Cyber-risk – it is now a potentially catastrophic exposure, and the first step is to understand it.

Published on Wed, 31/07/2013 - 23:00

How powerful is one Tweet in today’s global communication network? Back in April this year, hackers infiltrated the Associated Press Twitter account and posted a bogus Tweet claiming the US President had been injured in an explosion at the White House. Within minutes thousands of retweets had circulated across social media channels and, before the account was taken offline, the Dow Jones Industrial Average dropped more than 100 points, briefly wiping billions of dollars from the value of global companies before recovering. Notably, the attackers did not break Twitter itself: the AP reported that the compromise followed a phishing campaign against its own staff, a reminder that the weakest link is usually a person with a password rather than the platform.

Like major terrorist acts and hurricanes, the threat of cyber attacks can now be regarded as a catastrophic risk. However, trying to predict where and when they may strike remains the greatest challenge for technology risk underwriters. Given the proliferation of seminars and press reports on the continual threat to the world’s data systems, risk managers probably believe they now know everything about cyber risk, and if an insurer doesn’t service cyber, through a programme or a product, then the technological zeitgeist has clearly left them behind at ‘Web 1.0’.

However, the profession needs to slow down and take stock. When building a global programme, board members should be aware that there is a clear distinction between what is classed as a technology risk and what is covered under a cyber policy. More importantly, businesses of whatever size and sophistication should understand what they are buying and whether they are in fact exposed to existing, and as yet unknown, risks.

What constitutes a technology risk in particular needs to be defined. If a company’s main business is to design, build or sell software or hardware, or to provide a technology-based service such as outsourcing or telecommunications, then purchasing a specific technology professional indemnity (PI) product is essential. Both hardware and software engineers and designers can face very large errors and omissions (E&O) claims if the systems they build or host fail or are hacked, and likewise if the service they provide is substandard or, worse yet, fails entirely.

Outside the realms of pure technology, almost everything else falls into the cyber liability category rather than technology PI. Any company that stores Personally Identifiable Information (PII: names, email addresses, phone numbers, postal addresses, credit card details, national insurance numbers and the like, of both employees and customers) has a cyber exposure. This can include anyone from retailers (online or otherwise) to energy companies to charities. Likewise, anyone with any online presence at all has an exposure, since any internet-facing system can be attacked, leading to internal disruption, loss of confidential information, malware infection, loss of income or simply bad press.

These types of clients will most likely need to buy a separate cyber product that addresses many of these risks, even though the company is not a “technology” company in the traditional sense. This is often where the lines become blurred in the debate about which is more appropriate, technology PI or cyber, and though policy wordings can look onerous, anyone who relies on the internet to do business needs to be adequately insured.

In cyber terms, cover should protect a company against breaches of privacy and loss of data; cyber fraud or extortion; business interruption (especially if the company exists only online); and any breach of regulatory or compliance rules. In the case of business interruption, a claim is based on a calculation of the revenue lost during the period the retailer or company was offline. For example, two years ago a major technology company had to shut down its gaming network because of a hacking attack, or “external intrusion” as it was described. The company was criticised heavily by gamers via various social media channels and then had to admit that personal information, possibly including customer credit card details, may have been taken and that the whole network had been compromised.

Regulators in both Europe and the US are introducing data protection rules that could be costly in the future. In the EU, the General Data Protection Regulation proposed by the European Commission in January 2012 to replace the 1995 Data Protection Directive is still being negotiated, and would significantly strengthen the rights of individuals over their data. In the US, privacy liability has become the hot topic, where a breach of privacy or loss of customer data can cost a company in the region of $1,500 per compromised record. To put that figure into perspective, 2012 saw a significant number of massive data breaches in which millions of US consumers had their passwords, credit card details and tax records hacked, stolen or lost.

Another development in the US has been the Securities and Exchange Commission (SEC) staff’s Disclosure Guidance on Cybersecurity, issued in October 2011, which indicates that listed companies should disclose not only the material risks associated with a specific data breach or other cyber incident, but also its financial and legal impact, along with the controls and processes in place to prevent such losses. The guidance does not ask for detail that would itself hand attackers a roadmap into the company’s systems, so the challenge for boards is to disclose what is material without disclosing what is exploitable.

Insurers are fighting an endless battle to keep up with the myriad threats, not just from the ‘black hat’ hacking community intent on attacking multinationals’ reputations, but also from the global regulators and government agencies adding extra layers of complexity to the sector. Over the next 5-10 years, technology and cyber risks will become the insurance equivalent of an arms race. According to the Brand Finance Global 500 Report, reputation accounts for 24% of a company’s value, and a cyber attack can damage a brand’s reputation in seconds. For the risk community, understanding the product is the first step.

James Tuplin is Technology Risks Underwriter at Allianz Global Corporate and Specialty.
