
Reduce cyber risk with cyber insurance

Homeland Security

On February 5, 2016, some employees of Hollywood Presbyterian Medical Center noticed that they could not access their patients' records. A little later they could not access the hospital's pharmacy to order the medications needed for the next day's treatments, and finally they lost all access to their network.

It was soon discovered that hackers had illegally accessed the hospital network and encrypted all the data files where hospital information is stored, halting the hospital's activity in order to demand a ransom.

As a result of this attack, 911 patients were redirected to other hospitals, and a large number of medical records had to be written down with pencil and paper and then incorporated into the data files once the crisis was resolved. Only after the hospital had paid the $17,000 in bitcoins demanded by the hackers was it given the encryption keys that allowed it to recover all its information and return to normal.

This is not new: in recent years many cyber attacks with serious consequences have been reported, such as the attacks on the Blue Cross and Anthem insurance companies in 2015, with data exposure of 11 and 78.8 million clients respectively, or the attack on US government files that compromised the data of 22 million active and retired civil servants.

On the other hand, in the case of the Target supermarket company, a cyber attack in 2013 led to the disclosure of the credit card data of millions of customers. This has resulted in a series of 140 lawsuits over 3 years, costing the company $390 million in compensation.

But Europe is not lagging behind either, with large-scale or far-reaching attacks also being reported, such as those on telecommunications giant TalkTalk in the UK in autumn 2015, the French TV station TV5 Monde, Sweden's air traffic control system, several energy companies in Norway and a large steel company in Germany.

The study "Net Losses: Estimating the Global Cost of Cybercrime" published in June 2014 by the McAfee Center for Strategic and International Studies estimates the annual cost of cybercrime to the global economy at $400 billion.

The proliferation of cases such as those described above and the need for companies to protect themselves against exposure to cyber risk have mobilized insurance companies.

Issuing cyber insurance policies is a major challenge for underwriters, as Robert P Hartwig and Claire Wilkinson explain in their report "Cyber Risk: Threat and opportunity", due to the complexity and rapidly changing nature of these types of risks, the scarcity of historical data and the uncertainty regarding the aggregation and accumulation of risks through the spread of incidents between companies.

Despite this, insurance companies have taken up the challenge and created exclusive cyber insurance policies with extensive coverage, among which we can find the following:

  • Liability: Legal costs and court rulings after a cyber attack that results in financial damage to a third party.
  • Crisis Management: Covers the costs of notifying consumers of a data theft as well as hiring a Public Relations and Communications agency to launch a campaign to restore the company's reputation.
  • Directors' and Officers' Responsibility: Covers the responsibility of senior managers when they act in decision-making on behalf of the company.
  • Business interruption: Covers loss of revenue due to an attack on the company's network that limits the ability to continue business.
  • Cyber extortion: Covers the resolution of an extortion threat against a company's network, as well as the cost of hiring a specialized security company to identify extortionists.
  • Data loss or deterioration: Covers the loss of valuable data assets as a result of the action of malicious viruses or Trojan horses.
  • Rewards: Covers the cost of offering a reward that encourages the identification of the offender who has attacked a company's computer systems.
  • Data Leakage: Covers costs and liability resulting from a data leak.
  • Identity Theft: Provides access to an identity theft call center in case an employee's or customer's identity has been impersonated.

Focusing again on the case of Spain, despite having a wide range of cyberinsurance offered by the insurance companies operating in our country, the volume of premiums contracted is small compared to the rest of the most advanced economies in Europe. This is even more so when compared to the USA, which is clearly the leader in terms of cyber insurance policies taken out, with a volume of premiums of 3,250 million dollars in the last year.

Data provided by the Lloyd's insurance market in a survey of 350 CEOs in Europe shows that 92% of respondents have already suffered a cyber attack, yet only 42% of them are concerned about further attacks. The survey also reveals that 73% of the executives surveyed have limited knowledge of cyber insurance policies and even 50% of them were completely unaware of their existence.

At present, companies in our country have no legal obligation to report the cyber security incidents that affect them. According to an association of CISOs consulted, this could be contributing to the low volume of cyber insurance contracted, as it reduces the visibility of the problem and the risk it represents.

Leading members of this association anticipate that the situation will change with the entry into force in 2018 of the General Data Protection Regulation (GDPR). This new European regulation on data protection includes, among others, the obligation for companies to report to their regulator and to the affected public any cyber attack that results in the loss or leakage of data, and establishes a maximum period of 72 hours for this purpose.

The new regulation also provides for fines of up to 20 million euros or 4% of total turnover for cases of data leaks, in addition to compensation owed to injured persons or companies for damage claims. According to the experts consulted, this will have a decisive influence on the increase in cyber insurance policies taken out by companies in our country.

Before contracting a cyber insurance policy to obtain financial compensation that allows damage to be repaired after an attack, companies need to carry out adequate cyber-risk prevention, through the actions and investments required to provide themselves with the necessary security mechanisms and measures.

Similarly, in the field of cyber security there are standards and certifications such as ISO 27001 or COBIT 5; reference and support centers at the national level, such as the CCN (National Cryptographic Center), with a focus on large companies, and INCIBE (National Institute of Cybersecurity), for SMEs and households; and a wide range of products and technological solutions.

On this last point, our country is well positioned according to the analysts' reports, since in the last year investments in cyber security products amounted to 590 million euros, and they are expected to reach 1 billion in 2019.

If you are among the 67% of Spanish companies that according to the Lloyd's study know little or nothing about the GDPR, or among the 50% of European companies that are unaware of the existence of cyber insurance, perhaps this beginning of the year is a good time to undertake an analysis of your cyber risk and adopt the necessary protection and prevention measures.
