Can your firm bear the cost of a cyber attack?

If your company were hit with a cyber attack today, how much would it cost? The entire bill -- including costs from regulatory fines, potential lawsuits, damage to your organization's brand, and hardware/software repair, recovery and protection?

It's a question you can't ignore, as the costs of online attacks are skyrocketing. According to a 2011 study by the Ponemon Institute, the cost of cybercrime in the US could range from US$1.5 million to US$36.5 million annually. A 2009 study by IT security company McAfee also estimated that the cost of cybercrime reaches US$1 trillion per year.

"Cyber attacks, often in the form of data breaches and network intrusions, can impact operations, frequently result in lost productivity, legal expenses, third party liabilities, exposed intellectual property, and damage to a firm's reputation," said Marc Breuil, Hong Kong president and CEO for US-based Chartis Insurance.

The ripple effect of cyber attacks

"Hong Kong businesses are significantly unprepared for cyber risk," added Ian Pollard, Chartis vice president, Asia Pacific. "A corporate risk management framework needs to address exposure of data to attack, yet many risk managers in Hong Kong rarely evaluate cyber-risk."

In August 2011, Hong Kong Exchanges & Clearing, operator of the Hong Kong stock exchange, halted trading for eight companies -- including HSBC, Cathay Pacific, Dah Sing Bank, China Power, and HKEx -- after its Web site suffered a malicious attack.

"We know from our research that cyber attacks can cause serious reputational damage," said Breuil. "A recent report suggested that over three-quarters of people would cease working with an organization in the event of a security breach, and the average share price drop in response to notifying the market of a network security breach is 5%."

Gigi Cheah, partner and Asia lead for Technology and Data Privacy at Norton Rose, said: "There's an increasing awareness of the need to protect data, whether of individuals or companies, with corresponding strengthening of privacy and security legislation worldwide."

"The penalties imposed by these laws, for failure to adequately safeguard data, are also increasing," said Cheah. "Proposed changes to the EU data protection framework include a maximum penalty of 2% of an offending corporation's global annual turnover."

Coverage and claims

The increased business risk caused by cyber attacks is raising attention among many enterprises. Many insurers -- including Chubb, Zurich and Chartis -- are providing cyber insurance coverage for Hong Kong enterprises.

Last month Chartis launched CyberEdge, a cyber-insurance policy targeted at multinational enterprises in Australia, New Zealand, Singapore and Hong Kong with a minimum annual turnover of US$100,000.

To calculate premiums, Chartis conducts an individual risk assessment comprising the relevant industry, company size, annual revenue, existing risk management practices, and the liability limits sought by the insured.

Liability limits for Chartis's CyberEdge are currently capped at US$10,000,000, subject to individual risk assessment. Pollard said that the average claim at Chartis in the US over the last four years was US$5.2 million.

"That [average represented] small to large businesses in different sectors," he said. "We paid for defense costs, claims for third party liabilities related to a fine penalty, notification costs or forensic expenses."

Are you already covered?

Many insurance companies in Hong Kong offer professional liability products, which may protect enterprises from some forms of data loss due to failures in computers or infrastructure, according to Stella Tse, Asia Leader for the Financial and Professional Risks Practice at Marsh Hong Kong, an insurance brokerage firm that has provided cyber insurance coverage since 2000.

"Many banks and financial institutions are protected from data losses due to computer failure through the professional liability and computer crime coverage," said Tse. "Although it may overlap existing insurance coverage, cyber insurance can sometimes provide additional coverage over-and-above the existing policies."

She added that most existing insurance policies cover outages caused by property-based or physical damage, meaning that damages due to data loss remain a grey area.

Read the fine print

One major difference between cyber insurance and existing professional liability policies is coverage for business interruptions caused by security breaches. But enterprises must also be aware of the fine print in their policies.

For example, if business is interrupted at a securities trading house due to a network outage caused by a security breach, Tse said a claim could be made against the cyber insurance coverage for business lost from the interruption. But the policy may not cover business lost from account-cancellations caused by reputational damage from the security breach.

"If the firm had $1 million monthly revenue from its online trading platform, the claim would be based on the lost revenue in transactions and volume [directly] caused by the network outage," she said.

In addition to banks and the financial sector, Tse suggested that healthcare organizations also consider cyber insurance. She posited a scenario where a clinic loses patient data in a security breach and one of those patients is a director of a listed company. Such information is sensitive data that may cause share prices to fluctuate.

"When business is lost due to the leakage of such data, should the clinic be liable?" she said. "There are still a lot of uncertainties, therefore I suggest organizations consider having a [cyber insurance] policy."

The role of IT

IT's input is crucial when it comes to deciding whether to buy cyber insurance and determining what coverage to buy, security experts say.

"Information professionals, especially information security leaders, need to step up. They need to understand that they're in charge of more than just security. They need to understand and articulate the vulnerabilities that they face in terms of risk. That's the language of the board," said Don Fergus, a US-based IT risk consultant.

An organization's risk management and legal folks understand the language of insurance riders and exclusions, but no one is better equipped to understand and articulate an organization's information security system than the people who run it.

"The CIO is on the front lines in dealing with information systems and should know about actual and potential problems," said Eric Sinrod, a partner at San Francisco-based law firm Duane Morris.

IT managers can also help produce an accurate cost-benefit analysis. "It might cost the company less to recreate the data than it would to pay for the insurance premium," he added.

An evolving process

Changing regulations and privacy laws also add to the complexity of cyber insurance coverage, which continues to evolve.

"This is still an education process for all parties and one size does not fit all," said Tse. Enterprises are encouraged to work with their brokers, study and understand the policies available in the market, and apply them to their processes -- "then they can find a policy that fits their needs."

IDG staff contributed to this article.
