Cyber Risk and Cyber Liability Insurance PDF (University of the Witwatersrand)

Summary

This document provides an introduction to cyber risk and cyber liability insurance, discussing the topic's relevance in today's digital age. It explores various types of cyber risks, methods of attacks, and strategies for managing them. The document also touches on the global context of cyber risk and its implications for businesses.

Full Transcript


UNIVERSITY OF THE WITWATERSRAND
SCHOOL OF BUSINESS SCIENCES
BCOM. HONOURS INSURANCE AND RISK MANAGEMENT
BUSE4024A Advanced Liability Insurance and Risk Management 2023
Lecturer: Ms Penny Spentzouris

LECTURE 11 - Cyber-risk, Cyber Security and Liability Insurance

Introduction

The topics of cyber risk, cyber security and liability insurance are increasingly relevant in today's digital age. As we become more dependent on technology and digital systems in our personal and professional lives, we also become more vulnerable to cyber-attacks and data breaches. The society we now live in is the information society: many of the decisions and activities that firms engage in revolve around data, and, due to globalisation, more and more businesses are turning to the internet to enhance their competitiveness. The risks associated with cyber incidents are multifaceted and can have significant consequences for individuals and organisations alike, ranging from reputational damage and financial losses to legal liabilities and regulatory fines. Therefore, understanding the nature of cyber risk, the principles of cyber security and the role of liability insurance in mitigating these risks is crucial for anyone operating in today's digital environment.

Confidential information obtained through an information security breach can be used for a variety of sinister purposes such as fraud, identity theft, extortion against the company and breach of privacy (e.g. when information is shared on social platforms). Privacy and cyber security are growing areas of potential liability for firms globally. Firms that misuse personal information or fall victim to data breaches can face reputational damage, regulatory fines and other penalties, and class action lawsuits by 3rd parties.

We will explore the various types of cyber risks, the methods of cyber attacks, and the strategies for managing and minimising those risks.
We will discuss the principles of cyber security, including the importance of risk assessments, threat intelligence and incident response planning. Finally, we will delve into the role of liability insurance in protecting organisations against the financial and reputational impacts of cyber incidents.

Nature, definition and global context of cyber risk

Cyber is a fairly new business risk that rose to prominence with the increase in the use of information technology (IT). Most businesses and services, education included, are increasingly being conducted on the internet. For example, in 2012 Canadian firms sold in excess of $122bn worth of goods and services over the internet. The increase in the use of the internet comes with risks called cyber risks, i.e. risks associated with the use of IT to conduct business. The risks could take the form of reputational damage, regulatory penalties and claims by 3rd parties. Most of the claims are linked to the data that firms hold relating to clients or other 3rd parties and the security of that data.

Some industries are more exposed to cyber risk than others. The nature of a firm's business is a key determinant of the extent of exposure that the firm faces. A Verizon study conducted in 2015 identified the following industries as facing the highest cyber risk exposure:

§ Public entities, e.g. the justice department, entities dealing with public order issues, electricity and gas supplying entities, as well as entities that supply other public utilities.
§ Information processing and vending entities, e.g. publishing houses, software publishers, motion picture production companies, telecommunication companies, data processing and hosting companies, broadcasting companies etc.
§ Financial services firms, e.g. banks, insurance companies, securities trading companies, brokers, credit management companies etc.

Now even SMMEs are beginning to realise that they are not immune to cyber risk.
This risk has been identified by the World Economic Forum, alongside climate change, as one of the risks to watch over the course of this century.

Cyber risk is a business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise (Marsh, 2015).

From the above text-boxed definition it is clear that the tentacles of cyber risk are multiple. Cyber risk can be transmitted to an organisation in various ways, including ownership, operation, involvement, influence and adoption of IT. As long as a firm is directly or indirectly reliant on IT-related inputs or outputs, it is vulnerable to cyber risk.

Information and some of its sinister uses

It is often said that we are now living in the information age. This simply means that information and its processing is now an integral part of the value chain of most businesses. It is therefore not surprising that access to information is associated with a number of sinister activities that can be used to harm businesses. If information or data gets into the wrong hands, it can be used in harmful ways such as:

§ Fraud
§ Perpetration of theft, including identity theft
§ Extortion against firms
§ Defamation
§ Breach of privacy (invasion of privacy)
§ Blackmail

Apart from the above, there are other ways that information can be used to the detriment of firms if it comes into the wrong hands, because cyber risk is always evolving: cyber criminals continue to look for other ways to achieve their sinister objectives, whatever those may be.

According to Marsh (2015), cyber risk is similar to IT risk: it is the risk to a "business associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise". It is therefore apparent that cyber risk is broad in its conceptualisation, and firms are exposed to it from a variety of perspectives, such as the use of IT, the influence of IT on the operations and activities of the firm, and ownership of IT.
Cyber risk has become an increasingly important issue for insurers in recent years. According to a report by Swiss Re (2019), the global cyber insurance market is expected to reach $7.5 billion in annual premiums by 2020, representing a significant growth opportunity for insurers. In response to the growing demand for cyber insurance, many insurers have developed specialised cyber insurance products. These products typically provide coverage for a range of cyber risks, including data breaches, network interruptions and cyber extortion. They may also offer additional services such as risk assessments, incident response planning and cyber security training.

Insurers have also been exploring new approaches to underwriting cyber risk, including the use of advanced analytics and data modelling techniques to better understand and quantify cyber risks. Some insurers are also partnering with cyber security firms to provide more comprehensive risk management solutions to their clients. At the same time, insurers are grappling with the challenges of underwriting cyber risk. Cyber risks are complex and constantly evolving, making it difficult to accurately predict and price them. There is also a lack of standardisation in the cyber insurance market, which can make it challenging for insurers and clients to compare policies and coverage.

There are various sources of cyber risk, which can be broadly classified into two categories: external and internal.

External sources of cyber risk include:

1. Hackers and cyber criminals who attempt to exploit vulnerabilities in computer systems and networks to gain unauthorised access to data or disrupt operations.
2. Malware, such as viruses, worms and Trojan horses, which can be used to steal data, damage systems or launch attacks.
3. Phishing and social engineering scams, which trick individuals into providing sensitive information or clicking on malicious links.
4. Nation-state actors and cyber espionage, which involve foreign governments or organisations targeting other nations for political or economic gain, e.g. organised crime syndicates, including terrorists.

Internal sources of cyber risk include:

1. Insider threats, which involve employees or contractors who intentionally or unintentionally cause harm to computer systems or data. This can include malicious insiders who steal data or sabotage systems, as well as unintentional insiders who make mistakes that lead to security breaches.
2. Human error, which can include mistakes such as misconfigurations, weak passwords or failing to update software.
3. Equipment failure, which can include hardware or software failures that cause disruptions or data loss.

It is important to note that cyber risks are constantly evolving and can arise from a wide range of sources. Organisations should regularly review their risk profile and take steps to mitigate and manage cyber risk, including implementing robust cyber security measures and investing in cyber insurance. It is clear from this that cyber risk invariably involves the human element. The motives of cyber criminals could be financial or non-financial (e.g. pure malice or vindictiveness).

The figure below shows the taxonomy of cyber risk for a typical firm.

[Figure: Taxonomy of Cyber Risk for Corporations]

Cyber risks vary depending on the capability and sophistication of the attack (bespoke attacks committed by cyber experts), its persistency (short-term, opportunistic, automated or long-term) and the proximity of the attacker (internet/remote attack, local network external attack e.g. wifi, insider attack with network access, physical access to IT infrastructure). Typically, cyber risk can produce different types of harm or damage for firms. The forms of damage do not affect all firms all the time; much depends on the business activities of the firm and its sensitivity to an information data breach.
The forms of damage arising from cyber risk are:

• Intellectual property theft
• Business interruption
• Data and software loss
• Cyber extortion
• Cyber-crime, e.g. fraud
• Breach of privacy
• Network failure leading to liability to 3rd parties
• Damage to reputation
• Physical asset damage
• Death and bodily injury
• Incident investigation and response costs

In one incident, hackers breached a computer system at a German steel plant, causing an unscheduled shutdown and massive physical damage. In the US, a retailer that suffered a data breach involving 40m payment card records and the personal data of around 70m further individuals, following an infiltration of its corporate network via a link with a 3rd party contractor, incurred costs in excess of US$200m.

See: 2021 Cisco Cyber Threats Trends Report: https://umbrella.cisco.com/info/cybersecurity-threat-trends-report?utm_medium=searchpaid&utm_source=google&utm_campaign=UMB_23Q3_AF_EN_GS_Nonbrand_Threats&utm_content=UMB-FY21-Q4-content-ebook-2021-cyber-security-threattrends&_bt=617330338008&_bk=cybersecurity+threats&_bm=p&_bn=g&_bg=124407640071&gad=1&gclid=CjwKCAjwrpOiBhBVEiwA_473dNGIr9CzP5VTw9r7NsCCZJ1YepHTkOE9vr4-1uM62pfRnvW-Q2Z0hoCJAIQAvD_BwE

Cyber Risk and Insurance

The insurance market for cyber risk is still developing. Even in developed countries, cyber risk insurance coverages are still associated with significant conditions restricting the scope of coverage. In addition, it is extremely rare to find policies that offer comprehensive cover for cyber risk. That said, cyber insurance has been issued in various forms in developed markets for more than 10 years. Even so, when compared to other types of insurance such as marine and fire insurance, cyber insurance is still in its infancy. However, this type of insurance has entered the spotlight in the past few years due to the increasing influence of IT and the internet in business transactions.
There are 2 types of insurance policies used to cover cyber risk: 1st party policies on the one hand and 3rd party policies on the other. First party policies provide indemnity for direct financial losses and expenses suffered by the insured as a result of a data breach. A common data breach loss covered under 1st party policies is business interruption. Third party insurance covers losses suffered by 3rd parties following a data breach for which the insured is legally liable. Policies vary significantly in terms of the scope of coverage that they provide. Available policies exclude losses arising from or claims associated with the following:

§ Intellectual property theft
§ Cyber espionage
§ Death and bodily injury

Third party cyber policies can be written on a claims-made basis or a loss-occurrence basis.

First party cyber policies indemnify the insured for the following loss types:

§ Destruction or loss of client data through theft or fraud
§ Forensic investigation costs to determine the source of the data breach and its magnitude
§ Business interruption: lost income and related costs following a data breach or cyber incident
§ Extortion: costs incurred in the investigation of cyber threats or money paid to extortionists
§ Costs associated with data loss and restoration, e.g. the cost of restoring damaged hardware or software

The above losses and costs are incurred by the insured directly as a result of a data breach or cyber incident. For this reason, they fall under 1st party insurance coverage.

As far as 3rd party (liability) insurance coverage is concerned, the following 3rd party claims against the insured are normally covered:

§ Litigation and regulatory costs: the costs of defending civil lawsuits, settlements (damages), judgments and penalties.
§ Regulatory response costs, e.g. in the event of a data breach or cyber incident, regulation may require the insured to adopt certain measures that come at a cost. For example, the insured may be required to issue immediate notification to all clients that may be affected by the incident in question.
§ Crisis management costs
§ Media liability, including copyright, trademark or service mark infringement
§ Privacy liability arising from data infringement

As with any other 3rd party claims, the policy pays where the insured's legal liability is proved. In Block 1 it was indicated that liability arises where 3 things exist: (1) a wrongful act, (2) the act must be recognised at law as entitling the 3rd party to a civil remedy, and (3) the occurrence of harm. Current global evidence on cyber liability shows that one of the main sticking points in these claims relates to the conceptualisation of harm. In the discussion on liability for climate change and global warming, we saw that the main sticking point affecting the success of most claims revolves around the legal requirement to prove causation. In liability for data breach, the main legal hurdle relates to proving that harm has indeed occurred, not that harm may or could potentially occur in future. If the personal information of clients is stolen, does this constitute the occurrence of harm in itself, or does harm occur only when the data thief actually uses the information for sinister purposes? In the US, the Supreme Court has held that for a data breach incident to constitute actionable harm, it must be shown that the harm in question is concrete, particularised and actual or imminent. The mere anticipation or speculation that harm might occur in future is not enough to be actionable (see Lujan v Defenders of Wildlife 504 US 555 (1992)). This is a very controversial issue because courts in a number of US states have not followed this Supreme Court guideline and have imposed liability in some cases where harm is not concrete, actual or imminent.

However, the conceptualisation of harm is not a problem in certain types of data breach claims.
For example, a data breach involving credit and debit cards in financial institutions always produces losses that are concrete and particularised. In addition, the approaches used to conceptualise harm differ between the judiciary and administrative/regulatory agencies. Regulatory agencies have tended to adopt a less strict conceptualisation of harm than that set by the US Supreme Court, for example: regulatory agencies can bring claims against companies that they consider to be putting personal client data at unreasonable risk.

Cyber-crime cases in South Africa

Cyber risks have become increasingly prevalent in modern society, and South Africa is no exception. With the rise of digitalisation and the internet, the country has experienced a surge in cybercrime and cyber-related legal cases. In this essay, we will discuss some of the legal cases in South Africa that involved cyber risks and their impact on the country's legal system.

One of the most notable cyber-related cases in South Africa was the data breach of Liberty Holdings, one of the country's largest insurance companies. In 2018, Liberty Holdings experienced a cyberattack that resulted in the theft of sensitive customer information, including names, email addresses and policy numbers. The company responded by launching an investigation and notifying its customers of the breach, but the incident still caused significant damage to the company's reputation and resulted in legal action from affected customers.

Another high-profile case was the 2017 hacking of the South African Police Service (SAPS) database, which exposed the personal information of over 16,000 police officers. The breach was a major blow to the country's law enforcement agency, as it compromised sensitive information that could be used to target police officers and their families.
The case highlighted the importance of cybersecurity measures within government agencies and the potential consequences of failing to protect sensitive data.

In addition to data breaches, South Africa has also seen a rise in cyber-related fraud cases. In 2019, a businessman was sentenced to 15 years in prison for running a Ponzi scheme that defrauded investors of over R23 million (approximately $1.6 million USD). The scheme relied heavily on social media and online platforms to lure investors, highlighting the need for increased regulation and awareness of online investment scams.

The legal system in South Africa has struggled to keep up with the rapid pace of technological change, and cyber-related cases often pose unique challenges for the country's courts. One notable example is the use of blockchain technology in cryptocurrency transactions, which can make it difficult to trace and recover stolen funds. Another challenge is the cross-border nature of cybercrime, which often involves perpetrators operating from outside the country's borders and requires international cooperation to prosecute.

Despite these challenges, South Africa has made significant strides in developing a legal framework to address cyber risks. In 2019, the country passed the Cybercrimes Act, which criminalises various forms of cybercrime and establishes penalties for offenders. The act also includes provisions for the investigation and prosecution of cybercrime, as well as measures to enhance cybersecurity within the country.

In conclusion, cyber risks pose significant challenges for South Africa's legal system, but the country has shown a commitment to addressing these challenges through legislation and increased awareness. As technology continues to advance and cyber threats evolve, it will be critical for South Africa to remain vigilant and adaptable in its response to cyber risks.
Cyber Risk Management Issues

Managing cyber risk, like any other risk, requires a systematic approach that enables appropriate decisions and measures to be taken at the right time. A useful risk management framework for cyber risk could be structured as follows:

§ Step 1 – understand the firm's or organisation's cyber ecosystem. This simply refers to an understanding of the extent to which an organisation's activities, processes and procedures are driven by, dependent on or influenced by IT.
§ Step 2 – assess and understand the type of information or data that the firm or organisation is holding. Focused and effective security controls can only be adopted where there is a good understanding of the type and nature of the information that the organisation is holding.
§ Step 3 – of the information or data that the firm is holding, identify which components are most valuable. This requires an assessment of the data's legal and commercial sensitivity. In addition, this step requires an understanding of the statutory and regulatory requirements applicable to the data or information in question, as well as its business importance.
§ Step 4 – identify where the data is located, who has access to it, at what intervals and how. This is the stage where things could go wrong, hence focused controls need to target this step of the framework. If there are information vendors involved, these must be managed and what they can access should be monitored.
§ Step 5 – assess and measure the potential impact of any data security breach on the organisation and on 3rd parties.
§ Step 6 – apply focused controls to potential areas of vulnerability. This requires building secure and resilient IT systems.
§ Step 7 – put in place an appropriate system of incident notification and remediation. More often than not, cyber risk in the form of a data breach requires some form of crisis management system to be activated. In some cases, measures contemplated under this stage of the risk management framework could be statutory or regulatory.

A fundamental aspect of cyber risk management is enhanced cyber security. In order to build a secure and resilient IT system, it is important to bear the following in mind:

§ Know the firm's crown jewels: the firm must understand what is at risk.
§ Know the firm's threat landscape: every firm must know what cyber risk means to it and its business operations.
§ Know what is needed to build a resilient IT system, i.e. the firm must know what is required to mitigate its exposure to cyber risk.
§ Take decisions and prioritise what needs to be done.

Cyber risk has the potential to precipitate a crisis for the affected firm for 3 reasons:

§ The scale of damage is usually extensive and sometimes it could be international
§ The speed of the impacts from a data breach incident
§ The scale of reputational damage that such events may cause: cyber risk can undermine investor and customer confidence, similar to a run on a bank

Unlike common risks that firms encounter on a routine basis and manage through the risk register, cyber risk poses a completely different challenge, because managing this risk type through the risk register alone is unlikely to be adequate. Furthermore, for cyber risk, reliance on insurance alone is also unlikely to be adequate, for several reasons. The scope of insurance coverage is more likely than not to be limited, or the insurance may not even be available. In addition, insurance may not respond fast enough, especially where a data breach incident triggers a crisis: insurance companies usually must investigate and quantify the claim before indemnity is tendered, and this takes valuable time that an organisation facing a data breach crisis simply may not have. Therefore, firms need a robust cyber risk governance framework resting on the following blocks or pillars.
These are:

§ An effective risk governance structure – this requires an understanding of the operating model of the organisation concerned. Effective risk governance requires an effective Board Risk Committee to be in place. This committee must be independent of executive management to provide oversight of the effectiveness of the organisation's risk management system and processes. Governance forms the 'human firewall' against cyber risk.
§ Effective risk assessment – this involves identifying and evaluating potential cyber risks and their potential impact on an organisation's operations and assets. This assessment should be conducted regularly to ensure that new risks are identified and addressed promptly.
§ Identity and access management system – this is a complex process to manage. It requires the identity life cycle within the organisation to be managed, i.e. people joining and leaving the organisation. It is also helpful to promote multi-factor authentication to ensure that only the right people have access to the sensitive data. It is also good practice to encourage regular change of passwords by those with access to the data.
§ Policies and procedures – a comprehensive set of policies and procedures should be developed to guide an organisation's approach to managing cyber risks. These policies should cover areas such as data classification, access controls, incident response, and employee training and awareness.
§ Technical controls / application security – i.e. the system applications used by the organisation and their security. Applications that the firm uses for information collection or dissemination must be as secure as possible. Technical controls, such as firewalls, intrusion detection systems and encryption, are critical components of any cyber risk management framework. These controls should be implemented and maintained to protect against cyber threats and vulnerabilities.
§ Vulnerability and patch management (i.e. configuration fixes) – vulnerability and patch management focuses on 2 main aspects. The first is identifying possible breaches and the other is putting in place the remedial measures necessary to prevent such and other breaches in future. Identifying possible breaches involves things such as penetration testing, vulnerability scans and application scans. Remedial measures entail patch management, i.e. system configuration fixes. Vulnerability and patch management is important because it enables effective security measures to be developed ex ante rather than on an ex post or reactive basis.
§ Incident response – this requires that an organisation develops a system of incident response along the following lines: (1) identification of the incident or data breach, (2) containment of the incident, (3) eradication of the breach, (4) recovery, (5) post-incident measures. An incident response plan outlines the steps that an organisation will take in the event of a cyber-attack or data breach. It should be regularly tested and updated to ensure that it remains effective and relevant.
§ Employee training and awareness – employees are often the weakest link in an organisation's cyber defences. Therefore, a robust cyber risk management framework should include ongoing employee training and awareness programmes to promote a culture of cybersecurity within the organisation.
§ Continuous monitoring and improvement – cyber threats are constantly evolving, so a robust cyber risk management framework should include ongoing monitoring and regular review to identify new risks and vulnerabilities. This continuous improvement process ensures that the organisation's cyber defences remain effective and up to date.

A robust cyber risk management framework should therefore include a comprehensive risk assessment, policies and procedures, technical controls, an incident response plan, employee training and awareness, and ongoing monitoring and improvement.
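The identity-lifecycle and multi-factor points under the identity and access management pillar above lend themselves to a concrete, repeatable check. The following is an added example, not part of the lecture notes or any vendor's product: it reconciles a constructed HR roster against a constructed identity-provider export and flags leavers whose accounts are still enabled, accounts with no HR record, enabled accounts without MFA, and dormant accounts, ranking privileged accounts first. All names, dates, field names and the 90-day dormancy threshold are assumptions.

```python
"""Joiner/leaver reconciliation for identity and access management.

Added example (not from the lecture notes). Checks an identity-provider
export against the HR roster for the failures the IAM pillar is meant to
prevent: leavers still enabled, accounts unknown to HR, enabled accounts
without multi-factor authentication, and dormant access. All names, dates
and field names below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class HrRecord:
    user_id: str
    end_date: Optional[date]  # None while the person is still employed


@dataclass
class IamAccount:
    user_id: str
    enabled: bool
    mfa_enabled: bool
    privileged: bool            # admin or data-owner role
    last_login: Optional[date]  # None if the account has never logged in


# Constructed sample data standing in for an HR export and an IdP export.
HR_ROSTER = [
    HrRecord("alice", None),
    HrRecord("bob", date(2023, 1, 31)),   # left the firm in January
    HrRecord("carol", None),
]
IAM_ACCOUNTS = [
    IamAccount("alice", True, True, False, date(2023, 4, 3)),
    IamAccount("bob", True, False, True, date(2023, 3, 20)),       # leaver, still enabled, privileged, no MFA
    IamAccount("carol", True, False, False, date(2022, 11, 1)),    # no MFA, not seen for months
    IamAccount("svc-backup", True, True, True, date(2023, 4, 1)),  # no matching HR record
    IamAccount("dave", False, False, False, None),                 # disabled: carries no access
]

Finding = Tuple[str, str, str]  # (user_id, check, severity)


def reconcile(hr: List[HrRecord], accounts: List[IamAccount], today: date,
              dormant_days: int = 90) -> List[Finding]:
    """Return findings for every enabled account; privileged accounts rank 'high'."""
    roster = {r.user_id: r for r in hr}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # nothing to review: a disabled account cannot be used
        severity = "high" if acct.privileged else "medium"
        rec = roster.get(acct.user_id)
        if rec is None:
            findings.append((acct.user_id, "no_hr_record", severity))
        elif rec.end_date is not None and rec.end_date < today:
            findings.append((acct.user_id, "leaver_active", severity))
        if not acct.mfa_enabled:
            findings.append((acct.user_id, "no_mfa", severity))
        if acct.last_login is None or today - acct.last_login > timedelta(days=dormant_days):
            findings.append((acct.user_id, "dormant", severity))
    # Highest severity first so the review queue starts with privileged access.
    findings.sort(key=lambda f: (f[2] != "high", f[0], f[1]))
    return findings


def run_sample() -> List[Finding]:
    """Run the reconciliation over the constructed data as at 10 April 2023."""
    return reconcile(HR_ROSTER, IAM_ACCOUNTS, date(2023, 4, 10))


if __name__ == "__main__":
    for user, check, severity in run_sample():
        print(f"{severity:6} {user:12} {check}")
```

In practice the two inputs would come from the HR system and the identity provider's account export, and the findings would feed the access-review queue rather than being printed.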
By implementing these components, organisations can effectively manage cyber risks and protect against cyber threats.

We have therefore seen that the information age is characterised by information technology-related risks. The priority in the management of these risks is to build secure and resilient IT systems, with insurance playing a complementary role. The use of artificial intelligence to model the impact of cyber risk on the cash flows of firms is growing.

AM-PS (Reviewed April 2023)
