Viruses affecting the human body have been the hot topic of most conversations for over two years. However, the digital world is not spared from “viruses” either, and these affect other aspects of human life. Many kinds of malware used in cyber-attacks are designed to damage, disrupt, hack, or block a device, or to encrypt or lock data, and they can cause enormous damage in both the private and the public sector.
Such attacks target either operational technology (OT) or information technology (IT). One of the most famous pieces of malware aimed at operational technology was unquestionably the infamous Stuxnet, detected in 2010. Its goal was physical impact, which it achieved, reportedly damaging one-fifth of the nuclear centrifuges in the Iranian Bushehr nuclear power plant.
A recent IT attack that gained global attention was the pro-Russian attempt to disrupt voting for the Eurovision Song Contest, as reported by the Italian police.
Rather than physical destruction, malware aimed at IT targets business financial data, customer databases (including personally identifiable information), customer financial data, intellectual property (such as trade secrets or product designs), access to IT infrastructure, and so on.
Hackers are very imaginative in creating ever more sophisticated malware and diverse methods of extortion, one of which is so-called double extortion. With this method, the initial encryption of data is followed by a further form of extortion and by attempts to delete backups, making it more difficult for businesses to recover their data.
Another aspect of data safety to be considered is remote work. Even before the lockdown, an increasing number of people had realized they could work from home or from different parts of the world. As convenient as this may be for personal life and for doing business while traveling, the danger of data loss has increased as a consequence. People can lose devices, or data can be stolen over an insecure network. However, it is not just remote work that poses an increased risk. The risk of cyber-attack exists wherever devices containing information are used, and it is even higher when the information is of particular interest to the attacker.
As damaging as cyber-attacks can be to businesses, losses from such events are often excluded from a general liability policy. However, the insurance market is increasingly recognizing the need to insure against events caused by cyber-attacks. The multiple losses arising from such an event can cause immense damage to a company as well as to third parties, especially when data is involved. Cyber insurance policies often provide the following coverage options: business interruption, notifying customers about a data breach, IT forensics, cyber extortion, litigation expenses, regulatory defense expenses and fines, reputational losses, restoring the personal identities of affected customers, and recovering compromised data.
It is also important to examine the territorial scope of a cyber insurance policy – not only because employees holding important information may be located in different parts of the world, but also because businesses themselves may store data in different places around the globe.
In the EU, the General Data Protection Regulation imposes additional obligations intended to improve the protection of systems that hold data on natural persons, including the duty to inform the competent authority in the event of a breach. Cyber insurance policies differ significantly in whether they cover penalties imposed by the authority following a cyber-attack, and some require that the authority initiate a formal procedure before the insurer will pay the damage.
Finally, in light of the ongoing political situation, it remains to be seen how cyber insurance will develop further with regard to cyber-attacks carried out by organizations or other states, and how the exclusion of war risks will be interpreted legally.
By Janica Rakoci, Associate, Ostermann & Partners