Marriott breach underlines cyber-risk scale
A major data breach reported by hotel giant Marriott International a week ago, with up to 500 million customers potentially having their personal information exposed, has underlined the scale of cyber-risks that businesses face.
Against that backdrop, a panel of experts at the International Cyber Risk Management Conference in Bermuda discussed the evolution of cyber insurance products and buyers.
“It's not an emerging market any more. It is here, we've got to deal with it, especially from the perspective of the small to medium buyer. Legislation and the cost of these events is driving this market,” said Grainne Richmond, vice-president of Dyna Management Service Ltd, who was the panel moderator.
Technological changes, including the Internet of Things, artificial intelligence, and blockchain were identified as elements that will drive the sector forward, as was the evolution of cyber-risk threats, in particular unintended consequences and the impact of regulation.
Sarah Spurling, senior vice-president, professional lines, at Sompo International, noted the increasing number of high-profile and high-cost cyberbreach insurance claims, such as those involving US retail chain Target, and Southwest Airlines.
She said the Marriott event, reported on November 30, also showed that claims are edging into other areas of insurance, specifically directors-and-officers insurance.
“Within hours of the Marriott breach being announced, there was a D&O suit filed,” she said.
“It is worth mentioning NotPetya, a 2017 malware event, a state-sponsored event that was focused on Ukraine. It highlighted the severity of the business interruption risk potential. There were a lot of unintended consequences from that attack. Companies that never thought they were at risk were being thrown under the bus, so to speak. It also highlighted some of the long-term nature of some of these BI (business interruption) events.”
Ms Spurling said another aspect of the evolution of cyber insurance was the changing regulatory environment, notably the introduction of the General Data Protection Regulation in Europe in May, which carries potential fines of up to €20 million, or 4 per cent of annual worldwide turnover. She said the fines so far have generally been focused on smaller organisations “that you would not think were at risk”. She said that had opened people's eyes to the fact that it was not just a concern for bigger organisations.
With California set to introduce its own state data protection legislation — the California Consumer Protection Act — in 2020, others are expected to follow.
Ms Spurling said: “We have the CCPA, GDPR, the potential [of other] new state legislation coming out; the resources and cost for companies to be compliant have risen exponentially.
“There is just not the depth of knowledge to price these things appropriately, and that has impacted where the coverage is today. All these things are culminating in getting the attention of the board of directors.”
Giles Harlow, senior vice-president, professional risk solutions, Aon, said there has been a change in attitude by businesses towards cyber insurance. Whereas four or five years ago IT departments within many companies were confident they had the controls and security to safeguard against cyber-risk, that attitude has changed.
Mr Harlow said: “We have seen a lot of people who really had it buttoned up, still have a breach.”
He said the conversation had shifted as it has become clear that no one is invulnerable to the consequences of a cyberbreach.
Ms Spurling noted the increased hiring of chief information security officers. She said: “Before it was just the large organisations; now you are seeing companies hiring CISOs and putting someone responsible for their company's cybersecurity across the board in organisations and industry classes you've never seen [that happen] before, in manufacturing and law firms.”
She also believed that a NotPetya event happening in the West would cause “a huge shift in the mentality” towards cyber insurance.
Mr Harlow likened a NotPetya attack to “having a fire in your warehouse. You had to rebuild it all”.
He said the NotPetya attack showed that a cyberattack did not only affect businesses that held data, but could affect anybody. “No one was thinking you were going to be out for three months from a cyber attack — from a business interruption point of view.”
Also on the panel at the opening session of the ICRMC event were Chris Jansma, senior vice-president, professional liability at Markel, and Darius Delon, president of Risk Management 101.
Mr Delon said the increase in regulations has caused greater recognition by company directors of the need to purchase cyber insurance. He was surprised that Marriott had held on to guests' passport details after they had stayed at hotels within the Starwood chain, which includes St Regis, W, and Le Meridien. Marriott has announced it will pay for new passports for any of the customers whose personal information was exposed in the data breach.
Mr Delon said: “With Marriott, I was surprised to see that they actually hold passport data. My first thought was just destruction of data. You don't need it except for a couple of days during a stay — why are you retaining it?”
He suggested it might be wiser to have further controls over data and to “only hold what you need”, both to reduce the exposure from a breach and to be better prepared to deal with one.
Ms Richmond, alluding to last year's “Paradise Papers” investigation that involved some confidential information taken from law firm Appleby, said: “It was a huge eye-opener for the smaller independents to ensure that they do have cyber insurance. It was a huge wake-up call.”
The two-day ICRMC event at the Hamilton Princess and Beach Club concludes today.