The ‘Data Covenant’: Cyber Risk & Reputation Damage
Article – July 2016
Reputation losses from cyber incidents can be significant but can also be mitigated with the right risk management strategy and an understanding of potential exposure.
Commentators often claim that we are in the midst of a new industrial revolution. However, if that is the case, the current industrial revolution is fundamentally different from the one that fills the pages of history textbooks. In the 18th and 19th centuries, it was all about tangibles: people making things. Fast forward to the 21st century and intangibles are the name of the game. Change is driven not by our manufacturing ability but by our access to and use of ever-increasing amounts of data.
We now live in a world where Uber, the world’s largest taxi company, owns no vehicles, and where Facebook paid $22 billion for a mobile messaging application, WhatsApp, that had generated only $10.2 million in annual revenue but had a growing user base of more than 400 million active users. Data is at the centre of this new world and this is fundamentally changing the nature of modern business. Our increasing reliance on data has opened many doors for modern businesses but also exposes them to new risks. Reputation losses from cyber incidents – when the data we rely on is lost, made inaccessible or compromised – can be significant but can also be mitigated with the right risk management strategy and an understanding of potential exposure.
The term ‘cyber’ means different things to different people, complicating any discussion of cyber risk. However, at its simplest, ‘cyber’ means data and the IT infrastructure that stores and processes it.
Cyber incidents negatively impact business in several ways. Firstly, breaches of cyber security can lead to physical damage. A famous example of this comes from June 2010, when it was discovered that Stuxnet, a 500-kilobyte computer worm, had infected the software of a uranium-enrichment plant and at least 14 other industrial sites in Iran. The worm gained access to the control systems of the fast-spinning centrifuges at the uranium plant, causing them to fail at an unprecedented rate. Another example comes from Germany, where hackers manipulated and disrupted the control systems of a steel mill so that a blast furnace could not be properly shut down. According to a report by Germany’s Federal Office for Information Security, the hackers gained access to the steel mill through the plant’s business network via a spear-phishing attack and worked their way into production networks to access systems controlling plant equipment – resulting in “massive” damage.
Cyber incidents also include systems failures and software upgrade issues which create an inability to process data. An example of this can be found close to home: in January this year, a technical glitch in the implementation of a fare increase by Transport for London meant passengers were unable to use their Oyster cards, so barriers were left open at stations around London for about three hours, leading to around 100,000 free train and bus journeys and £250,000 in lost fares.
Finally, there are data breaches where customers’ personal information is ‘stolen’ by hackers. In 2014, JP Morgan Chase revealed that the names, addresses, telephone numbers and emails of 76 million households had been compromised as a result of a cyber-attack.
Data is a target for cybercrime for the simple reason that it has a cash value. In an ironic incident from May this year, Nulled, a popular marketplace for stolen account details, was itself hacked, compromising the email addresses and personal messages of more than 470,000 of the site’s members. Incidents like this underline the value of data to those with criminal intent.
The Eleventh Commandment – A Data Covenant?
With all the data that is out there and all the alarming examples of breaches of data security in the media, public and consumer attitudes have shifted. Society has formed what I call a ‘Data Covenant’, an unwritten rule about modern life. People now accept that there is a vast amount of data about them controlled by corporates that needs to be protected. Companies are seen as being responsible for protecting this data and failure to do so is perceived to be a breach of this ‘Covenant’ that can lead to substantial reputational damage and loss of trust. The trouble for the insurance industry is that quantifying reputational damage can be a more complicated process than quantifying physical damage and assessing traditional business interruption claims.
Data Loss – What Drives the Business Interruption?
Cyber incidents can cause significant business interruption. In particular, a breach of cyber security has the potential to lower the estimation in which a business is regarded and this reputational loss can, in turn, lead to lost revenues over a prolonged period.
The extent of reputational losses as a result of cyber incidents is determined by a number of factors. In short, it’s all about context. A big factor is the sensitivity of the customer base. The public in the US is becoming increasingly immune to data breach incidents due to the greater number of reported cyber events that have occurred there compared with the UK or Europe.
The level of sensitivity in Europe will likely be increased by the implementation of the EU-wide data protection framework, the General Data Protection Regulation or GDPR, which will come into force in 2018. With the change in notification requirements of a data breach and potential fines, cyber incidents will likely have a higher profile than is currently the case and, as a result, the reputational impact may be more significant.
Cyber events can impact revenues in a number of ways and with a lasting effect.
In the recent case of the hacking of the personal details of almost 157,000 Talk Talk customers, revenue losses were likely to have resulted from customers leaving immediately post breach, customers leaving at the end of their contract, a reduction in new customer enquiries and a reduction in the rate of conversion of enquiries into contracts.
If contracts typically last a number of years or are renewed annually, losing one customer can affect revenues over a number of contract cycles.
The consequences of a cyber incident are, therefore, far reaching and complicated to calculate, necessitating a large degree of specialist expertise.
Although cyber events can be significantly damaging to a company, effective risk management can mitigate cyber risk. Companies need to ask themselves four key questions, namely ‘what data do I hold?’, ‘where do I hold the data?’, ‘what happens if a data breach occurs?’, and ‘what happens if I cannot use my data?’ By understanding the risks that it is faced with, a company can ensure that it has taken the necessary steps to protect its business, including ensuring that it has adequate insurance cover.
As data becomes more and more integral to our modern economy, cyber risk will become an increasing concern. However, with the right risk management, companies can fully understand their potential exposure and so know what steps they need to take to mitigate this risk.