Ashley Madison hack illustrates why third party cyber- liability is as uninsurable as IPR theft

A couple of weeks ago I blogged on why insurers regard Big Data as the new asbestos: the source of massive claims triggered by the leakage and legacy of a useful but widely misunderstood and mishandled technology. I referred to the importance of the Long Finance study on cyber reinsurance that was about to report.

The report is now available on-line and I strongly recommend that CIOs (let alone CISOs) read it before it is drawn to the attention of their CEOs and main board directors by the company secretary. The Lloyd’s Market Association Cyber Attack Exclusion Clause (CL380) and the Non-marine Association’s Electronic Data Exclusion Clause NMA2914 probably mean that the organisation is no longer covered for cyber-risk. Serious cover for cyber-related property damage, business interruption and third party liability is difficult to obtain at reasonable cost, especially for a financial institution or an on-line retailer. Damages for the theft of intellectual property are also probably uninsurable.

The John Herrman’s blog entry “Welcome to the first day of the rest of your internet“, takes quick look at the consequences of the on-line posting of the data hacked from Ashley Maddison . These can be placed in context by the growing press cover of the leaked details. for analyses. The potential for legal action illustrates why the cyber insurance now on offer (sometimes called “cyber gap insurance“) is commonly now confined to the legal and administrative costs of notifying customer in the event of a breach market and/or the implementation of a pre-agreed incident management plan. The total UK cyber insurance premium income for this market is said to be little more than the $148 million (barely 25% of which was covered by insurance) of provisional costs included in Target’s second quarter results last year for a single data breach.  Those who think insurers will be impressed by “maturity models” should consider the way that Apple’s controls were bypassed in the course of the Celebgate affair. They are more concerned about who might attack the organisation and/or system and why.

Now let us look at the growing scale of the breach of the US Inland Revenue Service systems. The underlying causes of the feuds between the Government Data Service and the rest of Whitehall become to become apparent. The enthusiasm of the GDS greatly impressed the  the digerati but not those concerned over the potential of using services like Verify to aid  serious fraud or their ability to more reliably identify the socially and digitally excluded or semi-literate (i.e. users aged more than about 35, let alone those over 65) than the derivations of the legacy alternatives used by the banks and those handling medium to high value transactions.  

How long will it be until evidence of the growing erosion of confidence in the security of the on-line world , coupled with the inability to insure against third party liability, leads to serious collective attempts to provide users with the protection they want.  Until then the arguments in the Long Finance report for a Cyber-Catastrophe Re-insurance pool (to handle systemic risk) should concentrate the minds of those, like main board directors, who are being expected to take responsibility for the irresponsibility of digital enthusiasts.who have forgotten the need for “user friendly” systems that are secure by design – not by afterthought or accident.