The Cyber Threat Facing Businesses
BUSINESSES FACE THE RISK OF FINANCIAL LOSS AND DISRUPTION DUE TO THEFT OF PRIVATE OR SENSITIVE INFORMATION, ATTACKS ON IT SYSTEMS, AND FRAUD. CYBER EXPOSURES ARE ON THE INCREASE, AS BUSINESSES BECOME MORE RELIANT ON THE INTERNET AND NETWORKING TECHNOLOGIES.
WHAT IS “CYBER THREAT”?
Some of the more recent high-profile incidents, such as the attacks on Bangladesh Bank, Ashley Madison and Sony Pictures Entertainment, have drawn even greater attention to cyber risks, now considered to be among the top risks to global business. According to the Allianz Risk Barometer, cyber incidents ranked third for business risks globally in 2016 (for perspective, cyber risks were ranked 15th in 2013).
CYBER RISKS POLICIES
Cyber risks typically fall outside the coverage of traditional business insurance policies; thus a specific cyber risk insurance policy needs to be taken out for protection. As the demand increases for such policies, more insurance products are being developed and offered in the marketplace. Policy wordings differ but typically include coverage for a range of first party risk exposures and third party liability exposures. Examples of first party risks include loss or damage to digital or data assets, business interruption from network downtime, restoration costs, cyber extortion, reputational damage (with associated costs such as crisis management and PR) and theft of money and digital assets. Losses associated with third party risks might include security and privacy breaches, investigation of privacy breaches, customer notification expenses, multi-media liability, loss of third party data, regulatory fines and penalties, and data warehouse breach.
CYBER BUSINESS INTERRUPTION LOSSES – SOME ISSUES AND CONSIDERATIONS
The concept of business interruption following cybercrime is not significantly different to business interruption resulting from physical damage. However, as cyber risk policies are relatively new and still evolving, we observe a variety of new wordings and believe there is larger scope for policy interpretation disputes compared to traditional interruption policy wordings.
One example is ambiguity regarding the interruption period. Unlike a property loss, whereby the interruption period is usually well-defined, the “start” and “end” date may be less clear in a cyber claim. There may be uncertainty as to when an attack occurred or when the impairment associated with the attack began. It may also be difficult to determine when an attack has ended. To complicate matters further, losses may still be incurred even after systems have been restored. Would this be covered under the policy?
Another consideration is determining the losses that result directly from an insured cause, as opposed to indirect losses that are outside of policy coverage. For example, it is possible that negative publicity from a high-profile cyber breach may cause loss of trust among customers to the extent that they do not return, even after systems have been fully restored. This type of loss is unlikely to be covered, although this would be subject to the actual wording of the policy.
This consideration could be extended to claimed costs. Many cyber policies allow for costs to investigate an information security breach. Such investigative efforts may involve a number of different disciplines, including both internal and external personnel. Services may also be required to restore networks and data, and to repair or replace equipment damaged in the breach. It is important to distinguish between the costs to investigate and rectify the breach, and the costs to improve and strengthen the system in an effort to prevent a reoccurrence.
Recovery is a distinct possibility through “make-up” sales, particularly if the product or service being sold is relatively unique. A consumer unable to purchase a product from a website one day may well try again later and succeed. In such a scenario, the sale has merely been postponed and not actually lost. Another recovery scenario could crop up in the case of businesses that sell online but also have physical stores, whereby potential buyers unable to purchase online visit the stores to transact instead. This type of sales “migration” would not be picked up by an analysis of online sales alone and would result in the loss being overstated. Likewise, with the earlier example of postponed sales, an analysis of the “downtime” period alone would miss the recovery and overstate the loss. These are only a couple of examples of how loss recoveries could be missed.
One advantage of a cyber environment is usually the availability of electronic data. On one hand, the large volume of data can yield lots of useful information that will be helpful in quantifying the loss. Detailed data broken down by geographic regions, store locations and product lines allow trends and buying patterns, as well as losses directly related to the cyber event, to be determined. On the other hand, large volumes of detailed data could prove challenging to analyse without the proper software and skills.
THE ROLE OF FORENSIC ACCOUNTANTS IN CYBER INSURANCE CLAIMS
Forensic accountants can assist insurers in the measurement and verification of the loss in cyber claims and can work as part of a wider team of experts including claims handlers, IT analysts, lawyers and adjusters. Forensic accountants ensure that the losses are measured reasonably, accurately and in accordance with the terms of the insurance policy. Their work helps to provide clarity on the financial figures, which assists in settling disputes and helps safeguard insurers from overpaying. As mentioned earlier, the cyber arena is still relatively new; therefore, there is large scope for disputes to arise.
Cyber claims are typically associated with very large volumes of data, which can be overwhelming for most claim departments. Forensic accounting firms have the depth of resource, expertise and experience to handle large volumes of data and target the relevant data to measure the loss.
Forensic accountants can also assist by reviewing claimed costs and providing insight on whether these costs may meet policy criteria. Depending on the individual policy, it could be necessary to distinguish between costs to investigate a potential breach and costs to ‘beef up’ network security (which could be considered betterment and may not be covered).