The data breach at the consumer credit reporting agency Equifax a week ago was shocking not just for its scale – 143 million personal records were snatched – but because, as a top-tier financial services company, it could reasonably be assumed to have superior security systems in place.
The personal data that was looted through the breach was primo quality. It included Social Security numbers, home addresses and the most sensitive financial information of millions of American consumers.
As if anyone needed to be reminded, the Equifax breach underlined the increasingly obvious reality that any company is at risk of a security breach.
FTI Consulting senior managing director Dawna Wright says top-tier companies in the financial services sector take cyber security seriously indeed. “What this tells us is that even companies that believe they are secure are still at risk.”
“This is one of the top companies in its sector in the US, and even it has been the subject of – by any measure – a very substantial breach.”
Ms Wright is a specialist in the quantification of losses in such cyber breach situations. And there are two very sobering parts to this calculation: the first tallies the damage done to a company, and the second tallies which parts of that damage are insured.
Cyber insurance is a fast moving and little understood part of the insurance sector. Anecdotally, cyber insurance is fast growing – because boards and senior management are being told by everyone that they should be investigating cover.
But it is not well understood. FTI Consulting’s Ms Wright will deliver a keynote address at InnovationAus.com’s inaugural Cyber Insurance forum in Sydney on September 21.
Ms Wright will be joined by Australian Securities and Investments Commission commissioner John Price, NSW government Chief Information Officer Maria Milosavljevic, and Lloyd’s of London general representative in Australia Chris Mackinnon in discussing the key challenges in seeking to insure against damage and loss that result from nefarious cyber activity.
And the challenges are substantial. At its worst, the cyber insurance market in Australia is populated by insurance companies that don’t know what they’re selling – and are finding it hard to price – and cyber insurance buyers who don’t know what they’re buying.
This is a complex area heavily predicated on a rapidly changing technology environment, and one where there is not much historical data on which to price premiums.
“There are a lot of people out there telling everyone that they should be getting [cyber] insurance. So it is not surprising that the market might be booming,” Ms Wright said.
“The thing that makes it difficult is that there is not a lot of historical data,” she said.
“If you’re buying life insurance, you might have 100 years of statistical data that you can look at so that insurers know how to price [the risk].” There is also a common language in contracts for these established insurance policies: “You know what’s covered and what’s not.”
“But cyber is on the other end of that spectrum, where there is very little historical data – and what data there is, is not well tracked or reported,” Ms Wright said. The embryonic nature of the market means that the language of policies is not as well defined as it is in other areas of insurance.
“And that goes to both sides [of the policy]. It goes to the pricing and to the recovery for the company.”
The Equifax breach is interesting for illustrating other complexities of breaches, and the sometimes difficult task of quantifying damages.
While the sensitive details of 143 million Americans might have been exposed by the breach, the hack did not actually disrupt the company’s service. Nor did the breach expose the data of Equifax’s own customers, employees or shareholders.
The records that were looted belonged to third-party individuals: the people on whose credit rating Equifax reported.
So measuring the damage is not a simple matter of measuring how much business was lost during downtime. Instead, it involves things like the share price shock – at one stage the company had 18 per cent wiped from its value – and the flow-on effects of that (perhaps class-action lawsuits, or more expensive future capital raisings).
“The advice for companies is that they firstly make sure they know exactly what it is they are trying to cover.”
“You have to realistically assess what would be the impact of a cyberattack, and that really depends on what kind of company you are.”
There are big questions for government and regulators in relation to cyber insurance right now. The regulations tend to be about protecting the privacy rights of individuals, and mandatory data breach notifications are about protecting the records of individuals.
But the really big potential exposures for insurers – and for society, frankly – are where a cyberattack hits a computer system that controls an operation that can cause physical damage.
Think of a computer system that controls a large mining site, an electricity power station, an aluminium smelter or a port cargo system. “In those situations it’s not about the data, but about the control system.”
“Those are the things that are going to cause the biggest losses – but it’s not where the regulator is focused,” Ms Wright said.
Dawna Wright is senior managing director at FTI Consulting. FTI Consulting has partnered with InnovationAus.com to deliver the Cyber Insurance forum in Sydney on September 21.