Europe: Cyber liability: the hardest threat to manage

The intense media interest in recent cyber assaults will only serve to fuel growing public alarm and sharpen the attention of lawmakers around the world. In the US, the law already requires companies to report data breaches to consumers and in Europe, the European Community Data Protection Directive is under active review.

Amendments to the legislation already require telecom and internet service providers to notify the authorities of a data breach, and in Germany, Norway and Austria, national legislation has been tightened to increase reporting requirements. It seems only a question of time before reporting of data breaches becomes mandatory across the European Union, ushering in a new raft of risks, and costs, for global businesses.

"It seems only a question of time before reporting of data breaches becomes mandatory."

 

The cost of leaks
According to the Ponemon Institute, the price of an average security leakage in the US is $7.2m per event - or $214 per compromised record. Although negligence, lost devices and human error, in particular, are the most common causes of data breach, criminal breaches cause the biggest financial hit because of the investment required to detect and remediate the threat. In the short term normal trading may be disrupted, but loss of customer trust and corporate reputation are the more significant long-term threats.

As exposures like these crystallise, there is a pressing need for companies to review their risk management, cyber and data security policies, taking into account both internal and external risks. As more elements of the value chain - from marketing to manufacturing, sales to logistics - are shifted overseas or online, and data storage is handled via virtual ‘cloud' technology in order to maximise efficiency, so exposures to such threats will inevitably increase. Businesses in every industry sector need to make a step change in the way they manage risk in order to respond to these new geographic and technological exposures.

"There is a pressing need for companies to review their risk management, cyber and data security policies."

 

Innovation needed
Insurers likewise need to innovate to create the covers that will protect against these risks. The insurance market in London and Europe is now taking an active interest in the full spectrum of data breach-related risks, from business interruption, to civil liability to defend actions by customers, financial institutions or partner organisations. Cover is also available to defend regulatory actions, including notification, and to cover crisis management costs such as communication, credit monitoring and public relations services.

We are living in extraordinary times, with change happening at unprecedented speed. Companies with networked international and virtual operations are at particular risk. Insurers need to put together a global risk management response and encourage active dialogue with global businesses if they are to partner effectively to manage this threat.

Jan Auerbach is senior vice president for the European risk management division of Chubb Europe