At a glance
- Companies of all sizes are now vulnerable to data loss and cyber attacks
In recent years, there has been an unprecedented rise in data and privacy breaches and many businesses, regardless of size or sector, may experience an incident.
According to the Verizon 2012 Data Breach Investigations Report, there were 855 breaches reported last year, with over 174 million records accessed illegally. In addition, the World Economic Forum Global Risks report notes cyber security is one of the top five corporate global risks.
Cyber criminals use complex malware, worms and RAM scrapers to infiltrate systems or launch denial of service attacks – Verizon’s report indicates that 58% of all activity last year could be tied to ‘hacktivist’ groups.
Taking responsibility is crucial
Organisations face risk when they exchange sensitive information and data with partners, third party vendors, and even their own subsidiaries. Taking responsibility is essential – namely knowing what happens to data, where it is stored, whether it is sold to others, and how it is shared.
Even so, there is no foolproof risk management approach, and risk managers need help in mitigating risk and covering the financial cost of failures. This starts with creating an incident response plan, which is also a useful self-auditing tool and should include:
- system monitoring;
- review of data collection activities and storage;
- employee training and 24/7 response team availability;
- understanding regulatory requirements;
- access to third party vendors;
- communication to affected parties.
Any breach needs proactive management, with remedial action communicated to affected customers. If not, reputational damage and loss of business may occur. This is where the right insurer and cover are vital.
- Fewer than 10% of companies in Europe purchase cyber insurance, feeling a breach is unlikely to happen. Smaller businesses may not install measures such as firewalls and up-to-date anti-virus software, may not ensure that sensitive data is segregated and that network and mobile access is encrypted, and may not have specialised insurance.
- Some traditional property and casualty insurance policies provide limited cover, but this is generally insufficient. For example, most general liability and professional indemnity policies exclude virus attack.
- Cyber policies provide a dedicated security and privacy liability programme, with tailored coverage to address first and third party expenses associated with data breaches and privacy issues.
Find out more
Data and privacy breaches are a serious risk which companies face. As a leading insurer of cyber risk exposures, Zurich is helping its customers face these challenges and control security and privacy risks. In Zurich’s Security and Privacy Risk Insight magazine, you can benefit from the latest industry expertise from Zurich’s underwriting, claims handling and legal partners, covering:
- emerging security and privacy risks;
- relevant data and privacy legislative changes from around the globe;
- guidance on legal and financial liability following a breach from the US State and Federal law perspective.
First party cover includes costs to:
- notify affected third parties;
- conduct forensic investigations;
- provide credit monitoring and fraud remediation services;
- hire a public relations firm to mitigate reputational damage.
Third party liability cover can protect against:
- regulatory defence costs;
- fines and penalties (in some jurisdictions);
- business or consumer claims defence and indemnity expenses;
- extortion or reward payments;
- internet media liability.
EU Data Protection Directive – getting tough
The impending changes to the EU Data Protection Directive, expected to be implemented in 2014, are anticipated to have a huge impact. Three of the most important potential changes are:
- Reporting data and privacy breaches within 24 hours
Failure to do so could result in fines being levied against the company, and employee training is essential in this area.
- Duty of protection
Companies with more than 250 employees will be required to appoint a data protection officer, to act as an independent assessor of compliance and report at board level.
- Fines on global turnover
Proposed fines of up to 2% of global turnover – a big rise from the current £500,000 which the ICO can levy in the UK.