It’s been described as possibly the largest data hack of all time.
On Thursday, technology-giant Yahoo revealed that user information belonging to around 500 million accounts had been stolen by a “state-sponsored” actor.
The breach may come at a hefty cost for Yahoo, which is currently in the midst of a multi-million-dollar acquisition by telecommunications company Verizon, and it also raises a number of questions about how companies can – and must – protect themselves against the risk of cyber-attacks.
“We’re talking about Yahoo – which at one time was the most visited website in the world – which means from a technology perspective you would expect them to be all over anything related to loss of consumer data,” Jamie Bouloux, CEO, EmergIn Risk, told Insurance Business.
Whilst the leak only came to light last week, in its statement Yahoo revealed that the breach happened as far back as 2014.
“For a tech company, that was the largest of its time, how do you not realise that it happened over two years ago?” Bouloux questioned, adding that this gap in realisation has implications for any insurance policy.
“The automatic response is the [issue of] retroactive dates for coverage, and ultimately how do they expose you moving forwards – because this breach happened in 2014,” Bouloux explained.
“We accept that a lot of the time companies don’t realise that they have been hacked or had an event until at a minimum three-six months after, but for it to be a 500 million record breach and for it to come to light two years later – that’s a first, really. And quite shocking.”
So would Yahoo’s breach be covered by a cyber policy, and what can the industry learn from yet another large-scale breach?
If the company has cyber coverage, it will ultimately come down to when they bought the policy, whether they were aware of the event before notification, and when the retro-date starts, Bouloux explained.
Nick Beecroft, director of product innovation and strategy at Sciemus, said the hack is “another reminder of the need for businesses and insurers to improve our understanding of cyber risk exposure,” adding that the challenge for insurers is to continue to develop products and underwriting approaches that can match clients’ exposure to sophisticated threats.
With the sheer scale of the Yahoo leak, and the increasingly complex style of hackings, are some companies just too big to insure?
“Some companies are so data-dependent, and hold so much, that it’s an exposure – it’s something they need to be aware of, and that we need to be aware of as we continue to underwrite them,” Bouloux suggested.
Ultimately, whilst Yahoo’s breach is the biggest yet, it’s unlikely to be the last.
Daniel Carr, director of cyber security at Sciemus, called the breach a potential “watershed moment in cyber security,” adding that large organisations need to expect more extreme cyber events in the future, and not rely on history as any kind of accurate guide to the future.
“We assume that a company like Yahoo uses the best protocols and technology to protect its information,” Bouloux said. “So if that kind of data breach can occur within their infrastructure, what does that mean for other organisations?”