Why is Cyber Liability Insurance important for Hong Kong businesses?

Only a few years ago, cyber security incidents and data breaches involving Hong Kong businesses were sufficiently rare as to be newsworthy events. Today, these events have become a common occurrence. As a result, more businesses are seeing cyber liability insurance as an essential line of business insurance, alongside general liability or directors’ and officers’ insurance. Nicholas Blackmore, Special Counsel at Kennedys, looks at why cyber liability insurance is important for Hong Kong businesses.

Cyber security incidents and data breaches
Most cyber insurance policies provide cover for both cyber security incidents and data breaches (events). While they sound similar, they are actually quite distinct.

A “cyber security incident” means any situation in which a third party interferes with, attacks or gains access to your computer systems. This covers the classic “hack” in which an intruder gains unauthorised access to your computer systems, but also a range of other situations such as a malware or ransomware infection or a denial of service attack.

A “data breach” means any situation in which there is unauthorised access to or disclosure of data, or loss or theft of data held by your business. This can cover everything from a hacker gaining access to data stored on a network drive, to accidental publication of data on a website, to loss of a data storage device.

Some cyber security incidents result in a data breach, but not all. For example, a hacker may succeed in gaining access to your system, but be unable to access password-protected files. Many forms of ransomware encrypt data to disrupt the operation of software, but do not attempt to upload a copy of it.

Similarly, data breaches can arise without a cyber security incident. Many data breaches are the result of human error or bugs in software. For example, a data breach may occur because an employee emails a file to the wrong recipient, or because an error in the code of a web server displays customer data to the wrong customers. Despite their name, many cyber policies also cover data breaches involving non-electronic data. Traditional paper files and folders can be lost by couriers or disposed of carelessly.

How common are cyber security incidents and data breaches?
It is hard to reliably track the number of cyber security incidents and data breaches experienced by businesses in Hong Kong, as many of these events are still kept confidential and dealt with in secrecy.

The South China Morning Post reported in December 2018 that Hong Kong was increasingly a major target for hackers, with more than 9,000 cyberattacks in that year and associated financial losses of HK$2.2 billion.

A survey conducted by a major insurer earlier this year found that 70 percent of small-medium enterprises in Hong Kong had experienced a cyber incident in the previous twelve months. 

How expensive are cyber security incidents and data breaches?
Each year, the Ponemon Institute publishes a study on the cost of common, “medium-scale” data breaches (those involving less than 100,000 records), with data drawn from 477 participating organisations around the globe.

In 2018, the Ponemon study found that the average cost of a data breach was US$3.86 million, which equates to US$148 per record. By comparison, the study also found that a “mega-breach” involving tens of millions of records (such as those suffered by Facebook and Equifax) could cost anywhere from US$150-350 million.

There were three major components which each made up roughly a third of these average costs:

• the costs of detecting, investigating and escalating a data breach;
• the costs of responding to a data breach in the longer term; and
• the costs of “churn” or lost business following a data breach.

Interestingly:

• having cyber insurance in place reduced the cost of a data breach by US$4.80 per record (or approximately US$120,000 for an average breach); and 
• having access to an incident response team (which many cyber insurance policies provide) reduced the cost of a data breach by US$14 per record (or approximately US$350,000 for an average breach).

What does cyber insurance cover?
Cyber insurance is a relatively new insurance product, and as such there is variation in terms of what a cyber insurance policy covers as insurers seek to differentiate their policy in a crowded market. However, most cyber insurance policies cover four basic things:

• costs of responding to and remediating an event;
• costs of responding to regulatory investigations arising from an event;
• business interruption loss arising from an event; and
• liability to third parties arising from an event.

Responding to and remediating an event
Cyber security incidents and data breaches often require an urgent response because:

• When discovered, a cyber security incident or data breach is often ongoing. An attack on your systems will generally continue until you take technical measures to contain or stop it. Time is of the essence in these situations: the longer the event continues, the more damage may be done and the more people may be affected.
• In the case of ransomware, the amounts demanded to decrypt data usually increase as time goes on. It is important to quickly determine to what extent your systems are affected and whether it is possible to restore your systems from back-ups.
• You may be legally required to notify regulators or affected individuals. While data breach notification is not mandatory under Hong Kong law, the European Union’s General Data Protection Regulation and the Philippines’ Data Privacy Act both require data breaches to be notified within 72 hours of discovery. Laws in Australia and South Korea require notification of data breaches as soon as practicable. Even where it is not required by law, the early notification of affected individuals can allow them to take steps to protect their identity, and therefore reduces potential liability to those individuals.

Beyond simply covering the costs of responding to an event, many cyber insurance policies also provide practical benefits to policyholders, such as 24-hour access to a breach coach or incident manager. This allows the policyholder to quickly report an incident and obtain immediate practical advice on how to respond to the incident. The breach coach effectively takes over the response on behalf of the insured, assembling a response team and managing its performance. Effectively, this allows the insured to “outsource” a significant part of the incident response process.

The process of remediating and dealing with the fallout from a cyber security incident or data breach is often a complex process that requires a team assembled from experts in different areas:

• A technical forensic investigator initially works to identify the scope and extent of the incident, contain the incident to the affected systems and takes action to stop the incident if it is ongoing.
  Once the threat has passed, the investigator then moves on to the task of remediating affected systems, restoring or reinstalling software and data, and in some cases replacing damaged hardware. The investigator will also draw conclusions about the causes and extent of the incident.
•  A lawyer advises on the legal requirements to notify regulators and affected individuals in relevant jurisdictions. Determining whether notification is required usually requires working with the technical investigator to determine what personal data the intruders accessed and other circumstances of the incident. 
• A public relations consultant assists in dealing with affected individuals, business partners and the media. They will develop a communications strategy to ensure that all affected parties are kept informed and that the incident is portrayed in the best light. If notification is required, they will assist with this and in setting up inbound communications (such as a call centre) to handle follow up queries from the public. 
• Identity protection services are often provided to individuals affected by a data breach, particularly when there is a risk of identity theft. There are several kinds of identity protection services – some monitor the individual’s credit record or block credit applications, others monitor the “dark web” to identify whether the individual’s personal data has been shared or offered for sale.

While not all of these experts will be required to respond to all incidents, engaging such a wide range of specialists for an urgent response is inevitably expensive, and very few companies could afford to have this expertise in-house on the off-chance that they will suffer an event.

Responding to regulatory investigations
In the aftermath of a major data breach, it is common for regulators to at least consider conducting a regulatory investigation.

The Hong Kong Privacy Commissioner for Personal Data (the Commissioner) may investigate a data breach in response to a complaint from an affected individual, or on its own initiative. The Commissioner has broad powers to conduct an investigation. It can:

• make enquiries by correspondence or by interview;
• require information or documents to be provided;
• enter premises to carry out an inspection; or
• hold hearings or less formal proceedings.

It is usual to seek legal advice and assistance throughout the investigation process. A lawyer can assist in preparing responses to the Commissioner, advise on maintaining legal professional privilege, be present to ensure that interviews and inspections are carried out within the law, and represent the data user at any proceeding. 

The Commissioner also has the power to issue an enforcement notice, which requires the data user to take specific measures such as:

• preparing internal policies and processes;
• conducting compliance training for staff;
• taking steps to protect affected individuals from potential consequences of the breach;
• publishing apologies; and
• compensating affected individuals.

Most data privacy regulators in other jurisdictions have similar investigative powers, and it is not uncommon for regulators in different jurisdictions to cooperate and conduct investigations simultaneously.

In addition to data privacy regulators, investigations may also be commenced by other bodies, such as industry regulators (particularly if a licence term, industry code or guideline may have been breached) or law enforcement agencies (if there is evidence that a crime may have been committed).

Business interruption loss
Unsurprisingly, a cyber security incident can be disruptive to your business’s trading activities and cause a loss of profit. Business interruption covers you for this loss.

Ransomware, for example, could make your computers unusable or your data inaccessible until you either pay the ransom or restore from a backup. In an ideal world, this would be hours, but in practice this can take days or weeks. A denial of service attack can mean that your customers are unable to use your e-commerce website for hours or days. A hacker can vandalise your systems or delete data to cover their tracks.

Business interruption cover varies from insurer to insurer. Typically, it requires that a cyber security incident cause an outage, disruption or deterioration in the availability or performance of your systems which is longer than a specified minimum period. Once this requirement is satisfied, the insurance will cover any loss of profit your business incurs (up to any applicable sublimit) until your systems are restored.

Assessing business interruption loss is not a simple task and often requires an examination of business records by a forensic accountant.

Liability to third parties
Finally, a cyber insurance policy will cover claims made against you by a third party resulting from a cyber security incident or data breach. Most policies will cover any amounts paid for damages or as a settlement, as well as the costs of a lawyer to advise and represent you in the dispute.

Individuals affected by a data breach may take action against you by demanding compensation under section 66 of the Personal Data (Privacy) Ordinance (the PDPO). The individual would need to prove that you had breached the PDPO, usually by failing to comply with the obligation under Data Protection Principle 4 to take all practicable steps to protect personal data against unauthorised or accidental access, processing, erasure, loss or use. This is not necessarily the case in every data breach – a breach may occur despite your best efforts. If successful, the individual would be entitled to recover compensation for any loss that they have suffered as a result of the data breach, including for emotional distress.

Conclusion
As the number of cyber security incidents and data breaches increase, cyber insurance is increasingly indispensable for business. Cyber insurance policies not only cover the policyholder for third party claims, but also provide coverage of the costs of responding to an event which can be substantial.