By Tim Smith, partner at leading risk and insurance law business BLM
Threats to actuaries
Cyber risk is a broad umbrella term for a number of very real and substantive risks faced by all professionals. In particular it encompasses:
- The loss or theft of personal data.
- The loss or theft of trade secrets, confidential and commercially sensitive information.
- Multi-media risk (including defamation, copyright and trademark infringement and domain name disputes).
- Physical damage caused by the use of computers and/or the internet.
- Denial of service attacks and/or hardware and software malfunction.
- Cyber extortion.
The use of personal data is governed by the Data Protection Act. Personal data is, in essence, any data from which a living individual may be identified, such as names, addresses, credit card details and medical data. Actuaries may find themselves handling significant amounts of it.
In addition to facing claims from clients whose information has been lost, and the reputational harm that follows, an actuarial business also faces the risk of regulatory fines imposed by the Information Commissioner for breaches of the Data Protection Act. At present a fine of up to £500,000 may be imposed, but this is likely to rise significantly when the new EU General Data Protection Regulation is introduced in the next 12-18 months. Any organisation regulated by the Financial Conduct Authority (FCA) may also be fined by the FCA.
A denial of service attack occurs when attackers flood a target business's network or servers with more traffic or requests than they can handle, so that legitimate users cannot get through or the systems fail altogether. Such attacks can be coupled with extortion (where, for example, a third party locks a company out of its own systems, or threatens continued disruption, unless a payment is made). A system malfunction caused by flawed software or hardware may have the same effect. Many businesses are now almost completely dependent on the smooth running of their computers and are therefore extremely exposed to the consequences of system downtime, which affect both the business itself and its customers.
Why are the risks increasing?
A number of factors have come together to increase the risk faced by all professionals:
- Organisations are increasingly reliant on the availability of their computer systems to conduct their business, and increasingly store all of their key information on those systems.
- Access to computers, the internet and the black market for malware and 'denial of service' tools is now far easier than before. Hacking and system disruption are no longer restricted to those with a high level of technical expertise; ready-made tools can be bought by anyone with an internet connection. Increasingly, activists, disgruntled employees, competitors and criminals have access to sophisticated programs designed to steal information and/or damage and disrupt computer systems.
- Increasing awareness among attackers of the effectiveness of these tools, in the light of major cyber incidents involving high-profile companies such as Target, Home Depot and Sony.
- The introduction of compulsory reporting of cyber breaches will make potential claimants aware that a breach has occurred. Claims management organisations are likely to take the opportunity to promote claims against organisations that have lost data, much as they did with PPI.
- The much higher fines being considered by the European Union.
- Changes in the courts' approach to awarding compensation. Historically it has been extremely difficult to pursue a claim for compensation where no actual financial loss has been suffered (often the case where, for example, health data is lost or stolen). However, the UK courts have increasingly been willing to award damages, albeit modest ones, to people whose data has been lost or stolen. Where the lost material relates to a very large number of individuals, group actions are a significant threat.
- Criminals and hackers are looking for easier targets than their historic ones, such as technology companies and banks.
Reasons to address cyber risk
The Government is pushing for the UK to raise its standards of cyber security and risk management in order to make it an attractive place for businesses to operate. Organisations in the front line such as the Government, defence suppliers, energy companies and financial institutions are increasingly conscious that in order to fully protect themselves and manage their risk they need to ensure that all of those involved in their supply chain have similar cyber security risk management in place. Professionals will not be able to do business with such organisations without having suitable arrangements in place.
Guidance was issued in 2014 in which the Government identified specific risks for UK professionals involved in takeovers and mergers. The guidance was supported by the London Stock Exchange, the Takeover Panel, the Law Society and the Corporate Finance Faculty of the Institute of Chartered Accountants in England and Wales. It highlighted a recent statement by the Director of GCHQ, Iain Lobban, that Britain was experiencing “industrial espionage on an industrial scale”. Corporate finance transactions were considered particularly attractive because of the range of parties involved and because commercial data, intellectual property and sensitive client data would all be in play. The threats identified included:
- Individuals with an appreciation of the value of the sensitive data that could be stolen and sold on.
- Organised crime networks who might seek to use illegally obtained information to profit on the Stock Exchange.
- Competitors who might look to gain advantage in tenders or negotiations by accessing confidential information such as pricing data.
- Nation states who might be seeking to further their interests or those of their own businesses.
- Activists driven by political or moral opposition to a particular company, deal or transaction.
- Employees or contractors who acted with a lack of care and whose errors increased the risk of security compromise.
Managing your risks
Companies can protect themselves to some extent by investing in IT security. However, human error remains a primary source of breaches. That risk can be reduced through training but, as in any walk of life, human error will still occur. In such circumstances insurance has a significant role to play in enabling companies that have done all they reasonably can to manage their risk to transfer the residual risk. Cyber insurance products can cover the risks identified above and can either sit alongside existing cover, be built in as part of that cover, or sit above traditional policies and “drop in” to any gaps.
Those policies not only cover the damages and losses that might flow from a breach but can provide assistance in identifying the cause of breaches and prevent them from happening again. They can also provide credit monitoring for customers whose information has been lost and public relations support to deal with any adverse publicity.
The Government’s guidance indicates that, while good cyber security measures will help to protect sensitive and valuable information, they cannot eradicate cyber risk. Organisations should have a cyber incident management plan in place for the intrusions that will occur in the normal course of business, and should know in advance who will need to be notified (regulators, clients and insurers) and within what timescale. The key to effective management is identifying and understanding the threats, understanding the level of risk involved and putting in place security measures that are appropriate and proportionate to those threats and risks. The threats are constantly evolving and businesses will need to keep developing their defences to keep pace.