Sat | Jun 19, 2021
ADVISORY COLUMN: RISKS & INSURANCE

Cedric Stephens | Cyber insurance can help

Published: Sunday | May 30, 2021 | 12:09 AM

Tanker trucks are parked near the entrance of Colonial Pipeline Company on Wednesday, May 12, 2021, in Charlotte, North Carolina. The American company reportedly paid a US$5 million ransom to hackers, who had taken control of its computer systems.

Today’s article, even though it was conceived last November, is the by-product of a piece that I wrote in this newspaper 11 years ago titled ‘Many Dangers Lurking in Cyberspace – Managing the Threats’.

Joseph Steinberg, one of 28 people worldwide to hold the four-suite advanced information security certifications, said in his book Cybersecurity for Dummies, published in 2020, that hardly a day goes by without a news item about a data breach, cyberattack or the like. According to estimates from Cybersecurity Ventures, companies around the globe fell victim to such attacks every 14 seconds on average in 2019. Jamaica and the rest of the Caribbean are no exceptions.

David Noel, former president of both the Jamaica Bankers Association and Scotia Group Jamaica, said in May 2019 that hackers were “siphoning off J$4 million monthly” from local banks. A year later, regional telecom provider Digicel shared the findings of its survey of 320 customers in Barbados, Jamaica, and Trinidad & Tobago. Hacking – the unauthorised access to or control of computer network security systems for some illicit purpose – spiked during COVID-19. Banks were the main targets. The Jamaica National Group said on March 14 last year that it was the subject of a ransomware attack. Three months later, The Gleaner reported that hackers disrupted the operations of the Montego Bay entity, Build Expo & Conference. The reputations of the organisers were threatened unless a ransom of US$3,000 was paid.

The 2019-2020 cyber incidents were foretold by legislative and other changes. A new law, designed to facilitate the electronic sale of goods and services, The Electronic Transactions Act, was passed on April 2, 2007.

In 2009, police reported “an average of 10-15 cyber-related incidents per month”. There were also more reports about computer systems being “compromised through network intrusion, data interception, data and identity theft”. In 2009, a 26-year-old student hacked into a telecom provider’s computer system and stole J$10 million in call credit.

In March 2010, Parliament passed The Cybercrimes Act.

On June 12, 2020, the Senate passed The Data Protection Act. The law will impose a series of measures to safeguard the privacy and personal information of citizens. In February 2021, the Ministry of National Security’s Cyber Incident Response Team raised the island’s cybersecurity threat level for government computer systems to ‘high’. The new threat level followed the discovery of weaknesses in the JamCOVID app and website, which were being used to store critical data about travellers and COVID-19 patients.

Columnist David Jessop, writing in this newspaper on May 9, 2021, argued that cybersecurity is an unavoidable regional priority. “That the threat in a Caribbean context is real, should by now be beyond doubt.” That article is a reprise of one he wrote in August 2015. In it, he listed several cases where Caribbean governments and companies were subjected to cyberattacks and cybercrimes. He also cited evidence suggesting that the region was increasingly subject to these attacks.

On May 7, 2021, cybercriminals used ransomware – malicious software designed to block access to a computer system until a sum of money is paid – to breach the computer network of Colonial Pipeline, which operates a 5,500-mile pipeline that provides the US East Coast with 45 per cent of its fuel. The pipeline, which carries gasoline, diesel, and jet fuel from Texas to New York, was closed as a result of the attack. Gas prices in states near Texas rose eight to 10 cents per gallon as a result of the pipeline closure.

Colonial Pipeline Company paid almost US$5 million to regain access to its computer system.

Is insurance available to protect against the ‘enormous’ cyber risks that Steinberg referred to in his book? Which companies offer this kind of coverage? What is the scope of protection that is being provided? What are things that are not covered? What are the costs involved?

When the Jamaican Insurance Act 2001 was being drafted, cyber risks were never contemplated. Because of its novelty and the complexities involved in this still-evolving class of risks, that issue will be dealt with in part two of this article. I shall also review the CyberPro 2.8 Insurance Policy that British Caribbean Insurance Company is offering to regional consumers in association with specialist underwriting syndicates of the 335-year-old global insurance institution in London, Lloyd’s.

I aim to give readers an understanding of the protection which is being offered. BCIC, to my knowledge, is only one of a handful of locally registered insurers that have recognised the enormity of the threats that are posed to all segments of the community – government and private sectors, big and small – and have taken concrete actions to find a solution.

I have often criticised insurers and intermediaries for ignoring the Financial Services Commission’s 2019 Market Conduct Guidelines. The CyberPro 2.8 Insurance Contract shows what compliance with Section 6.0 of the rules looks like.

Managing the risk

Ted Ginnis, content specialist at the Global Association of Risk Professionals in New Jersey, wrote in February 2021 that while “there is no silver bullet for eradicating cyber risk, cybersecurity insurance can help protect against the financial fallout from cyber incidents – including data breaches, network damage, business interruption, legal fees, and even ransom payments. When a covered event occurs, the insurer assesses the damage and either pays out or arranges for vendors to assist the policyholder in restoring its business. Like any form of insurance, the language of the policy dictates whether an event is covered and, if it is covered, the required compensation.”

Developing an understanding of cyber insurance begins with becoming familiar with certain words and concepts. For example:

• Cybersecurity is a subset of information security that addresses information and information systems that store and process data in electronic form. Information security covers the security of all forms of data (for example, securing a paper file and a filing cabinet);

• Cybersecurity is dynamic;

• The Internet is a major conduit for cyberattacks;

• Remote access to computer networks has substantially increased the probability that malign persons and states will gain access using a variety of methods and carry out their nefarious activities;

• From the examples cited above, no computer system is immune from cyberattacks.

Many experts, including Sean Thorpe, head of University of Technology Jamaica’s School of Computing & Information Technology, say that to help prevent attacks, businesses need to make cybersecurity a top priority. Working with cybersecurity experts to conduct a risk assessment, holding consistent training for employees, and conducting quarterly testing of internal and external networks can help make organisations less vulnerable to attacks. For smaller companies that may not have the resources to retain the services of an expert, Mr Steinberg’s book is an excellent place to start. It helps readers to understand the basics of cybersecurity and insurance to protect themselves.

Cedric E. Stephens provides independent information and advice about the management of risks and insurance. For free information or counsel, write to: aegis@flowja.com