Cyber Insurance, Privacy and Data Security Newsletter - August 2014
Published 20 August 2014
Cyber-attacks remain a regular feature of news headlines. This month, reports circulated that Russian hackers have allegedly carried out the world's biggest ever data theft, amassing 4.5 billion user credentials. The hack was identified by US security experts Hold Security and, if true, could be the largest publicised breach in history.
The hackers allegedly used a botnet network (a group of virus-infected computers controlled by one criminal system), which used victims' systems to identify weaknesses in websites they visited. The hackers did not have specific targets, rather they targeted every site that the victims' systems visited.
The names of the companies affected have not yet been released, but allegedly 420,000 vulnerable websites were exploited, including some household names. Of the 4.5 billion stolen records, it is estimated that 1.2 billion are unique. Reports from one insurer this week estimated that the attack could cost more than £1.4 billion.
Hacking attacks of this nature could involve multiple network intrusion events over a sustained period of time which each result in separate thefts and data breaches. These in turn could give rise to multiple first party losses and costs, third party claims and regulatory investigations. In light of the potentially huge exposures, cyber insurers would be wise to check their insuring clauses and aggregation wordings.
This incident should prompt insurers to review how their cyber policy limits and deductibles are applied. Are there aggregate limits, or do the limits and deductibles apply on an any one loss basis? Where there is provision for aggregation, does this apply to series of "events", "occurrences" or the same "originating cause". These factors will have a significant impact on insurers' overall exposure. If cover has been placed in layers, the position adopted on aggregation issues can generate tensions between different insurers, who may require independent advice.
Whether or not this Russian hack is genuine, it is yet another reminder that cyber security should remain a top priority for all companies as hackers engage in bigger and more complex tactics in order to harvest massive quantities of user credentials for financial gain. Companies should ensure they have adequate security in place in relation to the amount of data they hold, and, very importantly, should have a plan in place to deal with a breach. Increasingly, companies should be preparing for the situation when, not "if", a breach occurs.