01/08/2017
It is often said that data is the new oil of the digital economy.
For many companies, the harbouring and capture of data is at the heart of their business. Tech start-ups in particular are driven by data, as they search for digital oil to turn into innovative new services.
Data is the value asset of these businesses, but like any traditional asset, data is at risk of:
Recent global cyber attacks have underlined the importance of properly preparing for cyber attacks before problems arise.
That applies to all commercial enterprises, from tech start-ups through to multinational companies and their insurers.
The problem
Ransomware has become the fastest growing cause of cyber insurance claims, with powerful malware such as ‘Wannacry' attacking an increasing number of businesses. This may, however, be a mere tremor, with an earthquake yet to come — WannaCry inflicted relatively little damage compared to the more recent ‘Petya’ attack.
This new breed of ransomware appears to be more dangerous, and has caused chaos for businesses around the globe.
Early indications suggest that ‘Petya’ could cost 10 times more than ‘Wannacry' to unravel and resolve. In real terms, that means that businesses across the globe will be paying many millions of pounds in legal and regulatory costs, customer mitigation initiatives and IT/forensic costs.
In addition to these immediate costs, businesses should be mindful of the sideways exposure of cyber attacks. In particular, business interruption and the longer term impact of lost competitive advantage and customer confidence.
The trend should not be ignored. There is a constantly developing technical ability for these types of attacks to infiltrate themselves into some of the world’s most sophisticated organisations.
Ever-increasing exposures
Regulatory exposures are also developing, and businesses need to meet this burden head on. For example, the long-awaited General Data Protection Regulations (GDPR), which come into force in England and Wales in May 2018, will impose more onerous regulatory burdens and introduce the potential for considerably higher fines to be handed out by the Information Commissioner’s Office.
Even more troubling, GDPR will make it easier for third parties to bring claims against those responsible for losing their data.
In cases where several thousand customers are affected by a data breach, the attritional effect of multiple customer claims could be substantial.
The Federation of Small Businesses has recently highlighted cyber risks as being a key area which requires priority attention in the FinTech industry, and other industry bodies are making similar noises.
Whilst there are no easy solutions when it comes to cyber risks, both insurers and businesses need to be thinking about practical issues and what can be done now.
Contingency planning for insurers
Most insurers will have already built a financial contingency plan for dealing with the fallout of mass attacks such as ‘Wannacry’ and ‘Petya’. However, attention also needs to be focused on the practical implications of dealing with an attack simultaneously affecting hundreds or thousands of their insureds.
For example:
These are difficult issues to plan for, but insurers will be able to use ‘Wannacry’ and ‘Petya’ as ‘dry runs’ to build a robust, and practical, contingency programme.
Contingency planning for commercial entities
Cyber contingency and remediation planning is an absolute must for businesses of all sizes.
All commercial entities need to think about:
Kennedys advises tech companies and their insurers on a wide range of legal issues. We can assist on company and commercial pre-emptive measures.
Kennedys also provides a range of post-breach services to companies affected by data loss incidents or cyber attacks.
Read other items in the Professions and Financial Lines Brief - August 2017
