Sunday Nov 24, 2024
Wednesday, 15 December 2021 00:00 - - {{hitsCtrl.values.hits}}
Addressing liability claims for false advertising, data entry issues, data loss, unauthorised system access and so on, cyber liability insurance arose in America, with the UK (Lloyd’s initially) and other markets quickly following suit
With increasing incidents of malware, phishing, and of course ransomware occurring in “corporate” Sri Lanka coupled with a new Personal Data Protection Act winding its way through Parliament and exposures stemming from “work from home”, information technology professionals and their management are now looking at insurance for solutions in managing these risks – and finding the insurance industry in Sri Lanka, wanting.
Cyber risks generally refer to the risk of financial loss, disruption and damage to reputation of an organisation, resulting from a failure of its information technology systems.
These risks can occur in a number of different ways.
Although many “corporates” and their IT personnel may not want to admit to it, there have been an increase in the frequency of incidents in Sri Lanka resulting in financial losses. Whilst many of these stems from unauthorised access to systems or phishing attacks, some incidents are also the result of accidental or deliberate transfer of information.
Cyber insurance should have been able to address many of these risks and indeed insurers began advertising that they were able to provide viable solutions. In 2021 this advertising suddenly stopped. The reason for this is that no insurer in Sri Lanka has the ability to taken onboard such risks without special reinsurance support. This support has virtually dried up and with that insurers ability to support businesses with practical solutions to some aspects of risk.
In the mid to late 1990’s along with the dot-com bubble in America, there was a massive adoption of the internet and IT. These dot-com companies sought quick revenue growth over profitability, reflected not only in investments into these ventures but also in relation to how these companies advertised and promoted themselves in a scramble for market share.
Consequently, addressing liability claims for false advertising, data entry issues, data loss, unauthorised system access and so on, cyber liability insurance arose in America, with the UK (Lloyd’s initially) and other markets quickly following suit.
Over time, the insurance solutions being offered for such risks evolved to address the emerging and changing IT landscape. More importantly laws were adopted in America and the European Union holding businesses responsible for IT systems they offered to the public and more importantly for data they were collecting and the use of such data.
Today the insurance product, if one can procure it, covers several different areas. These include third party liability i.e., the clients responsibility to third parties in such areas as privacy and confidentiality breaches, failure of a network to protect third parties data systems and websites, liability for electronic publication which results in defamation and copyright infringement, regulatory costs and fines, costs of internal investigation in response to a regulatory issue and contractual penalties for breach of security of payment cards.
As can be seen, this liability coverage addresses developments in Western markets and until recently was thought not to be too onerous a risk for Sri Lanka due to the manner in which our legal system operates. The proposed Personal Data Protection Act will change this perception.
However, in addition to liability, the insurance policy can also pick up coverage for business interruption due to a cyber-attack, cost of managing a crisis consequent to a cyber event and, of more relevance to businesses in Sri Lanka, loss of money due to a hacker unlawfully accessing a system. More recently coverage has expanded to include costs of dealing with a ransomware attack -including payment of the ransom.
Generally, cyber insurance policies do not cover the following.
Within the scope of this article, it is not possible to detail these and other exclusions in the policy. Some of these areas are also negotiable, subject to additional premium. Special care should be taken on the employee exclusion clause as in many cases some level of employee involvement in an incident may be possible. Care should also be taken to look at the war exclusion specially in the context of cyber warfare and cyber-attacks by (any) State players.
In 2020, the total global market premiums for cyber insurance (standalone policies or part of packaged covers) were around $ 2.7 billion, up 22% from the previous year. Claims though was up a whopping 73% from 43% in 2019. The increased claims trend continues in 2021 and as does the increased demand for cyber insurance. The average ransom demand was also up at $ 1.2 million whilst the average paid loss under cyber insurance policies also increased from $ 145,000 to $ 358,000.
All of this has resulted in sharp increase in premiums on an average by about 50% but in many cases more than 100%. Underwriters have also begun to restrict coverage and in some markets (Canada, for example) coverage for ransomware is being excluded.
As mentioned at the beginning of this article, here in Sri Lanka due to the global issues sketched above insurers as struggling to persuade their reinsurers to provide viable terms to interested clients. Compounding the issue is that such reinsurers require reams of background information – forms which may be 20 pages of technical information long – which the IT divisions with a corporate entity are reluctant to provide or reluctant to spend time in providing.
In the absence of such information, reinsurers are declining coverage for Sri Lanka or providing terms with very high premiums and restrictive coverage.
That said these forms provide a useful guideline to understanding cyber risk and completing these questionnaires creates awareness in IT personnel areas and issues which they may not otherwise focus on. Whilst insurance is an option so too is improving security of systems. There are some simple practical steps that can be taken as for instance spending on cyber security upgrading and training, multifactor authentication, and the blocking of ports of remote desktops.
So, what can be done in relation to insurance? Firstly, consult a broker. Insurance by itself, leave aside cyber insurance, is far too complicated to be handled on your own. And the services of an insurance broker are without cost. Next, spend time in completing the relevant insurance forms and in providing the supplementary information which may be required and evaluate any insurance quotation that may be provided. Use the information in the forms to benchmark your security.
Such evaluation must be weighed against other steps which could be taken to reduce cyber risks (like spending on increased security) and the financial impact of a possible loss against the insurance premium and coverage offered. There are also IT security experts now in our market who could support IT divisions in strengthening and monitoring security of IT systems.
What is clear is that doing nothing could end up being more costly.
There used to be this mild joke about insurance being something you do not want until you cannot have it. With cyber insurance this appears to have occurred.
(The writer is the Managing Director of George Steuart Insurance Broker Ltd., a leading corporate and personal insurance broker in Sri Lanka. GSIB is a subsidiary of George Steuart & Co. Ltd, the oldest commercial establishment in Sri Lanka. He has over 40 years of experience in the industry and can be reached at [email protected]).