According to a PricewaterhouseCoopers survey, in 2013 the number of cyber security incidents globally soared to 42.8 million, up 48 percent from 2012, while the average loss for a large company rose from $3.9 million to $5.9 million. Companies that have seen recent, major cyber breaches include Target, Home Depot Inc., Neiman Marcus and JP Morgan Chase & Co.
To help understand the scale of these breaches, the Target incident saw the debit and credit cards of 40 million customers stolen as well as the PIN numbers, e-mails, and addresses of 70 million people. A number of class action lawsuits have been brought against Target with some analysts anticipating the Target breach costs to pass $1 billion, exceeding their insurance limits.
In early September, Home Depot announced that a cyber attack that lasted for 5 months from April resulted in credit card details for 56 million customers being stolen. And it was only last week that JP Morgan Chase confirmed 76 million households and 7 million small businesses were impacted in their cyber attack of June and July this year.
The threat and now prevalence of these cyber attacks is so great that many American firms are actively seeking insurance coverage to protect themselves against the expense of a cyber attack and of losing sensitive and confidential customer information.
Not unexpectedly, Insurers are moving quickly to capitalise on this increasing market demand, for coverage that has been around since the late nineties and which is becoming increasingly more relevant and essential to a firm’s insurance portfolio.
Cyber security insurance goes by many names such as those that are trademarked like CyberSecurity by Chubb, or generic names like Cyber Insurance, Cyber Liability Insurance, Cyber Crime Insurance, Cyber Risk Insurance and even E-Risk Insurance.
We prefer the phrase cyber security insurance since it should complement a good online and IT security risk management strategy that employs a wide array of techniques in companies’ efforts against the cyber risk and to thwart cyber attacks.
What is available?
Cyber security insurance coverage will vary from policy to policy, and insurer to insurer, but the base idea is that the policies will provide insurance protection for companies against lost revenue, lawsuits, damage to reputation and brand and other costs related to a cyber attack or “being hacked”.
In the cyber risk world the phraseology “first party” and “third party” are often used to distinguish between the elements of cover being provided.
“First party” is designed to protect your business, and meet the costs of the immediate needs of a company resulting from a data breach or cyber attack such as the cost of independent IT services to determine whether a breach has occurred, the costs of notifications to relevant parties such as customers and employees, the costs of PR and crisis management, consequential loss and additional expenses such as staffing costs arising from a covered claim and Cyber extortion (ransom) reimbursement.
“Third Party” is designed to indemnify your business for any of the legal costs that are associated with a cyber attack, such as defence and liability coverage for lawsuits brought against the business by a customers or third parties, and covering the costs of the defence, judgments and awards or settlements, including breaches of or infringement of copyright.
For those businesses NOT offering online services for such as purchases and payment systems and the like, then, for the most part, they would not be interested in the “third party” form of coverage.
. . and in Thailand
The insurance market in Thailand does not yet have the understanding, sophistication and availability of coverage that one would find in the UK or the US but there are a number of Insurers here with the capability of providing basic cover.
Coupled with a broker who will take the time to fully understand your needs it should be possible to tailor a cyber security programme suited to your risk exposure and your budget.