Cover stories

Old risks in new clothes

If you ask those who less intimately involved with cyber insurance about what the potential exposures of technology might be, they might well say “computers stop working”, maybe “loss of earnings” or perhaps “online libel”, but the reality is today cyber and technology risks span virtually every industry and many facets of our lives.  

The buzz-phrase “the internet of things” attempts to reflect just how much technology and connectivity has embedded itself into our lives and the everyday devices that support us. From smart TVs and refrigerators to driverless cars and Wi-Fi-enabled pacemakers, it is increasingly clear when “computers stop working” it is no longer just IT risks that can present themselves.

Limited protection

Although a Wi-Fi-enabled smart appliance has real computing power, it will not typically have the sort of sophisticated mechanisms to protect against malicious code or the ability to be cleansed or patched against such codes a PC, smart phone or desktop would have. It was perhaps no surprise, then, to hear a US-based IT security firm recently uncovered evidence of more than 750,000 spam emails, which had been sent by more than 100,000 internet-enabled home devices such as routers, televisions and fridges, as a result of malicious code within those devices.  

Global banking systems are now entirely reliant on IT, as was evidenced by recent system issues experienced by Natwest when, as a result of a “deliberate” attack by hackers, customers were locked out of their mobile and online accounts twice in one week; and by Lloyds, whose customers were left unable to pay for food and petrol when debit cards, ATMs and internet banking were all affected by technological meltdown.  

Critical infrastructure

Governments around the world are grappling with the concept of protecting “critical infrastructure” from cyber threats such as terrorism. An old risk for sure but this one is now able to manifest itself in the form of a cyber attack on a utility company, a nuclear plant, an air traffic control system, a military control centre or similar, with potentially devastating effects. Terrorists do not necessarily need to find their way into a secure building any more, as they can remotely carry out damaging acts with a similar end result. Stuxnet, an industrial control-system virus, showed this back in 2010 when it was rumoured to have interrupted Iran’s nuclear enrichment programme severely.  

Confidential intellectual property is a further area where in a previous era the theft of secret plans, formulae or ideas might have existed via a more traditional property break-in, but now the threat exists via IT system intrusion, where most of this information is now held.  

Reflecting the concern people may have about the risks hospital patients are exposed to by medical technology developments, former US vice-president Dick Cheney decided to have the Wi-Fi capabilities of his pacemaker turned off amid fears terrorists might have the ability somehow to hack the device.  

Regulatory development

As these risks rapidly evolve so do, by necessity, the laws and regulations that surround them. The EU “cookie laws” introduced in 2011 saw all EU countries adopting privacy legislation that required all websites owned in the EU or targeted towards EU citizens to obtain consent from visitors to store or retrieve any information on a computer or any other web-connected device. EU Data Regulation, which was reformed in 2012 to give a greater standard of protection to personal data, is gathering pace to keep up with the borderless trading environments that come with the growth of the internet.  

As demonstrated by both these legal developments, there has quite rightly been a particular emphasis on the associated risks of the internet, as a channel that is responsible for the increasingly borderless society we are living in today. It will, however, be interesting to observe the changes to more traditional legislation that acknowledge the extent to which traditional risks and products have evolved and now look very different from how they did 20 years ago. A good example of where a traditional body has addressed evolution of exposure is the US Food and Drug Administration in its recent cyber-security guide, which relates to medical devices and makes recommendations to manufacturers and healthcare facilities to take steps to ensure the appropriate safeguards are in place to reduce the risk of failure or problems arising from cyber-security threats.  

Insurance yet to catch up

Many traditional insurance policies do not yet acknowledge these changing exposures and some even fully exclude cyber risks. A policy designed to cover medical device liability, for example, should now be addressing such risks and include whether such a device was adequately protected against cyber threats at the point of manufacture. Seemingly, therefore, the future will dictate more and more “traditional” insurance products and underwriters will need to embrace this space with a more thorough understanding of the evolution of traditional exposures.  

We recently launched our privacy, data and electronic risks (PDE) extension in response to growing concerns from our clients. The PDE extension can be added to our more traditional professional and financial risks products and we see this trend of providing cyber-related extensions to traditional insurances growing in the future. Property and business interruption, commercial general liability, employers’ liability, directors’ and officers’, professional indemnity and many more traditional lines of insurance are now affected in some way or another and can potentially benefit from such additional cover. Standalone cyber cover will still however have its place in the insurance market, for those risks with more acute exposure levels. 

So, if you once considered yourself a traditional lines underwriter beware, as client exposures are evolving and so too must insurance products and underwriters keep apace. The demand for standalone cyber insurance is yet to peak but perhaps convergence of more traditional products with cover for emerging exposures will feature more heavily as we see more and more old risks resurface in new clothes.

Written by Scott Bailey