushai holds a master’s degree from the City University, London, and was the head of the insurance department at the National University of Science and Technology in Zimbabwe before joining the University of the Witwatersrand as a lecturer in insurance.