INTRODUCTION
As our world becomes ever more digitalised and data-driven, cyberattacks and data security breaches have surfaced as prominent threats to businesses and individuals alike. The increasing emergence of threats originating in the digital space has rendered the conduct of business more complex by necessitating the urgent adoption of new cybersecurity and data protection measures.
Businesses are also facing greater scrutiny from regulatory authorities, in light of cybersecurity and data protection standards which have been introduced in recent years to address common risks associated with the digital environment. Thus, it is important for businesses to keep abreast of the evolving legal regulatory framework for cybersecurity and data protection, as well as to acquaint themselves with the measures they need to take to navigate the digital landscape successfully and manage their risks accordingly. Businesses seeking to further minimise their exposure to potential cyber risks have resorted to purchasing cyber insurance, a trend which has seen marked growth recently, with increasing awareness of the liability that can arise from data loss or leakage through theft or security breaches.
WHAT IS CYBER INSURANCE?
Cyber insurance is a type of insurance which helps businesses to mitigate losses arising from risks in the use of information and communication technology (ICT), electronic data and the Internet that compromise the confidentiality, integrity or availability of data or services[1]. These include risks arising from incidents such as cyberattacks, denial-of-service attacks, cyber extortion, malware intrusion, data breaches, system malfunctions and so forth (all referred to collectively and loosely as ‘cyber incidents’ in this article). Losses sustained from the occurrence of cyber incidents can be first-party or third-party losses.
First-party losses are losses sustained directly by a business as a result of a cyber incident. Examples include loss of or damage to a company’s data, costs of data recovery, loss of income due to business interruption or disruption, cyber extortion losses, and expenses incurred and man-hours lost in the crisis management processes undertaken to resolve the cyber incident, or at least to bring the business back to a point where normal operations can resume.
Third-party losses, on the other hand, are losses sustained indirectly by a business. These occur when a business incurs liability to third parties as a result of a cyber incident. Examples of third-party losses include product liability or professional services claims brought by third parties against a business for the losses that those third parties sustain as a result of a cyber incident.
WHY IS CYBER INSURANCE RELEVANT TO MY BUSINESS?
Generally, the main purpose of an insurance policy is to allow a business to transfer the risk of the occurrence of certain contingent events to an insurer, in exchange for the payment of a premium. In the same vein, cyber insurance serves as a form of risk management against cyber risks, by softening the direct financial impact of a cyber incident on businesses.
Businesses need to be aware that traditional commercial insurance policies may not be adequate to address cyber risks. Commercial general liability insurance policies usually exclude losses arising from cyber incidents (e.g. via an ‘electronic data exclusion’), and traditional errors and omissions (E&O) insurance policies cover only third-party losses and not first-party losses, which tend to arise more frequently out of cyber incidents. Cyber insurance coverage helps to plug the gaps in traditional general commercial insurance policies and allows the risk of cyber incidents to be hedged against.
Caught between the twin pressures of increasingly sophisticated cyber threats and growing regulatory scrutiny on the handling of personal data, businesses have to come to grips with the reality that the occurrence of a cyber incident may no longer be a question of “if” but “when”. In this new reality, the further question that businesses need to answer urgently is not “whether” they need cyber insurance, but “how much” cyber insurance coverage is required and “which forms” of cyber incidents are most likely to arise in their particular field of activity.
This is underscored by the fact that even big players such as MNCs, large organisations, public institutions and governmental agencies are not immune to cyber incidents, despite arguably having the resources to implement more effective preventive measures. To illustrate, major cyber incidents in recent history include the SingHealth[2] data security breach in which the personal data of 1.5 million people were illegally accessed and copied, the leakage of the personal data of 800,000 blood donors held by the Health Sciences Authority[3], the compromise of employee login information in several government agencies and educational institutions, including the Government Technology Agency (GovTech), Ministry of Health, Ministry of Education, Singapore Police Force and National University of Singapore[4], and Facebook’s security breach in 2018 which allowed hackers to take over nearly 50 million user accounts[5].
While the sheer volume and value of data held by larger organisations and government agencies may make them a natural target for cyberattacks, cyber risks are no less real for private small and medium enterprises (SMEs). More than half of the SMEs surveyed in Singapore reported having experienced some form of cyberattack or error in the past year[6]. Due to the increasing value of data in the global digital economy (where data has been described as a more valuable commodity than oil[7]), substantial amounts of personal data are also being collected by SMEs and start-ups, making them just as likely to be targeted for cyberattacks.
Furthermore, security breaches are often due not only to the acts of malicious third parties, but also to a lack of vigilance or negligence by employees in the course of day-to-day operations, or even to failures by management to identify or anticipate weaknesses in their data security protocols. The long list of companies fined for data protection breaches by the Personal Data Protection Commission[8] for various internal failings and human error grimly illustrates this point, as does the recent accidental disclosure of 410 customer email addresses by IKEA Singapore reported in the news[9]. Coupled with the rising trend of businesses allowing their employees to work remotely, often accessing company data over public Wi-Fi networks, and the growth of the gig economy, ‘internal’ members such as employees, freelancers and agents may well be a business’s ‘weakest link’ when it comes to cybersecurity.
Given the above, businesses will need to consider adopting a multi-pronged approach, combining preventive and mitigative measures, to minimise their liability arising from exposure to cyber risks. While preventive measures seek to avert the risk of a cyber incident from occurring in the first place, mitigative measures (such as cyber insurance) aim to control or reduce the impact of a cyber incident after it has occurred.
WHAT SHOULD I DO BEFORE PURCHASING CYBER INSURANCE?
As can be expected, there is a wide variety of cyber incident types and therefore a broad offering of corresponding cyber insurance policies available in the market. The level of exposure of a business to cyber risks will vary, as it depends on several factors, such as the amount of personal data handled by the business, the sensitivity of such data, the size of the company (and therefore the number of employees handling the data and corresponding risk of human error), the extent to which information systems are used in the company or incorporated in products and services offered by the company, and the external accessibility of data through internet connections.
Before committing to a cyber insurance policy, it is prudent to first conduct an internal cyber risk assessment for your business. Commercial insurance is, after all, obtained to mitigate business risk. Without prior identification and understanding of what these risks are in the context of your business, the proper assessment and selection of the right insurance policy, as well as the calibration of the appropriate amount of coverage for your business cannot be carried out effectively. This will of course also need to be weighed against factors such as your business’ ability to bear the additional expense of cyber insurance, the value of the data being handled, and the potential liability that could arise in the event of a cyber incident in order to find the right balance between being over- or under-insured.
A cyber risk assessment can be undertaken internally by suitably qualified personnel with the active participation of all stakeholders, and preferably with the assistance of qualified professionals such as lawyers and cybersecurity advisors.
Typically, an internal risk assessment exercise involves an evaluation of the extent of exposure of the business to various cyber or data-related risks, identifying potential cybersecurity vulnerabilities, prioritising the identified risks, reviewing existing insurance coverage to identify possible gaps or areas of overlap, and assessing the potential impact of a cyber incident by running various simulations (for example, tabletop exercises that walk through a ransomware outbreak or a data leak from discovery to recovery). From a liability perspective, the additional risks that your business may be exposed to as a result of cyber incidents affecting parties it has business relationships with (such as customers, vendors and suppliers) should also be taken into consideration.
The resulting report from the internal risk assessment exercise should then be used as the basis for the formulation of a comprehensive risk management plan comprising a combination of preventive, corrective and mitigative measures tailored for your business. Ideally, this risk management plan should be updated and remediated periodically to account for changes in the business environment, advancements in technology, changes in the law and of course, new threats from cyberspace.
All too often, businesses treat cyber risks as just an “IT problem” to be dealt with by the appropriate team. In reality, effective risk management requires a more holistic approach, having regard not only to technical considerations, but also to legal and commercial ones. For example, to address risks or gaps identified in the internal risk assessment report, your lawyers may recommend amendments to terms in your business’ standard contracts to ensure alignment with data protection laws and to properly allocate cyber risks in commercial transactions. They may also recommend and assist in the preparation of internal cybersecurity and privacy policies, as well as propose changes in the data collection, processing and storage practices of your business. Some of these changes will require the technical assistance of your IT professionals, who should also be able to recommend and advise on industry best practices for information security. Lastly, it should be acknowledged that where there are risks which cannot be completely eliminated by the adoption of reasonable preventive and corrective measures, your business will have to put in place mitigative measures to cope with the occurrence of a cyber incident, including implementing cyber incident response and business continuity plans, and purchasing cyber insurance.
WHAT ARE SOME KEY POINTS TO NOTE ABOUT MY INSURANCE CONTRACT?
Scope of coverage
The scope of coverage under your insurance policy will directly affect what claims your business can make in respect of a cyber incident. It is therefore important to scrutinise the terms of the insurance contract to ensure that the insurance policy provides the coverage desired, as determined by your internal risk assessment report. Where there is ambiguity or lack of clarity, it is advisable to get the insurer to provide worked examples of exactly what is covered under a particular policy, or to highlight to the insurer the particular risk which is an area of concern, in order to customise the coverage to better suit the requirements of your business.
Some important considerations include the following:
1. Is your ‘cyber insurance’ a stand-alone policy or a ‘rider’?
Generally speaking, while all policies and riders that cover cyber risks are loosely referred to as ‘cyber insurance’, a stand-alone policy is likely to offer more comprehensive coverage than a rider added on to an existing policy.
2. Does the policy cover first-party losses? Can the costs of crisis management be claimed?
Once a cyber incident has been discovered, the affected business will need to notify the relevant authorities, conduct investigations into the circumstances surrounding the incident and produce an investigation report to account for the cyber incident to the authorities. At the same time, the business will need to plug any internal gaps that led to the occurrence of the cyber incident. Crisis management and response requires a substantial expenditure of manpower through the deployment of data recovery and cybersecurity experts, forensic investigators, public relations specialists and even lawyers, all of whom may need to work around the clock after the cyber incident to minimise further risk exposure or damage to the business and to contain the legal and commercial fallout. The professional fees involved in assembling these consultants for the purposes of damage control and disaster mitigation can quickly stack up, and ill-prepared businesses may be staring at a hefty bill which they are unable to pay off in addition to the direct liability arising from the cyber incident itself. As such, it is important to consider whether the policy you are considering covers such first-party losses, and under what circumstances such losses can be claimed.
3. Does your insurer provide access to crisis management support?
Apart from covering the costs of crisis management, many cyber insurance products also provide access to service providers who can assist a business in responding to cyber incidents. These include lawyers who can advise on relevant disclosure or notification requirements at law, forensic investigators to investigate the cause and extent of the security breach and to assist in breach containment, and public relations companies to manage reputational risk and handle communications with affected customers, business partners, and the press. For businesses which have limited experience or in-house capability for crisis management, having access to experienced service providers can help navigate the confusing and often overwhelming aftermath of a cyber incident, thereby reducing the overall level of loss and preventing further damage from occurring.
4. Does the policy cover all data breaches, even if they are not cyber-related?
Data breaches can also result from the poor or improper handling of data in physical (rather than electronic) form (such as physical mail delivered to the wrong addressee). Despite its name, a cyber insurance policy may not be limited to the coverage of cyber risks but may also (depending on the insurer and the policy) cover data breaches generally whether they arise via technological interfaces or physical means. This expanded scope of coverage would naturally be preferable.
5. Will the policy cover your business for the acts of your employees?
Data breaches are often caused by either a rogue or a negligent employee. Naturally, businesses with greater numbers of employees face correspondingly greater risk exposure in this regard, so it is important that the insurance coverage extends to acts by employees, whether negligent or deliberate, and that you check which of the two (if either) the policy excludes.
6. Does your insurer provide worldwide coverage and support? Does protection extend to other group companies?
Businesses with a regional or worldwide presence should ensure that the insurance policy they purchase not only provides worldwide and group coverage, but also that the insurer has reputable and experienced network partners which can be activated for crisis management in the relevant jurisdictions and in a timely manner. To maintain standards and ensure that the business is equipped to comply with its legal obligations as soon as a breach occurs, you should examine the service levels promised by the insurer, to ensure that your business and its group companies receive a minimum acceptable level of service from the insurer and its network partners regardless of where the cyber incident occurs.
7. Can the insurer customise the insurance policy for your business, if needed?
Although cyber insurance policies offered by insurers will fall into certain defined ‘types’ for practicality and ease of marketing, this does not mean that a ‘one-size fits all’ cyber insurance policy will be suitable for your business. If necessary, policies may have to be tailored for your business, or you may need to consider a combination of different policies and riders to achieve the protection necessary to safeguard your business.
Period of coverage: are past acts included?
Claims can only be made on an insurance policy in respect of acts, errors or omissions which occur after the policy’s ‘retroactive date’; claims cannot be made in respect of incidents which arose before that date. Unless negotiated otherwise, the retroactive date is commonly set at the inception date of the policy.
However, many cyber insurance policies provide an additional option for the purchase of an ‘unlimited retroactive date’ at a higher premium. This will allow an insured party to make a claim under the policy in respect of an act, error or omission, regardless of when it occurred.
If your business has been in active operation for many years, and there is a possibility that incidents may have occurred in the past which may give rise to potential claims in the future, you should consider obtaining a policy with unlimited retroactivity, or at the very least, specify a retroactive date that predates the inception of your policy. Otherwise, losses arising from incidents pre-dating your policy’s specified retroactive date cannot be claimed under the policy and would be unrecoverable.
The relevance of the retroactive date is particularly pertinent since many cybersecurity breaches are only discovered weeks, months or even years after the initial security compromise occurred, and it is the date of the initial compromise (the act, error or omission), not the date of discovery, that is measured against the retroactive date. Such is the case for Advanced Persistent Threat (APT) attacks, an increasingly common and sophisticated form of cyberattack in which an attacker gains unauthorised access to a computer network and remains undetected for a prolonged period, quietly establishing persistence and moving through the network, before eventually striking. As a case in point, an APT was responsible for the massive data breach in the recent SingHealth episode[10], where the APT actor took many calculated steps to remain undetected by the detection mechanisms SingHealth and Integrated Health Information Systems (IHiS) had put in place until it had managed to infiltrate the SCM database, which contained the personal data of over 5.01 million unique individuals, whereupon the personal data of almost 1.5 million unique individuals were exfiltrated[11]. While the Personal Data Protection Commission (PDPC) accepted that the APT actor had employed “sophisticated and novel tactics, techniques and procedures” in the cyberattack[12], it nevertheless found that the security steps and arrangements in place were “insufficient”[13]. Accordingly, SingHealth and IHiS were fined S$250,000 and S$750,000 respectively for the breach of their data protection obligations under the Personal Data Protection Act 2012 (Cap. 26).
Fines may not be claimable
Many business owners are under the misconception that reimbursement for fines comprises the bulk of cyber insurance payouts. In practice, however, insurers will generally not pay claims from insured parties in respect of fines imposed by regulatory authorities.
As a matter of public policy, fines imposed as a result of intentional wrongdoing by an insured party will generally be unrecoverable as they would be tainted by illegality[14]. The rationale behind this exclusion is that allowing an insured party to insure and recover the cost of regulatory fines under an insurance policy would remove the deterrent and/or punitive effect of such fines. Further, as a matter of insurance law, an insured party would not generally be allowed to recover losses stemming from its intentional acts or omissions. Otherwise, it would be open to abuse by unethical businesses seeking to defraud insurers.
There is some uncertainty at law as to whether, under certain circumstances, data protection or cybersecurity breaches that are less ‘morally culpable’ can be classified as ‘strict or no-fault liability’, and therefore be insurable. Until the position at law is clarified, however, businesses should note that if any fines are imposed by the authorities in respect of data breaches, they are unlikely to be able to look to their insurance policy for reimbursement.
You have a duty of disclosure
A duty of disclosure is owed by the insured party to its insurer at the time of entering into the insurance policy. Generally, an insurance policy becomes voidable at the insurer’s option upon the insurer’s discovery of any material non-disclosure, meaning the insurer may treat the policy as void ab initio and decline to pay any claim under it. Cyber insurance is no different, and the extent of disclosure provided by the insured party helps insurers to assess the scope of risks intended to be insured against and decide on appropriate exclusions if necessary.
It should be noted that the questions asked of the insured in standard insurance application forms cannot be relied on to elicit all material information that an insured party is expected to disclose. The onus therefore lies on insured parties to be forthright and to disclose to their insurers all material information which they know or ought to know could affect the insurer’s assessment of risk under the contemplated policy. For cyber insurance this will typically include known past incidents, the state of existing security controls and any findings from the internal risk assessment described above, so that the insurer cannot later void the policy on the ground of non-disclosure of a material fact.
CONCLUSION
In this digital age, cybersecurity and data protection have become forefront issues that businesses must address. Without proper measures in place, businesses face losing consumer confidence and can even suffer significant financial losses and penalties should customer information and confidentiality be compromised. Further, given the extensive ‘clean up costs’ associated with cyber incidents, continued business survival may be challenging for smaller businesses after a cyber incident.
It is therefore crucial that businesses adopt a holistic and comprehensive approach to mitigating cyber risks. Business owners need to ensure that they have the necessary legal safeguards, compliance procedures and documentation in place to ensure compliance by all relevant parties with their obligations relating to cybersecurity and the handling of confidential or personal data. Such parties could be internal parties such as employees, agents or contractors, or external parties such as service providers. Businesses must account for every person whose contact with their data or IT systems could expose them to a cyber incident. Where possible, minimum standards should be imposed on third parties, and the risk of breaches allocated to them on a fault basis, for example by way of contractual disclaimers and indemnities.
At the same time, cyber insurance also has an important role to play in mitigating the risks and impact of a cyber incident. The right cyber insurance policy, properly customised for a business, can act as a safety net where, despite a business’s best efforts, a cyber incident has occurred, by covering the costs of responding to the incident and meeting the resulting regulatory and third-party obligations (bearing in mind that, as noted above, regulatory fines themselves are generally not claimable).
While this article highlights some key points to consider when selecting a cyber insurance policy, these should not be taken as exhaustive. Due to the variety of cyber insurance policies available on the market, as well as the fact that cyber insurance is a relatively new product, substantial variation in the scope of coverage offered by different policies can be expected. Businesses would do well to scrutinise the finer terms and conditions of each policy in consultation with independent legal and insurance professionals before committing to one.
References
[1] See definition by the Geneva Association in “Ten Key Questions on Cyber Risk and Cyber Insurance” (November 2016) which defines cyber risk accordingly.
[2] https://www.straitstimes.com/singapore/singapores-privacy-watchdog-fines-ihis-750000-singhealth-250000-for-data-breach
[3] https://www.straitstimes.com/singapore/health/800000-blood-donors-personal-data-accessed-illegally-and-possibly-stolen-police
[4] https://www.straitstimes.com/singapore/compromised-log-ins-passwords-from-several-govt-agencies-on-sale-online-says-russian-cyber
[5] https://www.channelnewsasia.com/news/technology/facebook-security-breach-hacking-user-accounts-10770458
[6] https://www.businesstimes.com.sg/sme/over-half-of-smes-in-singapore-have-experienced-a-cyber-error-or-attack-last-year-poll
[7] https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data
[8] https://www.pdpc.gov.sg/Commissions-Decisions/Data-Protection-Enforcement-Cases
[9] https://www.straitstimes.com/singapore/ikea-says-sorry-for-customer-data-breach
[10] See generally Singapore Health Services Pte Ltd & Ors [2019] SGPDPC 3.
[11] Singapore Health Services Pte Ltd & Ors [2019] SGPDPC 3 at [139].
[12] Singapore Health Services Pte Ltd & Ors [2019] SGPDPC 3 at [100].
[13] Singapore Health Services Pte Ltd & Ors [2019] SGPDPC 3 at [134].
[14] By application of the ex turpi causa doctrine.
This article is written by Wan Li Seow, Head of IP and Technology at Xavier & Associates LLC and edited by Yun Wen Soh from Asia Law Network.
This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to a practising lawyer in your jurisdiction. Any constituent part of Interstellar Group Pte. Ltd., Xavier & Associates LLC and their respective members, partners, shareholders and consultants do not accept or assume responsibility, and shall not have any liability, to any person in respect of this article.