US legislators want firms to have ethical hackers to carry out tests on their own security


At a time when cyber fraud and espionage are reaching epidemic levels, insurers urgently need to learn to quantify the rising level of risk their clients face from corporate cyber fraud, according to KCS Group chief executive Stuart Poole-Robb.

Lloyd’s Risk Index 2013 lists cyber-crime risk as now being the world’s number three risk overall. According to research company CapGemini, cyber crime costs the UK economy alone around £27bn per year. Approximately 80% of this cost, £21bn, is borne by British companies.

The US connection

In the US, legislators are moving towards compelling organisations to appoint independent ethical hackers to carry out at least one, and maybe more “penetration tests” each year to prove the robustness of  IT systems. Penetration tests involve using an independent and reputable adviser to test an organisation’s IT security to the limit.

While the same rules may not yet apply to UK-based organisations, they will also soon find themselves obliged to commission penetration testing for their own systems if they intend to do business with US firms. Any US company wary of potential IT breaches would need to ensure that organisations with any level of access to its communications  network do not represent a vulnerability. US companies will expect partner organisations, service providers and even some clients to show proof that their communications networks have been thoroughly tested and been found secure.

Companies in the UK may also soon find that they will be obliged to carry some form of cyber insurance in order to fulfil basic liabilities in the event of cyber crime. The European Commission intends to introduce new General Data Protection Regulation, which will mean organisations that lose or have personal data stolen through a cyber-security breach, such as a hacking incident, will have to notify not only the data regulator but also the data subjects whose privacy may have been compromised.

The insurance industry in the UK, therefore, will soon have to grasp the nettle and try to assess the full scale of what is a worsening problem. In the US, cyber crime gained an early foothold and has now reached epidemic proportions, with annual losses now measured in trillions of dollars.

And while wealthy institutions such as banks have the most to lose, no organisation is immune and many companies are now seeing their very survival being put at risk by cyber crime. This means insurers will increasingly need to take into account of the robustness and security of a business’s IT when covering it for other eventualities.

Firms face heavy price for data breach

Insurers in the US have already been rudely woken up to the fact that struggling small to medium sized businesses can be wiped out entirely by even a relatively small cyber-breach. According to the Ponemon Institute, the average out-of-pocket cost to a company experiencing even a small breach, involving under 100,000 records, is $2.4m, with an additional $3m being the average lost revenue.

This is a result of the vast amount of sensitive data companies now routinely store on their servers and communications networks. This can be customer information, unique business processes, industry intelligence and other data stored on the organisation’s servers. It is precisely these digital assets which are most at risk from cyber fraud, organised crime and cyber espionage carried out by business rivals or, in some cases, foreign governments.

For example, KCS advised a UK-based company within a particularly competitive and sensitive sector of industry. During a period of re-financing with a view to a possible sale, the organisation suffered a covert cyber attack by a competitor and possible buyer attempting to steal all its proprietary intellectual property and proprietary ‘know-how’ at an early stage of the negotiations.

However, some insurers are already starting to quantify cyber risk to an extent where they are able to offer concrete policies based on solid calculations of what a cyber attack might cost a particular organisation. Chubb, for example, offers a combination of third-party liability insurance and optional first-party protection.

Third party cyber insurance includes: lawsuits alleging unauthorised access of private information; copyright infringement, reputational injury and impaired access injury, including suits arising from system security failure resulting in a client’s systems being unavailable to their customers.

First party cover includes: the cost of data recovery; notification to customers of a suspected data leak; loss from business interruption; crisis management expenses and extortion expenses, including the cost of a professional negotiator and ransom payment.

It is, however, difficult to predict the kind of losses that could result from, for example, when a business’s entire system is taken out or the company is subject to extortion.

There are also concerns that the perceived possibility of a ‘cyber hurricane’, a concerted and sustained attack on a developed country’s IT infrastructure by a hostile foreign government or terrorist group, could make reinsurance problematic as few reinsurers would wish to bear the brunt of the incalculable costs of an IT meltdown.

ACE swings into action

For this reason, some insurers are putting a cap on the kind of cover they are prepared to offer. Insurer Ace GPS, for example, shares costs of up to £10m on first party liability and £5m on third party.

But insurers cannot afford to write policies on companies whose IT security may be poor or nonexistent. It is therefore vital, both from the point of the insurer and that of the company being insured, that the organisation concerned has secured its IT infrastructure as far as it is able.

This typically involves safeguards such as carrying out due diligence on key employees who may have access to sensitive data and ensuring that staff do not have access to sensitive data or passwords while using personal devices they have acquired such as smart phones.

Another essential precaution is penetration testing of a company’s IT systems to reveal weaknesses that could be exploited by a hacker.