What is the role of cyber insurance in data protection?
INTRODUCTION
Cyber risks – an unavoidable reality
As our world becomes ever more digitalised and data-driven, cyberattacks and data security breaches have surfaced as prominent threats to businesses and individuals. This has rendered the conduct of business more complex by necessitating the urgent adoption of new cybersecurity and data protection measures.
Increase in regulatory requirements
Businesses also face increasing scrutiny from regulatory authorities, with the introduction of various cybersecurity and data protection standards in recent years. It is therefore important for businesses to keep abreast of this evolving legal regulatory framework and to acquaint themselves with the measures they need to take to navigate the digital landscape successfully.
Businesses seeking to further minimise their exposure to cyber risks have turned to purchasing cyber insurance, a market that has grown markedly in recent years as awareness has increased of the liability that can arise from data loss or leakage through security breaches.
WHAT IS CYBER INSURANCE?
Mitigation against losses from cyber incidents
Cyber insurance helps businesses to mitigate losses arising from risks in the use of information and communication technology (ICT), electronic data and the Internet that compromise the confidentiality, availability or integrity of data or services[1]. These include risks arising from incidents such as cyberattacks, denial of service attacks, cyber extortion, malware intrusion, data breaches, system malfunctions and so forth (all referred to collectively and loosely as ‘cyber incidents’ in this article).
Losses sustained from the occurrence of cyber incidents can be first-party or third-party losses.
First-party losses
First-party losses are losses sustained directly by a business as a result of a cyber incident.
These include loss of or damage to company data, costs of data recovery, loss of income due to business interruption/disruption, cyber extortion losses, and crisis management and resolution expenses.
Third-party losses
Third-party losses, on the other hand, are losses sustained indirectly by a business. These occur when a business incurs liability to third parties as a result of a cyber incident.
These include product liability or professional services claims brought by third parties against a business for losses that these third parties sustain as a result of a cyber incident.
WHY IS CYBER INSURANCE RELEVANT TO MY BUSINESS?
Generally, the main purpose of an insurance policy is to allow a business to transfer the risk of the occurrence of certain contingent events to an insurer, in exchange for the payment of a premium. In the same vein, cyber insurance serves as a form of risk management against cyber risks, by softening the direct financial impact of a cyber incident on businesses.
Traditional insurance policies may not cover cyber risks
Traditional commercial insurance policies that a business has may not be adequate to address cyber risks.
Commercial general liability insurance policies usually exclude losses arising from cyber incidents (e.g. via an ‘electronic data exclusion’).
Traditional errors and omissions (E&O) insurance policies cover only third-party losses and not first-party losses, which tend to arise more frequently out of cyber incidents.
Cyber insurance coverage therefore helps to plug the gaps in traditional insurance policies in mitigating the risks of conducting business in a digital economy.
Cyber incidents are a matter of not ‘if’ but ‘when’
Businesses are caught between the twin pressures of increasingly sophisticated cyber threats on one front and growing regulatory scrutiny on the handling of personal data on the other.
We have to come to grips with the reality that the occurrence of a cyber incident may no longer be a question of “if” but “when”.
In this new reality, the further question that businesses need to answer urgently is not “whether” they need cyber insurance, but “how much” cyber insurance coverage is required and “which forms” of cyber incidents are most likely to arise in their particular field of activity.
Cyber incidents happen to organisations small, medium and large
This is underscored by the fact that even big players such as MNCs, large organisations, public institutions and governmental agencies are not immune to cyber incidents, despite arguably having the resources to implement more effective preventive measures.
To illustrate, major cyber incidents in recent history include the SingHealth[2] data security breach in which the personal data of 1.5 million people were illegally accessed and copied, the leakage of the personal data of 800,000 blood donors held by the Health Sciences Authority[3], the compromise of employee login information in several government agencies and educational institutions, including the Government Technology Agency (GovTech), Ministry of Health, Ministry of Education, Singapore Police Force and National University of Singapore[4], and Facebook’s security breach in 2018 which allowed hackers to take over nearly 50 million user accounts[5].
While the sheer volume and value of data held by larger organisations and government agencies may make them a natural target for cyberattacks, cyber risks are not any less real for private small and medium enterprises (SMEs).
More than half of the SMEs surveyed in Singapore reported having experienced some form of cyber attack or error in the past year[6].
Due to the increasing value of data in the global digital economy (data has been described as a more valuable commodity than oil[7]), substantial amounts of personal data are also being collected by SMEs and start-ups, making them attractive targets for cyber attacks as well.
Internal failures to blame for many cyber incidents
Security breaches are not only caused by the acts of malicious third parties. Frequently, internal factors are to blame: lack of vigilance or negligence by employees, and failure by management to identify or anticipate weaknesses in data security protocols.
As a grim illustration of this point, one need only refer to the long list of companies that have been fined by the Personal Data Protection Commission[8] for various internal failings and human error, and to the recent accidental disclosure by IKEA Singapore[9] of 410 customer email addresses.
Coupled with the rising trend of businesses allowing their employees to work remotely, accessing company data over public Wi-Fi networks, and the growth of the gig economy, ‘internal’ members such as employees, freelancers and agents may well be a business’ ‘weakest link’ when it comes to issues of cybersecurity.
Both prevention and mitigation crucial
Businesses need to consider adopting a multi-pronged approach, combining preventive and mitigative measures, to minimise their liability arising from exposure to cyber risks.
While preventive measures seek to avert the risk of a cyber incident from occurring in the first place, mitigative measures (such as cyber insurance) aim to control or reduce the impact of a cyber incident after it has occurred.
WHAT SHOULD I DO BEFORE BUYING CYBER INSURANCE?
Just as there is a wide variety of cyber incident types, there is also a broad range of cyber insurance offerings available in the market.
Factors affecting level of cyber risk exposure
The level of exposure of a business to cyber risks depends on several factors, such as the amount of personal data handled by the business, the sensitivity of such data, the size of the company (and therefore the number of employees handling the data and corresponding risk of human error), the extent to which information systems are used in the company or incorporated in products and services offered by the company, and the external accessibility of data through internet connections.
Internal cyber risk assessment
Before committing to a cyber insurance policy, it is prudent to first conduct an internal cyber risk assessment for your business.
In order to make a proper selection of a cyber insurance policy, and to calibrate the amount of insurance coverage, you will first need to identify, understand and prioritise the risks that need to be covered in the context of your business.
A cyber risk assessment can be undertaken internally by suitably qualified personnel with the active participation of all stakeholders, and preferably with the assistance of qualified professionals such as lawyers and cybersecurity advisors.
Typically, an internal risk assessment exercise involves:
- evaluating the extent of exposure of the business to various cyber or data-related risks;
- identifying potential cybersecurity vulnerabilities;
- prioritising identified risks;
- reviewing existing business insurance coverage to identify gaps or areas of overlap; and
- assessing the potential impact of a cyber incident by running simulations.
From a liability perspective, the impact on the company of cyber incidents affecting third parties which have business relationships with the company (such as customers, vendors and suppliers) should also be taken into consideration.
Risk management plan
The resulting report from the internal risk assessment exercise should be used as the basis for formulating a comprehensive risk management plan comprising a combination of preventive, corrective and mitigative measures tailored for your business. Ideally, this risk management plan should be reviewed and updated periodically to account for changes in the business environment, advancements in technology, changes in the law and, of course, new threats from cyberspace.
All too often, businesses treat cyber risks as just an “IT problem” to be dealt with by the appropriate team. In reality, effective risk management requires a more holistic approach, having regard not only to technical considerations, but also to legal and commercial ones.
Legal remediation
For example, to address risks or gaps identified in the internal risk assessment report, your lawyers may recommend amendments to terms in your business’ standard contracts to ensure alignment with data protection laws and to properly allocate cyber risks in commercial transactions. They may also recommend and assist in the preparation of internal cybersecurity and privacy policies, as well as propose changes in the data collection, processing and storage practices of your business.
Some of these changes will require the technical assistance of your IT professionals, who should also be able to recommend and advise on industry best practices for information security.
Lastly, it should be acknowledged that where there are risks which cannot be completely eliminated by the adoption of reasonable preventive and corrective measures, your business will have to put in place mitigative measures to cope with the occurrence of a cyber incident, including implementing cyber incident response and business continuity plans, and purchasing cyber insurance.
WHAT ARE SOME KEY POINTS TO NOTE ABOUT MY INSURANCE POLICY?
Scope of coverage
The scope of coverage under your insurance policy will directly affect what claims your business can make in respect of a cyber incident. It is therefore important to scrutinise the terms of the insurance contract to ensure that the insurance policy provides the coverage desired, as determined by your internal risk assessment report.
Where there is ambiguity or lack of clarity, it is advisable to get the insurer to provide worked examples of exactly what is covered under a particular policy, or to highlight to the insurer the particular risk which is an area of concern, in order to customise the coverage to better suit the requirements of your business.
Some important considerations include the following:
Is it a stand-alone policy or a rider?
Generally speaking, while all policies and riders that cover cyber risks are loosely referred to as ‘cyber insurance’, a stand-alone policy is likely to offer more comprehensive coverage than a rider added on to an existing policy.
Are first-party losses covered? Can costs of crisis management be claimed?
Once a cyber incident has been discovered, the affected business will need to notify the relevant authorities where notification is required, conduct investigations into the circumstances surrounding the incident and produce an investigation report to account for the cyber incident to the authorities. At the same time, the business will need to plug any internal gaps that led to the occurrence of the cyber incident.
Proper crisis management and response frequently requires the engagement of costly professional expertise on an urgent basis. This includes the deployment of data recovery and cybersecurity experts, forensic investigators, public relations specialists and even lawyers, all of whom may need to work around the clock after the cyber incident to minimise further risk exposure or damage to the business and to contain the legal and commercial fallout.
The professional fees involved in assembling these consultants on short notice for damage control and disaster mitigation can quickly stack up. Ill-prepared businesses may find their very survival at risk from such hefty expenses, in addition to the direct liability arising from the cyber incident itself. As such, it is important to consider whether the policy you are considering covers such first-party losses, and under what circumstances such losses can be claimed.
Is access to crisis management support provided?
Apart from covering the costs of crisis management, many cyber insurance products also provide access to service providers who can assist a business in responding to cyber incidents.
These include lawyers who can advise on relevant disclosure or notification requirements at law, forensic investigators to investigate the cause and extent of the security breach and to assist in breach containment, and public relations companies to manage reputational risk and handle communications with affected customers, business partners, and the press.
For businesses which have limited experience or in-house capability for crisis management, having access to experienced service providers can help them navigate the confusing and often overwhelming aftermath of a cyber incident. Timely expert assistance can help reduce the overall level of loss and prevent further damage from occurring.
Are non-cyber data risks covered?
Data breaches can also result from the poor or improper handling of data in physical (rather than electronic) form (such as physical mail delivered to the wrong addressee). Despite its name, a cyber insurance policy may not be limited to the coverage of cyber risks but may also (depending on the insurer and the policy) cover data breaches generally whether they arise via technological interfaces or physical means. This expanded scope of coverage would naturally be preferable.
Are acts of employees covered?
Data breaches are often caused by either a rogue or a negligent employee. Businesses with greater numbers of employees naturally face correspondingly greater risk exposure in this regard, and should ensure that the insurance coverage extends to acts by employees, whether negligent or malicious.
Is worldwide coverage and support provided? Are group companies covered?
Businesses with a regional or worldwide presence should ensure that the insurance policy they purchase not only provides worldwide and group coverage, but also that the insurer has reputable and experienced network partners which can be activated for crisis management in the relevant jurisdictions and in a timely manner.
To maintain standards and ensure that the business is equipped to comply with its legal obligations as soon as a breach occurs, you should examine the service levels promised by the insurer, to ensure that your business and its group companies receive a minimum level of acceptable service from the insurer and its network partners regardless of where the cyber incident occurs.
Can the insurance policy be customised?
Although cyber insurance policies offered by insurers will fall into certain defined ‘types’ for practicality and ease of marketing, this does not mean that a ‘one-size fits all’ cyber insurance policy will be suitable for your business. If necessary, policies may have to be tailored for your business, or you may need to consider a combination of different policies and riders to achieve the protection necessary to safeguard your business.
Period of coverage: are past acts included?
Claims can only be made on an insurance policy in respect of acts, errors or omissions which occur after the policy’s ‘retroactive date’ i.e. claims cannot be made in respect of incidents which arose before the retroactive date.
‘Unlimited retroactive date’
However, many cyber insurance policies provide an additional option for the purchase of an ‘unlimited retroactive date’ at a higher premium. This will allow an insured party to make a claim under the policy in respect of an act, error or omission, regardless of when it occurred.
Legacy risks
If your business has been in active operation for many years, and there is a possibility that incidents may have occurred in the past which may give rise to potential claims in the future, you should consider obtaining a policy with unlimited retroactivity, or at the very least, specify a retroactive date that predates the inception of your policy. Otherwise, losses arising from incidents pre-dating your policy’s specified retroactive date cannot be claimed under the policy and would be unrecoverable.
The prevalence of APTs
The relevance of the retroactive date is particularly pertinent since many cybersecurity breaches are only discovered weeks, months or even years after the initial security compromise occurred. Such is the case for Advanced Persistent Threat (APT) attacks – an increasingly common and sophisticated form of cyberattack in which an attacker gains unauthorised access to a computer network and maintains a covert foothold for a prolonged period of time, conducting reconnaissance and moving laterally within the network, before eventually striking.
An example: SingHealth data breach
As a case in point, an APT was responsible for the massive data breach in the recent SingHealth episode[10], where the APT actor took many calculated steps to remain undetected by the detection mechanisms SingHealth and Integrated Health Information Systems (IHiS) had put in place until it had managed to infiltrate the SCM (Sunrise Clinical Manager) database, which contained the personal data of over 5.01 million unique individuals, whereupon the personal data of almost 1.5 million unique individuals were exfiltrated[11]. While the Personal Data Protection Commission (PDPC) accepted that the APT actor had employed “sophisticated and novel tactics, techniques and procedures” in the cyberattack[12], it nevertheless found that the security steps and arrangements in place were “insufficient”[13]. Accordingly, SingHealth and IHiS were fined S$250,000 and S$750,000 respectively for the breach of their data protection obligations under the Personal Data Protection Act 2012 (No. 26 of 2012).
Fines may not be claimable
Many business owners are under the misconception that reimbursement for fines comprises the bulk of cyber insurance payouts. In practice, however, insurers may not process claims from insured parties in respect of fines imposed by regulatory authorities.
As a matter of public policy, fines imposed as a result of intentional wrongdoing by an insured party will generally be unrecoverable as they would be tainted by illegality[14]. The rationale behind this exclusion is that allowing an insured party to insure and recover the cost of regulatory fines under an insurance policy would remove the deterrent and/or punitive effect of such fines. Further, as a matter of insurance law, an insured party would not generally be allowed to recover losses stemming from its intentional acts or omissions. Otherwise, it would be open to abuse by unethical businesses seeking to defraud insurers.
There is some uncertainty at law as to whether, under certain circumstances, data protection or cybersecurity breaches that are less ‘morally culpable’ can be classified as ‘strict or no-fault liability’, and therefore be insurable. Until the position at law is clarified, however, businesses should note that if any fines are imposed by the authorities in respect of data breaches, they are unlikely to be able to look to their insurance policies for reimbursement.
Your duty of disclosure
A duty of disclosure is owed by the insured party to its insurer at the time of entering into the insurance policy. Generally, an insurer that discovers a material non-disclosure is entitled to avoid the policy ab initio, i.e. to treat it as if it had never existed. Cyber insurance is no different, and the extent of disclosure provided by the insured party helps insurers to assess the scope of risks intended to be insured against and decide on the appropriate exclusions if necessary.
An insured party cannot rely on questions in standard insurance application forms to elicit all material information that it is expected to disclose. The onus lies on insured parties to be forthright and to disclose to their insurers all material information which they know or ought to know could affect the insurer’s assessment of risk under the contemplated policy. This is to prevent the insurer from voiding the policy at a later time as a result of the insured party’s non-disclosure of a material fact.
CONCLUSION
Business survival
In this digital age, cybersecurity and data protection have become forefront issues that businesses must address. Without proper measures in place, businesses face losing consumer confidence and can even suffer significant financial losses and penalties should customer information and confidentiality be compromised. Further, given the extensive ‘clean up costs’ associated with cyber incidents, continued business survival may be challenging for smaller businesses after a cyber incident.
Risk prevention
It is therefore crucial that businesses adopt a holistic and comprehensive approach to mitigating cyber risks. Business owners need to ensure that they have the necessary legal safeguards, compliance procedures and documentation in place to ensure compliance by all relevant parties with their obligations relating to cybersecurity and the handling of confidential or personal data. Such parties could be internal parties such as employees, agents or contractors, or external parties such as service providers. Businesses must account for every person whose contact with their data or IT systems could expose them to a cyber incident. Where possible, minimum standards must be imposed on third parties, and the risks of breaches allocated to them on a fault basis by way of contractual disclaimers and indemnities, for example.
Risk mitigation
At the same time, cyber insurance also has an important role to play in mitigating the risks and impact of a cyber incident. The right cyber insurance policy, properly customised for a business, can act as a safety net where, despite a business’ best efforts, a cyber incident has occurred, by helping to mitigate the resulting losses and the costs of meeting its regulatory obligations (bearing in mind that regulatory fines themselves are unlikely to be claimable).
Choose wisely
While this article highlights some key points to consider when selecting a cyber insurance policy, these should not be taken as exhaustive. Due to the variety of cyber insurance policies available on the market, as well as the fact that cyber insurance is a relatively new product, substantial variation in the scope of coverage offered by different policies can be expected. Businesses would do well to scrutinise the finer terms and conditions of each policy in consultation with independent legal and insurance professionals before committing to one.
References
[1] See definition by the Geneva Association in “Ten Key Questions on Cyber Risk and Cyber Insurance” (November 2016) which defines cyber risk accordingly.
[2] https://www.straitstimes.com/singapore/singapores-privacy-watchdog-fines-ihis-750000-singhealth-250000-for-data-breach
[3] https://www.straitstimes.com/singapore/health/800000-blood-donors-personal-data-accessed-illegally-and-possibly-stolen-police
[4] https://www.straitstimes.com/singapore/compromised-log-ins-passwords-from-several-govt-agencies-on-sale-online-says-russian-cyber
[5] https://www.channelnewsasia.com/news/technology/facebook-security-breach-hacking-user-accounts-10770458
[6] https://www.businesstimes.com.sg/sme/over-half-of-smes-in-singapore-have-experienced-a-cyber-error-or-attack-last-year-poll
[7] https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data
[8] https://www.pdpc.gov.sg/Commissions-Decisions/Data-Protection-Enforcement-Cases
[9] https://www.straitstimes.com/singapore/ikea-says-sorry-for-customer-data-breach
[10] See generally Singapore Health Services Pte Ltd & Ors [2019] SGPDPC 3.
[11] Singapore Health Services Pte Ltd & Ors [2019] SGPDPC 3 at [139].
[12] Singapore Health Services Pte Ltd & Ors [2019] SGPDPC 3 at [100].
[13] Singapore Health Services Pte Ltd & Ors [2019] SGPDPC 3 at [134].
[14] By application of the ex turpi causa doctrine.
This article was written by Wan Li Seow, Head of IP and Technology at Xavier & Associates LLC. A version of this article was first published on Asia Law Network and edited by Yun Wen Soh from Asia Law Network.
This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to a practising lawyer in your jurisdiction. Asia Law Network, Xavier & Associates LLC and their respective members, partners, shareholders and consultants do not accept or assume responsibility, and shall not have any liability, to any person in respect of this article.