Fine print matters in cyber insurance
By Sheila Lam, Computerworld Hong Kong 18-May-2012
The costs of cyber threats have grown enormously in recent years. According to a 2009 study by IT security company McAfee, the estimated cost of cyber-crime was US$1 trillion per year. The US-based Ponemon Institute estimated the cost of cyber-crime to large companies at US$5.9 million a year, an increase of 56% between 2010 and 2011.
The surge in the costs of cyber threats coincides with the rising occurrence of cyber-attacks in recent years. According to Symantec, another IT security company, 5.5 billion cyber-attacks occurred between 2010 and 2011, which represented 100% growth within the year.
Hong Kong biz unprepared
The skyrocketing business losses caused by cyber-attacks are drawing attention from many enterprises, but very few local enterprises have taken action to protect against those losses.
"Hong Kong businesses are significantly unprepared for cyber risk," said Ian Pollard, vice president APAC of Chartis, a US-based general insurance provider. The company last month launched CyberEdge, an insurance policy that aims to provide comprehensive coverage against cyber-attacks. "A corporate risk management framework needs to address cyber exposures, yet many risk managers in Hong Kong rarely evaluate cyber risk," he added.
That observation is echoed by Stella Tse, Asia leader for the financial and professional risks practice at Marsh Hong Kong, an insurance brokerage firm that has been selling cyber-related insurance coverage since 2000.
She said a number of insurance companies have been offering insurance in Hong Kong to protect enterprises from losses due to failures in computers or infrastructure. But that coverage may not be as comprehensive as cyber insurance, which also covers business lost due to a security breach.
"Many banks and financial institutions are protected from data loss due to computer failure through the professional liability and computer crime coverage," said Tse. "There could be overlaps with such existing insurance coverage, but the cyber insurance would bring additional coverage from the existing policies."
Fine print matters
One major difference between cyber insurance and existing professional liability and computer crime coverage is cover for business interruption caused by a security breach. But enterprises should also be aware of the fine print in the policy.
For example, when business is interrupted at a securities trading house due to a network outage caused by a security breach, Tse said, the firm could claim under its cyber insurance coverage for business lost from the interruption. But the policy may not cover business lost through account cancellations or the loss of customers caused by reputational damage from the security breach.
"If the firm had US$1 million monthly revenue from its online trading platform, the claim would be based on the lost revenue in transactions and volume [directly] caused by the network outage," Tse said.
In addition to banks and the financial sector, Tse suggested healthcare organizations should also consider cyber insurance. She gave the example of a clinic that loses its patients’ data in a security breach when one of its patients is a director of a listed company: such information is sensitive data that may cause share prices to fluctuate.
"When business is lost due to the leakage of such data, should the clinic be liable?" she said. "There are still a lot of uncertainties, therefore I’d suggest organizations consider having a policy."
An evolving process
She noted that most existing insurance policies cover outages caused by property-based or physical damage, creating a grey area for the coverage of data loss due to a network breach. Changing regulations and privacy laws are also adding to the complexity of cyber insurance coverage, which is still evolving.
"This is still an education process for all parties and one size does not fit all," said Tse. Enterprises are encouraged to work with their broker, study and understand the policy coverage available in the market and apply that to their organization’s processes; "then they can find a policy that fits their needs."
Carol Ko of Asia Cloud Forum contributed to the reporting