Published on: 2 December 2015 by Michael Lamb
CCW Global has been a strong supporter of comprehensive business insurance solutions since we opened for business in 2012. As part of this we work to offer extensive advice on insurance products which may not be completely understood by companies in Hong Kong and around the greater APAC region – including coverages such as Professional Indemnity Protection, Directors and Officers Insurance, and Trade Credit Risks.
One of the core products we have been working to highlight over the last 12 months is Cyber Risks Insurance. With Hong Kong’s recent renaissance for Tech, FinTech, and IT startups, the city’s businesses are increasingly becoming an attractive target for sophisticated criminal syndicates which may have previously targeted major foreign corporations over fairly youthful (and small) startup companies – there was simply more to gain from attacking a Sony, VISA, or JPMorgan than there was from targeting some relatively unknown Tech business in Asia.
However, this is starting to change. More and more Hong Kong (and Asian) businesses are emerging on the global stage. Despite these companies’ fairly humble beginnings many are now doing business around the world and are proving to be attractive targets for cyber criminals. The prime example of this can be seen with the recent hacking announcement from Hong Kong based Tech manufacturer VTech.
VTech, the maker of child-focused tech products including InnoTab tablets and the Kidizoom Smartwatch, which it markets as “The Smartest Watch for Kids,” announced last week that it was the victim of a massive data breach on November 14th. According to the company, the names, birthdates, and genders of its child users were compromised. Also compromised were the names, emails, passwords, IP addresses, and mailing addresses of adult users who had accounts created on the company’s Learning Lodge platform.
With many of VTech’s products seen as must-have gifts for this Christmas season, the revelation that the company has been the victim of a digital attack may leave the business with substantial reductions in sales – resulting in a significant financial impact as consumers reconsider the purchase of goods from a manufacturer with a history of data breaches.
The cost to a company to repair a reputation damaged through a cyber-attack can be substantial. In many countries companies are required to provide information about any breaches of personal data that is held on their servers to local law enforcement, which is in turn required to warn the public about the crime. As a result of this, corporations will normally hire the services of a Public Relations Agency to help protect their image in the wake of a hacking announcement – the cost of which can easily reach more than US$ 100,000 for some of the world’s best agencies.
But it is important to realize that it’s not just a PR issue the company at the receiving end of a hack has to worry about – there is a very real issue in the form of network security and personal data privacy. While Hong Kong does not have a Data Regulator, the city does have a comprehensive Personal Data Ordinance which all local businesses are expected to adhere to; following a hack of the type experienced by VTech, a company will normally be asked to conduct a thorough audit of its Data policy, produce a forensic analysis of its systems, and in order to gain back consumer trust will typically have to display a significant investment in continuing protection of both internal and external IT systems.
None of this is exactly cost-effective, especially when the victim organization holds a large amount of sensitive personal data and is relying on positive consumer sentiment to fuel purchases of its products. A forensic network analysis, for example, which will be conducted to identify the cause of a hack, can take hundreds of hours to complete for companies with large global networks, large workforces, and significant numbers of penetration points – at a conservative US$ 250 per hour to conduct such an investigation, 100 hours of work will result in a bill of US$ 250,000! According to recent studies, cybercrime cost large enterprises an estimated US$ 11.56 million per year in 2013 – identifying and fixing digital exposure after a cyber-attack is not normally quick or cheap, especially if the company in question is active in a large number of countries worldwide.
Unfortunately Cyber Insurance is not going to prevent a company from being the victim of a digital attack – smart businesses in the modern world need to think about comprehensive risk-management systems, network monitoring, and even employee access as preventative measures to avoid a cyber incursion on their systems.
However, if a criminal element thinks that an organization presents an attractive target – the company may hold a large amount of enticing consumer data, including personal information and credit card details – the business will likely encounter a hacking event at some point during its lifetime. This is especially true for younger companies who may be perceived to be an easier target by various cyber-criminal syndicates globally.
Cyber Insurance products are not at the top of many organizations’ risk management concerns – Employee Compensation, Professional Liability, and Employee Benefits (including health and life insurance) normally get taken care of as a matter of due course. However, Cyber risks tend to be ignored.
This is possibly because cyber and digital insurance products are a relatively new invention, and partly because digital risks are not tangible concerns – despite the fact that customer data (including credit card and personal information) can often be a company’s most valuable asset, whether stored digitally or otherwise.
Offices will usually have some form of Office Contents Insurance to protect against liability resulting from thefts of their hard assets and paperwork, and while the Contents cover will not actively prevent a theft (real world security systems, which may also have their flaws, are normally put in place here) the insurance will help to indemnify the business against the aftermath of a break-in. Cyber Insurance is, essentially, contents insurance for the digital age; providing coverage to ensure IT systems and Corporate networks are further secured after a penetration attempt, and offering indemnity against the costs of damage control following an act.
In this sense, Cyber Insurance can be viewed as a traditional insurance product updated for the information age. While there are no “real” objects to be protected, with data provisions becoming more stringent in every country worldwide, companies have an obligation to ensure that their customer information (in every format) is protected. Although it might be extremely difficult to guarantee protection of internal and external networks, computer systems, and digital assets against a persistent and dedicated attacker – the White House and IRS, after all, were victims of hacks in 2015 – ensuring that there is a comprehensive policy in place to deal with the aftermath of this type of crime should be a priority in the modern world.
As such, CCW Global recommends that all our business clients consider looking at some form of cyber insurance when it comes to a holistic risk management system. If a business has Employee Compensation Insurance, Professional Indemnity Insurance, Office Contents Insurance, or even Health Insurance, insurance is already a part of the company’s risk management structure. Not looking at Cyber Risks can mean hefty expenditures if a cyber-attack targets a company, and although it is not a certainty that an attack will happen, it is important to be prepared.