
Data Breaches and How the Cyber Insurance Would Respond


By Damy K. Nugraha | November 9, 2020

This article shows that cyber risk has now become an emerging risk in Indonesia that stakeholders need to treat as one of their top priority risks.

According to the Willis Towers Watson cyber claims analysis report (claims reported by clients from 2013 to December 2019, nearly 1,200 claims from nearly 50 countries), data breaches are the most frequently reported losses and carry the largest total associated costs. Malicious data breaches carried out by third parties (as opposed to accidental data breaches by the company itself or malicious breaches carried out by rogue employees) are the most frequently occurring and most expensive type of data breach loss.

There is a huge variation in the size of data breach losses that we see, ranging from a single data subject to over a million impacted records. Whilst claims in this area are clearly divergent, the following can be discerned:

  1. The mean number of breached records per claim is over 693,000, whilst the median is much lower at 135.
  2. Nearly one in ten breaches involved more than 20,000 records.
  3. From our analysis, the direct event cost per breached record is $7.95.

Data Breach Loss Event

Overall, data breaches are the most frequently reported losses and have the largest total amount of costs associated with them.

Business disruption and ransomware events have a high average severity. There has been a very noticeable increase in ransomware events in 2019. This low investment, low risk and high reward method of cybercrime has the added benefit to the criminals of the anonymity provided by receiving ransom payments in their chosen cryptocurrency.

Social engineering frauds are no longer just aiming to obtain funds via fraudulent transfer instructions. This method is now also being used to divert salary payments and fraudulently obtain tax data on employees. However, the most frequently notified social engineering event is still that of impersonation of a vendor/supplier.

Data breaches: in-depth analysis

Data breaches come in many different forms, from sending e-mails with client details to unintended recipients, to hackers infiltrating systems to obtain payment card information. The figure below shows how these different types of losses rank in terms of frequency and severity.

Data breaches – number of records

From our analysis, the direct event cost per breached record is $7.95. When the breach involves a higher number of records there are economies of scale (due to many crisis management and investigation costs being more fixed in nature) which reduce the costs per record significantly.

Data Breaches Incident in Indonesia

There have been several data breach incidents in Indonesia that negatively affected stakeholders. According to a CNN report, more than 5 massive data breach incidents have occurred in Indonesia, including a breach of COVID-19 patient data, a breach of election voter data, and several breaches in the e-commerce sector. Most of these incidents were the result of hackers infiltrating systems. The stolen data mostly consisted of user IDs, email addresses, full names, dates of birth, genders and mobile phone numbers, including hashed passwords.

How Big Are the Company's Financial Losses When a Data Breach Occurs?

  • When a data breach occurs, an investigation by an external IT Forensics Team will be required
    When a data breach occurs, the company must immediately take action to understand the cause, scope and overall impact of the breach with the assistance of IT Forensic experts. For this reason, every company should have an "incident response plan" to help IT staff detect, respond to and recover from cyber security incidents, and involve external expertise when necessary. The complexity and the magnitude of potential losses must be minimized immediately by the forensic IT team. Sufficient budgetary resources should be set aside for these events, particularly if the company wants to use a “Big Four” IT Forensic firm such as Mandiant or KPMG.
  • Fulfillment of obligations towards law enforcement in Indonesia
    When a data leak occurs, the Company is required to respond to any requests for information by the Regulator which will likely include providing information regarding what occurred, the scope of data loss, and steps taken so far to mitigate damage.

    The results of investigations from the IT Forensics team can support the Company's legal team in complying with an investigation. Failure to comply with government regulation may result in verbal warnings, financial penalties, or the complete shutdown of business operations.

    The Company will require the assistance of professional legal services to understand their immediate legal obligations when a data breach occurs. Errors in the fulfillment of reports and non-cooperation of the company in providing explanations and compliance with regulations may lead to fatal consequences such as the closure or suspension of the Company's operations.
  • Third party claims such as clients, competitors, shareholders, etc.
    Accidental or malicious data leaks may result in lawsuits from third parties who feel they have been negatively impacted by the event. Such third parties may allege that the company failed to implement sufficient network security, which resulted in the data breach (for example, a hacked password leading to the illegal use of credit cards). This cost will usually be far greater than the initial incident response expenses, as the company may need to defend itself (with the help of a third-party law firm) against such allegations in a court of law and pay any settlements if required. With class actions possible in Indonesia under several types of legislation, including the Consumer Protection Law, companies can find themselves liable to reimburse a large group of people for the losses they have incurred.
  • Damage to the Company's reputation
    In some cases, companies will be unaware they have been impacted by a data breach until it is discovered on a public forum. Negative publications from the media can have a significant impact on the response from the public and may cause substantial damage to consumer trust and perceptions which may have taken years to build.

    The role of the Company's Communications Team is to help reduce the negative response by making an official statement or apology that can restore the Company's reputation. In order to minimize negative news, collaboration with other professional and experienced Public Relations experts is needed to help restore the Company’s reputation.
  • Other costs
    Companies will need to prepare a budget to notify their customers of the data breach, set up a call center, and issue letters of apology. Other costs, such as compensation or gifts intended to restore trust, may be budgeted for if necessary. If the IT forensics investigation discovers that the company had weak IT security in place, improvements may be required in order to comply with regulation and prevent the event from recurring.

    The above points outline the baseline costs associated with a cyber incident and while these may seem negligible, they can rapidly escalate. The worst-case scenario would be for the company to go bankrupt due to the diminished reputation and loss of trust from customers, or due to its operations being closed by the government either temporarily or permanently (because it cannot meet regulatory standards).

How can Cyber Insurance help?

Potential losses from cyber events can be measured and minimized using risk management strategies (Avoid, Reduce, Transfer, or Retain the risks). Cyber Insurance (i.e. Risk Transfer) is one tool that can help the Company manage a data breach or network outage that could cause a catastrophic financial loss too large for the company to retain itself. Cyber insurance can also provide organisations with peace of mind that they will be able to respond to and recover from a cyber incident effectively and efficiently. Indeed, cyber insurance can provide the following benefits during a data breach incident:

A Breach Response Manager will be appointed immediately to understand the nature and details of the incident. This is commonly a law firm so we can establish legal privilege over the Claim from the very outset. The Breach Response Manager will, subject to the agreement of the Company and/or insurers, mobilise the members of the investigation team (including representatives of the Company) and begin the implementation of the Response Plan. Depending on the incident, and subject to the agreement of insurers & the Company, this may involve:

  1. Engaging IT forensics and other technical support to determine the cause of the cyber incident and to immediately commence preservation of all relevant operating logs;
  2. Determining what, if any, immediate actions need to be taken to mitigate the incident losses or extent of the losses;
  3. Engaging other third-party service providers including public relations firms, forensic accountants and credit monitoring services;
  4. Commencing the process of notifying the regulator and individual customers of the policyholder, as appropriate;
  5. Determining if any public announcement is to be made;
  6. Responding to enquiries of the policyholder;
  7. Considering the reports on the cause of the incident and the findings of the IT forensics team, and advising whether any remedial services are required; and
  8. Assisting the Company to resume business as usual.

All the above costs will be fully covered by the Insurance Company (subject to policy terms and conditions).

How to ensure effective Cyber Insurance protection?

Prior to making a purchase of cyber insurance, companies need to have an in-depth analysis of business risks and exposure. Loss due to cyber risks can be measured qualitatively and quantitatively and a step-by-step approach can be taken to ensure effective risk transfer.

  1. Diagnose organizational capabilities regarding cyber security using the standard cybersecurity frameworks issued by NIST (National Institute of Standards and Technology) or ISO standards.
  2. Evaluate the financial impact of a data breach or network outage on the company, looking at frequency and severity.
  3. Conduct a deeper analysis of cyber risk by creating cyber risk scenarios for the Company, estimating how large the impact would be and how likely each scenario is to occur. At this stage input is needed from Operations, IT, Finance, Legal, Compliance, Risk Management, etc.
  4. To achieve proper and optimal risk transfer through cyber insurance, a company can use insurance brokerage services that combine all the above elements, so that the company can choose the optimal insurance programme and carry out an effective risk transfer.
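As an added worked example (not from the article or from Willis Towers Watson), the following Python script gives step 2 a concrete frequency-and-severity form using the claims figures quoted earlier (mean 693,000 breached records, median 135, nearly one in ten breaches above 20,000 records, $7.95 direct cost per record): it fits a heavy-tailed severity distribution to the mean and median, checks it against the one-in-ten figure, and then estimates the chance that a single event exceeds a given retention and the annual expected direct loss. The lognormal distribution, the flat per-record cost and the 0.5 events per year are modelling assumptions made here; the article itself notes economies of scale for large breaches, so the flat rate deliberately overstates large-breach costs.

```python
import math

# Figures quoted in the article (Willis Towers Watson claims analysis)
MEAN_RECORDS = 693_000      # mean breached records per claim
MEDIAN_RECORDS = 135        # median breached records per claim
COST_PER_RECORD = 7.95      # direct event cost per breached record, USD


def fit_lognormal(mean, median):
    """Fit a lognormal severity distribution to a (mean, median) pair.
    Modelling choice made here, not stated by the article: for a lognormal,
    median = exp(mu) and mean = exp(mu + sigma^2 / 2), which gives a closed form.
    A mean ~5,000x the median forces a very wide sigma, i.e. a fat tail."""
    mu = math.log(median)
    sigma = math.sqrt(2.0 * math.log(mean / median))
    return mu, sigma


def prob_records_exceed(n, mu, sigma):
    """P(breached records > n) under the fitted lognormal (normal tail in log space)."""
    z = (math.log(n) - mu) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def prob_cost_exceeds(limit_usd, mu, sigma, cost_per_record=COST_PER_RECORD):
    """P(direct event cost > limit) assuming a flat per-record cost.
    The article notes economies of scale for large breaches, so this flat
    rate is a deliberately conservative (overstating) assumption."""
    return prob_records_exceed(limit_usd / cost_per_record, mu, sigma)


def annual_expected_loss(events_per_year, mean_records=MEAN_RECORDS,
                         cost_per_record=COST_PER_RECORD):
    """Frequency x severity: expected direct breach cost per year, USD."""
    return events_per_year * mean_records * cost_per_record


if __name__ == "__main__":
    mu, sigma = fit_lognormal(MEAN_RECORDS, MEDIAN_RECORDS)
    print(f"lognormal fit: mu={mu:.2f} sigma={sigma:.2f}")
    # Sanity check against the article's "nearly one in ten over 20,000 records"
    print(f"P(records > 20,000) = {prob_records_exceed(20_000, mu, sigma):.1%}")
    # How often would a single event blow through a candidate retention level?
    for retention in (100_000, 1_000_000, 10_000_000):
        print(f"P(event cost > ${retention:,}) = {prob_cost_exceeds(retention, mu, sigma):.1%}")
    # Constructed assumption: the company expects 0.5 breach events per year
    print(f"annual expected direct loss at 0.5 events/yr = ${annual_expected_loss(0.5):,.0f}")
```

The fitted tail reproduces the article's roughly one-in-ten figure for breaches above 20,000 records, which is a useful check that the mean, median and tail statistics are mutually consistent before they are fed into a retention or limit decision.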

Conclusion

Cyber risk has now become an emerging risk in Indonesia that stakeholders need to treat as one of their top priority risks, since it can significantly affect their business. One cyber risk that may significantly affect the business is data breach. It has been proven: this risk has ruined the business of many companies around the world, including in Indonesia.

Every company needs to consider its current risk management approach and strategy for cyber risks, including protecting its internal and customer data, because data has a high value and should be protected. Having cyber insurance is beneficial for companies even if they already have a strong cyber security team or are highly cyber savvy, since there will still be many gaps, as well as human errors, that can lead to data breach incidents. Those are precisely the risks that need to be transferred to an insurance company.

However, prior to purchasing cyber insurance, companies need an in-depth analysis of their business risks and exposures. Companies should weigh the cost of insurance against its benefit by measuring their cyber risks qualitatively and quantitatively, in order to ensure effective risk transfer. You can contact your insurance consultant or us to discuss your data breach exposures.
