The recent hacking of the Ashley Madison website has made the controversial affair-inciting website a ‘poster child’ for cyber liability, according to a NZ-based cyber risk expert.
The company that owns Ashley Madison, Avid Life Media, faces ‘absolutely catastrophic’ consequences, according to Delta Insurance general manager Craig Kirk, who was speaking on the subject of cyber risks at the New Zealand Insurance Law Association (NZILA) conference this month.
The site has 100,000 subscribers in New Zealand, and to illustrate the attack’s far-reaching effect, Kirk estimated there could even be 10 members of the website in the audience.
“There are consequences for the subscribers, not just a frosty situation on the home front, and the consequences for the company are absolutely catastrophic,” he said.
“They’re already facing class actions in the USA and Canada, hundreds of millions of dollars in damages claims, by these members who’ve lost reputation, suffered financially, losing relationships and bringing claims primarily based on a breach of privacy law breached across jurisdictions.”
He added that regulators are also getting on the bandwagon, with even the New Zealand privacy commissioner making public statements about it.
“The interesting thing about this case is obviously it’s pretty colourful and controversial but I think it’s going to be groundbreaking in many ways based on its size and the international scope of it. It’s one to watch quite closely.”
Kirk went on to explain why such things are happening, which he said was down to the proliferation of the internet, the amount of data and the number of devices in use.
In 1992 there were one million computers connected to the internet. In 2013 that had grown to five million and Kirk quoted research that estimated there would be 50 billion devices by 2020.
He said the amount of data would grow 10 times from 4.4 trillion gigabytes in 2013 to 44 trillion by 2020.
With the growth of the Internet of Things, where anything from home products to power stations and traffic light systems are connected to the internet, Kirk admitted it ‘scared the pants off him as an underwriter’.
“It’s a whole world of risk that we’ve barely seen the start of.”
He said the four cyber insurance offerings in the New Zealand market were untested as yet.
He added that the regulatory framework in New Zealand was behind many international counterparts and while the government was being proactive by setting up the National Cyber Security Centre and initiating Connect Smart, the legislation was outdated and didn’t support what was needed for these modern times.
As part of the presentation, Minter Ellison’s Leah Mooney outlined some of the happenings in Australia as a comparison.
She said Australia had had a ‘softly softly approach’ so far regarding penalties under the Privacy Act since its introduction 18 months ago.
She said boards are expected to take cyber resilience very seriously and failing to do so could be a breach of the Corporations Act in Australia.
“There’s an opinion in Australia that a failure to ensure cyber resilience or even take out cyber risk insurance would ultimately become an exclusion under D&O policies,” she said.
She said Australia did not have mandatory notification of data breach yet, but she expected there would be a significant uptake of cyber policies in Australia when it did.
“An increase [in the uptake of cyber policies] began from the Privacy Act introduction and I would expect the same in New Zealand.”
Mooney said that like in New Zealand, the majority of claims paid to date had been in relation to first party costs and that now was a good time to buy cyber insurance, before claims start rolling through.
“Policies are excellent value at the moment. There are a number of insurers who are offering targeted SME cover and receiving a lot of claims and paying out those first party expenses, so I don’t think it’s going to get cheaper, now’s the time to jump on board.”
Mooney also outlined the five basic pillars of cyber resilience planning which she would run through with clients:
- Conducting contractual review – what the allocations of risks are contractually;
- Identifying and protecting critical data;
- Employee investment – ensuring they are invested in the success of the organisation;
- Software – ensuring directors understand, not just the IT department;
- Cyber risk insurance – get the right policy then the breach process is done for you.