D&O liability in data privacy and cyber security situations in Asia
November 2013 | TALKINGPOINT | RISK MANAGEMENT
FW moderates a discussion on D&O liability in data privacy and cyber security situations in Asia between Ian Pollard at AIG, Murray Wood at Aon Singapore (Broking Centre) Pte and Aruno Rajaratnam at Ince & Co.
FW: In your opinion, what are the key risks to D&Os arising from data and security breaches in Asia? Could you outline any recent ‘cyber liability’ cases of note?
Pollard: A data and security breach can have serious operational, financial, legal and reputational implications for an organisation. Most digital risks fall into the category of operational risk, which is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. The average cost of a network security breach is US$7m. When a breach occurs, organisations may also suffer from financial loss from fraud and theft, or from the inability to operate business processes, such as taking and fulfilling orders or running the manufacturing processes. There may also be costs associated with compensation claims relating to privacy breaches. In addition, if product plans, marketing plans or critical intellectual property to competitors are compromised during a breach, such losses can seriously damage a company’s ability to compete. If an organisation is shown to be incompliant of its regulatory requirements after a breach, it may incur hefty sanctions or fines. In terms of reputational risk, due to the public visibility of a data breach, an organisation encounters what most believe is the greatest risk – damage to the company’s image, brand and reputation.
Wood: The risks associated with data and security breaches for directors and officers are increasing in frequency and severity. In comparison with a security breach, a data breach is a more defined peril, typically involving customer data being compromised. With a raft of new laws across Asia, the consequences of a data breach for a company and its directors and officers are now quite tangible. You need to consider the cause of a data breach, be it accidental, intentional or malicious, before drawing any conclusion on the risk outcome. Potential risk outcomes may include: increased cost of working, mandatory notification requirements, imprisonment, fines and compensation. A security breach on the other hand, typically associated with malicious events, has a far wider set of consequences, exposing a company’s network to unauthorised access risks including loss or theft of corporate information, including customer data, extortion and more. In terms of recent cases, the Korean SK Communications data breach incident resonates most strongly as having a combination of unintentional conduct, hacking, class action equivalent litigation and damage awards per customer consistent with international standards.
Rajaratnam: In my opinion, the key risks for Asian based D&Os from a data breach are not significantly different from the key risks in countries like the US, UK, Europe or Australia. The main areas would be regulation and compliance, business income loss, actual disruption of operations, reputational loss, legal defence costs for data breach suits, and restoration and remedial costs. D&Os of government or statutory bodies seem to be more concerned with data breaches relating to employee information whilst D&Os of private entities are concerned with customer data breaches. As for recent incidents in Asia, two come to mind. First, South Korea was hit on 20 March by a major cyber-attack that paralysed the banking networks of three major Korean banks and the country’s two largest broadcasters. Second, a recent incident involved India, the Middle East and the US with an international gang of cyber criminals successfully breaching the security of National Bank of Ras Al Khaimah PSC (RAKBANK) and Bank of Muscat Oman. This was a US$45m ATM heist which happened when the gang managed access into the computer systems of Pune (India) based ElectraCard Services, which provides credit card payments processing services for the RAKBANK.
FW: What steps can D&Os take to prevent data breaches and cyber intrusion? What are the particular challenges and costs associated with mitigating these risks?
Wood: Given government agencies, with some of the most sophisticated network security systems in the world, have disclosed major hacking incidents, it is easy to develop a sense of helplessness on the subject of prevention. That is not to say that a firm should not invest in network security. On the contrary, Aon strongly advocates best-in-class risk management and mitigation strategies. There is, however, an increasing sense of inevitability to a cyber attack at some time in a firm’s history. Regular testing of data privacy training programs, understanding data collection methods, usage and transmission, compliance with the laws are all integral components of data breach prevention initiatives. These initiatives are internally focused and more effective in mitigating accidental breaches, but intentional and malicious breaches present a greater risk management challenge.
Rajaratnam: D&Os today must understand that cyber incidents are an evolving exposure. D&Os have been warned very often lately that the responsibility for managing cyber risks extends beyond the risk manager and IT department. It is an issue that must be managed throughout the organisation with top management supervision. Just as in the case of the US or UK, the following also apply to Asian D&Os. Most Asian D&Os do not understand their company’s cyber issues. Most insurance risk managers do not work closely with their IT departments. Most do not have clear information about their company’s cyber risks and are therefore unable to appraise their D&Os about management of these cyber risks. They have not been able to quantify the financial impact of potential cyber issues and, hence, fail to propose a cyber liability insurance program. D&Os should demand regular reports from senior management on privacy and security risks. They should recruit directors with IT governance and cyber security risk experience. D&Os should take an interest in their company’s insurance policies to determine whether, and to what extent, they have coverage in the event of a cyber attack or breach and ensure appropriate levels of insurance coverage are maintained.
Pollard: D&Os need to make sure their organisation prioritises and assesses cyber risk alongside other organisational risk. They then need to ensure that their organisation has a holistic risk management program in place to prevent and mitigate a data breach or cyber intrusion. When forming the holistic risk management program, the organisation should look to partner with trusted consultants, vendors and insurance carriers to ensure that from the assessment phase pre-breach to the response services during, and remediation after, their organisation is well protected and serviced. If an organisation does not sufficiently protect itself, an intentional or unintentional cyber threat can have serious operational, financial, legal and reputational implications.
FW: How should firms in Asia respond when they fall victim to cyber-crime? What steps should D&Os in particular take in the early phase following such an occurrence?
Rajaratnam: Attacks must be immediately reported to the police in the country to initiate a proper investigation. Some Asian countries have laws in force for criminal investigation and prosecution. A good example is Singapore’s Computer Misuse Act which was introduced in 1993, which covers the criminal misuse of computers and computer related technology and has extra-territorial effect. A comprehensive post-event assessment will provide an excellent financial basis for the D&Os, providing a catalyst for board attention. This type of assessment and valuation will also support the police investigation and claim preparation. Also, it is inevitable that the cyber crime incident will affect numerous business operations within the group. The havoc that is created will assist in highlighting the interdependencies between business units and IT systems. There is always a better way to react in a post-event situation.
Pollard: Organisations should have in place strong business continuity plans, especially if mission critical systems should fail in the event of a network security failure. Keeping ahead of the curve and buying comprehensive cyber insurance through their insurer or broker is of course a good first step. But organisations – through cyber policies or independent thereof – should have on hand access to a number of key experts in the event the worst should happen. Proactive forensic services can identify whether a breach of data security has occurred and what caused it, and includes advice on how to mitigate or prevent breaches. Data crisis response provides specialist access to, and direct assistance from, specialist expert legal and public relations advisers in the event of a data crisis event, to protect the insured’s reputation.
Wood: A well prepared firm will have already undertaken pre-breach response planning so that all the stakeholders, from the board to the IT team and others are all prepared. When a situation does arise, the firm will need consider containment and remediation strategies. An analysis of the scale of the breach, including the impact on the firm’s business continuity, brand and financial consequences, as well the impact on customers and counterparties, including vendors, will be required. The firm will need to assess the legal implications and notification protocols with relevant legislative requirements and regulatory directives. Ultimately, the communication plans require proper activation and engagement across the firm to have the necessary effect.
FW: What legal and regulatory issues are affecting the ways companies manage data and approach cyber security? How constructive, in your opinion, is government guidance regarding cyber security risks and cyber incidents across Asia?
Pollard: As the digital world continues to grow, the legal and regulatory environment is racing to catch up. In Asia-Pacific, regulators in Korea, Hong Kong, Malaysia, Taiwan, Australia, the Philippines and New Zealand are reviewing current legislation, introducing new legislation or introduced legislation in the last 18 months around cyber security. The United Nations Executive Board (CEB) has given high priority to cyber threats, agreeing to establish a formal framework for harmonising an UN-wide strategy for dealing with cyber security and cyber crime. However, international bodies cannot act in isolation. Private sector participation is needed: experts in large IT companies can provide specialised skills and insight into the security frailties of the industry, academics can provide a thought leadership perspective, and organisations that are dealing with day-to-day problems can provide practical insights into addressing cyber risk.
Wood: Many countries in the region have now adopted data privacy laws with consistent themes on rules and enforcement. There is no one standard, but the concept of a privacy commissioner being introduced is more common. Consequences for data privacy breaches range from criminal, regulatory and civil actions with prescribed fines and penalties, imprisonment and mechanisms for compensation, including legal assistance for individuals. Laws that govern the collection of data are in place, including security standards, wrongful disclosure, subscriptions, direct marketing including ‘do not call’ registers and data usage for financial gain. Government guidance on the issue of cyber security is less consistent across the region, but we are aware for certain highly regulated industries such as the financial services sector that there are compliance obligations with regulatory notices on technology risk management practices.
Rajaratnam: I believe that legal measures are crucial to the prevention and combating of cyber crime. Legal measures help countries to respond to new security challenges like cyber crime and provide the appropriate balance between privacy and crime control. Asia is catching up with the West in this regard, with organisations like the Asia Pacific Economic Cooperation (APEC) Privacy Framework. This Framework is encouraging the development of appropriate data protection policies and laws following the Organisation for Economic Co-operation and Development (OECD) using the European Data Protection Directive. There is also another body, the Asia Pacific Privacy Authorities (APPA), which is the principal forum for privacy in the Asia-Pacific region. It is working to unify local privacy laws. Until a uniform and clear approach is taken on privacy laws, there is bound to be conflicts in laws and legal implementation. This can frustrate both the D&Os and their insurers in Asia.
FW: What insurance solutions exist for D&Os, in connection to cyber security and data breaches?
Wood: When dealing with insurance solutions for directors and officers, the starting point for any discussion is D&O insurance. D&O insurance covers a wide range of civil liability risks associated with the discharge of the duties of a director or officer. In the context of data privacy breaches, the risks associated with litigation may extend beyond the firm and capture directors and officers and other employees with specific statutory responsibilities under relevant laws. There is a regulatory focus with the imposition of fines and penalties. As a consequence, there should be a significant focus on whether fines and penalties are insurable. Aon has a Global Cyber Practice group promoting best in class insurance coverage developments to deliver the widest coverage to our clients. Clearly, there is scope for improvement in risk transfer solutions. The insurance market has responded to the growing cyber threat with the introduction of new risk transfer solutions by an array of product names including network risk, cyber insurance, data privacy protection and more. Notwithstanding the absence of consistent product branding, insurers are focused on the right risks. Aon’s view is that the insurer product offerings need to tick a few boxes including coverage for privacy liability, information dissemination liability, virus transmission liability, network intrusion, service interruption, glitches and extortion.
Rajaratnam: Many of the major Insurers in Asia have introduced insurance policies and coverages can vary greatly with each insurer. Brokers too have devised their own cyber insurance.
Pollard: While traditional Commercial General Liability, Property, Crime, Professional Indemnity and Kidnap & Ransom insurance may provide limited coverage for some losses arising from cyber attacks, the circumstances under which the policy will respond are likely to be narrowly defined, as are the scope of losses covered. There is a need to identify cyber threat as a new risk category, meriting its own bespoke insurance coverage, and not merely an incremental extension of existing risks. Applying an extension to an existing policy may be a short-term fix for a specific peril, but will not provide the array of diverse coverage that new cyber and network security products are beginning to address. Cyber coverage is usually provided in three parts – first-party, third-party and coverage for related issues. First-party is for direct losses experienced by the insured, such as recovering lost or destroyed data, notification, monitoring and forensic investigation expenses, and business interruption losses. Third-party coverage insures policyholders against losses incurred by customers, credit card companies and banks, and any legal damages that is third-party liability for privacy breaches; in addition costs for fines and penalties.
FW: What are your predictions for the cyber security landscape over the next 12-18 months? Do expect any further regulatory or legislative changes, and what will be the impact on D&Os?
Rajaratnam: I believe that Asian governments will watch what is going on in the US, Europe and the UK, and keep pace with legal measures. There will be more cooperation between friendly governments for cross-border implementation and investigations. There will be more amendments made to existing laws, especially development of more stringent breach notification laws similar to the US, including knowledge sharing of information about cyber incidents and industry specific vulnerabilities with friendly allies or economic groupings; and implementing bilateral and multilateral arrangements to improve countrywide and regional cyber security. Asia has been identified in several studies as the hotbed for cyber attacks. D&Os of Asian companies will certainly be impacted and must keep updated on the worldwide happenings and strengthen their internal procedures. With more insurers offering cyber insurance, the competition could benefit the D&Os in terms of cover and cost.
Pollard: My predictions around the security landscape over the next 12-18 months are as follows. First, major financial and infrastructure disruption. We haven’t seen a major global catastrophe, disaster or financial collapse as a result in a cyber security failure. I think this is only a matter of time. Major technology and communication trends like cloud computing, mobile devices, and social networking provide more entry points to digital data, and accordingly, increased risk and will make this type of high profile event inevitable. Second, all industries will continue to be impacted. This includes organisations from government departments to education institutions, research companies, and commercial enterprises big and small – from big banks to cosmetic companies and small retail shops. Businesses need to be prepared for cyber threats and have a defence plan in place to protect against malicious and non malicious attacks. Third, cyber risk insurance will change. Some commentators put the cyber insurance industry at more than USD1bn globally. This will rise to US$3bn as insurance purchase becomes common across Europe and Asia-Pacific. Over the next 18 months this type of insurance will become a common purchase for companies in the Asia-Pacific region with both multinational and SMEs looking to purchase. Insurance solutions will become more proactive providing assistance to companies, directors and officers wanting to stay ahead of the curve with new educational risk tools via applications, risk management portals and risk tools – and greater access to pre-emptive technology hardware, solutions and experts, rather than a base insurance policy or promise.
Wood: In the 2013 Aon Global Risk Management Survey, we observed that amongst all risks facing organisations today, cyber ranked 18th globally and 37th in the Asia-Pacific region. Yet for banks, cyber ranked as the 5th most significant risk in 2013. Whilst banks are a high profile cyber target, cyber risk is pervasive across all industries. Based on current trends, frequency of cyber events impacting Asian firms will increase. This will fuel demand for better insurance solutions and in turn, drive the supply of new and improved insurer product offerings. Whilst a number of countries have introduced privacy laws, there are others pending, so expect more movement on that front. It is quite possible that we will see more legislative and regulatory focus on the network security side of this discussion. Cyber and data privacy risk is getting more air-time with directors and c-suite executives across Asia, which is important for the protection of their firm’s assets and equally so in demonstrating the proper discharge of their duties as directors and officers. The question that lingers is whether that is sufficient.
Ian Pollard is a senior executive with AIG and a member of the Asia Pacific senior leadership team. He has worked for AIG for nearly 14 years and during that time held a range of executive positions that took him from London, to Hong Kong, Singapore, New York, and Auckland. Currently Mr Pollard heads the Professional Liability Insurance business for the Asia Pacific and Far East regions – a role he has held since mid 2011. This position has given Mr Pollard insight into the range of cyber attacks commercial organisations are experiencing and the costs that result. He can be contacted by email: firstname.lastname@example.org.
Murray Wood is the Regional Managing Director for Asia at Aon Risk Solutions and is responsible for the Financial Services & Professions Group for Aon Asia. He has worked in the insurance industry for over 25 years, 20 of which have been with Aon in Sydney, London, Hong Kong and Singapore. Mr Wood has maintained a dedicated focus on the financial lines insurance market since 1986 and has had high level exposure to a full range of client, broking and claims issues for many leading corporations throughout the Asia Pacific. He can be contacted on +65 66 450 116 or by email: email@example.com.
Aruno Rajaratnam joined Ince & Co in May 2012 as the financial lines insurance practice group leader for Asia based in the firm’s Singapore office. Ms Rajaratnam works with the firm’s existing financial lines team within and outside Asia, partnering with both the international and regional markets, as they continue to develop their products across Asia. As a key member of the firm’s expanding global practice, Ms Rajaratnam leads the team in building a high quality practice driven by expertise, in-depth market understanding and client service. She can be contacted on +65 6538 6660 or by email: firstname.lastname@example.org.
© Financier Worldwide
Aon Singapore (Broking Centre) Pte
Ince & Co.