The Singapore Law Gazette

Insuring Against the Invisible Threat in this Digital Age: Understanding Cyber Insurance

This article charts the evolution of cyber insurance in response to the growing global threat of cyberattacks amidst increasing reliance on digital technology, and discusses recent trends and developments in cyber incident response and in the legal and regulatory landscape, together with their impact on cyber insurers and organisations.

Introduction

  1. The rapid digitalisation of the business landscape, further fuelled by the COVID-19 pandemic, has reshaped business priorities, with digital transformation now high on the agenda. Such transformation has allowed businesses of all sizes to expand their market reach, optimise operations and improve customer experiences.
  2. This digital revolution has also led to a proliferation of data, which has emerged as a valuable currency in today’s business ecosystem. While such data can be harnessed to enhance products and services, create personalised user experiences and enable advertising targeted at specific audiences, its unchecked collection and use also creates the risk of that data being exploited for malicious purposes by criminals, jeopardising individuals’ privacy and safety.
  3. This escalating reliance on technology, and the increasing value of the data collected, has introduced new vulnerabilities and risks for businesses. Cyberattacks, including but not limited to data breaches, have emerged as a serious threat, capable of causing catastrophic financial and reputational damage. This is illustrated by the case of CNA Financial Corporation, a Chicago-based insurer, which reportedly paid USD 40 million in ransom to the threat actor group to regain control of its network following a ransomware attack in 2021.[1]
  4. Cybercrime has become a lucrative industry for criminals. Figures cited by McKinsey & Company put the annual cost of cybercrime at USD 10.5 trillion by 2025, with a projected USD 101.5 billion in spending on cybersecurity service providers by the same year.[2] This growing trend of cyberattacks has not eluded Singapore: the Cyber Security Agency of Singapore reported a significant 54% increase in reported ransomware cases in 2021.[3] These figures are only expected to keep rising given Singapore’s high level of digital connectivity.
  5. As cyberattacks grow in sophistication and number, there has been a corresponding increase in demand for cyber insurance amongst businesses as part of their risk management strategy. In this article, we chart the evolution of cyber insurance, recent trends and developments in the cyber risk landscape, the corresponding impact on both insurers and insureds, and the future that lies ahead for cyber insurance.

Origins and Evolution of Cyber Insurance

  1. The concept of cyber insurance is relatively new in the world of insurance. The first known standalone cyber insurance policy is said to have been issued in the US by AIG in 1997, under the name Internet Security Liability Policy.[4] At that time, policies typically provided third-party coverage for claims arising from breaches originating outside the insured company, and first-party coverage was excluded. These policies were geared towards the Information Technology companies responsible for managing the networks and systems used by other businesses and consumers. The Internet was in its infancy and the uptake of cyber insurance was slow in those early days.
  2. In the early 2000s, the cyber threat landscape began to evolve. Network extortion events emerged (where criminals extorted money by threatening the company’s reputation with stolen data, or by corrupting data on the company’s network), and cyber risk policies expanded to cover a wider range of risks.[5] Uptake of these policies nonetheless remained limited, as businesses struggled to assess and quantify the risks associated with cyber threats.
  3. During the 2010s, the world witnessed a series of notable cyberattacks that captured global attention. Cyberattacks took many different forms, from malware and business e-mail compromise to distributed denial-of-service attacks. Cyber criminals continuously devised new methods to infiltrate and compromise businesses’ systems, specifically targeting large companies with significant market reputations in order to extort substantial ransom payments. Additionally, the General Data Protection Regulation (GDPR), which became enforceable in May 2018, expanded the regulatory obligations and exposure faced by organisations in the event of a data breach. Consequently, demand for cyber insurance surged among businesses, particularly for coverage of business interruption losses and ransom payments, propelling rapid growth in the cyber insurance industry.
  4. The COVID-19 pandemic then proved to be a pivotal moment for the cyber insurance industry. The pandemic compelled organisations to transition swiftly to remote work, leading to unprecedented use of unsecured networks, personal and mobile devices, and remote access to critical business systems. Cyber criminals capitalised on this, exploiting the vulnerabilities of insecure devices and networks, which resulted in a sharp increase in cyberattacks globally. According to IBM, the Asia-Pacific region accounted for more than 20 per cent of the incidents it remediated worldwide in 2022.[6] This brought significant attention to the perils of cyberattacks and underlined the importance of cyber insurance as part of an organisation’s risk management.
  5. Today, what sets cyber insurance apart is that it provides coverage for both first-party and third-party losses, the two essential aspects of a cyber incident. First-party coverage indemnifies the insured organisation itself for the costs and expenses it incurs as a result of the incident, such as incident response management and digital forensic investigation costs, ransom payments, business interruption losses and data restoration costs. Third-party coverage extends to liabilities arising from the impact of the incident on others, which can include legal costs, regulatory fines (to the extent these are insurable under the applicable law) and claims by affected individuals or businesses. Together, this cover addresses the multifaceted risks and consequences of cyberattacks, offering a valuable safeguard for organisations in today’s increasingly digital world.

Recent Trends and Developments

  1. As is evident from the above, the cyber risk landscape has undergone substantial change within a relatively short timeframe. Cyber criminals have become more organised, better funded and more technologically adept, leveraging cutting-edge tools and techniques to exploit vulnerabilities and launch highly targeted and complex attacks, often with devastating consequences. This rise in the frequency and magnitude of cyberattacks has had a ripple effect on cyber incident response, as well as on the legal and regulatory landscape, especially concerning data privacy. Below, we delve into some of the key trends and developments and their corresponding impact on cyber insurers and organisations.

Increase in Third Party Litigation

  1. With the increased frequency of cyber incidents, which often result in the theft, disclosure and exploitation of individuals’ personal data, there has been a global increase in third party litigation by impacted individuals seeking compensation for damage suffered as a result of data breaches. Australia, for instance, recently saw a data breach class action joined by some 100,000 impacted individuals following the high-profile cyberattack on Singtel-owned Optus.[7]
  2. In Singapore, the Court of Appeal heard the first private action under the Personal Data Protection Act 2012 (PDPA) in Reed, Michael v Bellingham, Alex (AG, intervener) [2022] 2 SLR 1156 (Reed v Bellingham). Under the PDPA, an individual who suffers loss or damage directly as a result of an organisation’s contravention of the Act has a right of private action against that organisation, and may claim relief by way of an injunction or declaration, or damages. The Court of Appeal in Reed v Bellingham clarified, inter alia, that the pre-requisite of “loss or damage” can include emotional distress. The Court of Appeal considered this “wide interpretation” of the phrase “loss or damage” to be appropriate, as it gives effect to Parliament’s intention of “[enabling] victims to obtain effective remedies for misuse of their personal data”.[8]
  3. Aside from litigation by impacted individuals, there has also been an increase in litigation by impacted businesses, partly driven by the rise in supply chain attacks, in which threat actors infiltrate a company’s systems through an external vendor or service provider that has access to the company’s systems and data.
  4. Given the rising costs of responding to a cyberattack, businesses are increasingly turning to legal recourse to recover those costs and expenses from the parties they consider responsible for the incident. One example is the recent case of Razer (Asia-Pacific) Pte Ltd v Capgemini Singapore Pte Ltd [2022] SGHC 310 (Razer v Capgemini). Razer (Asia-Pacific) Pte Ltd (Razer), a local gaming gear company, discovered a leak of its customers’ information, including but not limited to email addresses and order information, which took place between June and September 2020. Razer alleged that it suffered substantial damage as a result, including but not limited to forensic investigation expenses, legal costs, and reputational damage by reason of negative press coverage of the breach, resulting in loss of profits and the loss of a chance to secure potential business opportunities. Razer brought a High Court action against its information technology consultant, Capgemini Singapore Pte Ltd (Capgemini), for these damages, alleging breach of contract and negligence.
  5. On the facts, the High Court found that Capgemini was in breach of its consulting services agreement for failing to take appropriate technical and organisational measures to ensure the confidentiality, integrity, availability and resilience of Razer’s systems. In addition to the breach of an express term of the contract, the High Court found a breach of an implied term to exercise reasonable care. On this basis, Razer succeeded in its claim for breach of contract. Razer’s claim in negligence was also held to be made out. Razer was awarded a judgment sum of USD 6,518,738.81.
  6. This rise in third party litigation underscores the wide range of legal risks that organisations may face following a cyberattack. Such risks inevitably increase the third party litigation expenses incurred by organisations and, where there is coverage, by their cyber insurers. Organisations are accordingly having to take a more comprehensive and proactive approach to mitigating the potential legal fallout of cyberattacks.

Increase in Regulatory Scrutiny

  1. Data privacy has emerged as a top concern for regulators in the Asia region, sparking a wave of new or updated data privacy laws in over 20 countries in the region in recent years. This wave of regulatory reform shows no sign of slowing down, with several countries, such as Malaysia, Vietnam and India, currently reviewing their data privacy laws.
  2. Many countries in Asia have implemented data privacy laws modelled on the GDPR, often considered the gold standard for data protection law. Countries such as Japan, South Korea and Singapore have introduced or enhanced their data protection laws to align with GDPR principles, adding data breach notification requirements and increased penalties for non-compliance.
  3. For instance, Japan revised its Act on the Protection of Personal Information in 2020, adopting several GDPR-inspired provisions, including stricter consent requirements, expanded individual rights and increased penalties for violations.[9] Similarly, South Korea passed a major overhaul of its Personal Information Protection Act in February 2023, which incorporates many GDPR principles and strengthens the rights of data subjects by introducing a right to data portability and a right to object to automated decision-making.[10] Singapore has further strengthened its data privacy laws with significant amendments to the PDPA which took effect in February 2021.[11] These amendments introduced a mandatory data breach notification regime, enhanced the enforcement powers of the Personal Data Protection Commission (PDPC), and increased the maximum financial penalties for non-compliance (the higher penalty cap took effect on 1 October 2022).
  4. While the growth of data protection regulation in Asia reflects growing recognition of the importance of data privacy and security, it has also amplified the regulatory risk and exposure for organisations in the event of a cyberattack. Organisations are now often required to report a breach to the regulator within specified, and often short, timeframes: under the PDPA, a notifiable breach must be reported to the PDPC no later than three calendar days after the organisation assesses that it is notifiable, and under the GDPR, where feasible, within 72 hours of the controller becoming aware of it. The notification must include detailed information about the incident, the scope of the breach and the measures taken to mitigate its impact. Companies are therefore expected to respond to and investigate cyberattacks swiftly in order to comply. Non-compliance can lead to substantial financial penalties, which can be a significant burden, particularly for small and medium-sized companies. There is also an increased risk of reputational damage: companies that experience data breaches may face negative publicity, loss of customer trust and customer churn, and rebuilding a damaged reputation is challenging and requires significant investment in communication, transparency and remedial action. Given such regulatory risks, cyber insurers are now facing claims for increasing privacy response costs from insured organisations.

Complex Sanctions Landscape

  1. Ransomware is widely reported as one of the most common forms of cyberattack.[12] Ransomware is malware that uses encryption to hold a victim organisation’s information to ransom: the organisation’s critical data is encrypted so that it cannot access its files, databases or applications, and a ransom is demanded in exchange for restoring access. Organisations are typically given a short window, often 24 to 48 hours, in which to pay.[13] Increasingly, attackers also exfiltrate data before encrypting it and threaten to publish it if the ransom is not paid, so that restoring from backups alone does not remove the extortion threat.
  2. Sanctions compliance in relation to ransom payments has become a critical concern for organisations. Many countries have imposed sanctions on certain individuals, organisations or countries, restricting financial transactions with, and prohibiting dealings with, sanctioned parties. This poses a challenge when deciding whether to pay a ransom to the cybercriminals.
  3. Organisations must navigate an increasingly complex sanctions landscape, balancing their desire to regain access to encrypted data and critical operational systems against the need to comply with sanctions regulations. The complexity arises from several factors. First, there is a proliferation of sanctions regimes imposed by different countries and organisations, each with its own rules, regulations and targets. This creates a patchwork of regimes that can be challenging to navigate, especially for multinational companies operating in multiple jurisdictions.
  4. Second, there is always a risk of breaching sanctions law when paying a ransom, as it is typically difficult to identify the cyber criminals behind an attack, to ensure that the payment is not being made to a person subject to financial sanctions, and to ensure that the payment does not fund activities adverse to the national security of the country in which the organisation operates.
  5. Third, the extraterritorial reach of certain sanctions adds further complexity. Certain countries, such as the United States, have laws that allow them to impose sanctions on non-U.S. entities that engage in prohibited activities involving sanctioned countries or individuals. Businesses therefore need to be aware not only of the sanctions imposed by their own country but also of those imposed by other jurisdictions that may affect their operations.
  6. Violating sanctions can have severe legal and financial consequences for organisations, including fines, criminal prosecution, loss of business opportunities and reputational damage. Organisations must therefore carefully assess the risks, consult legal advisors and consider alternatives, such as restoring from backups or engaging law enforcement agencies, before making any ransom payment, bearing in mind that payment does not guarantee that a working decryption key will be provided. This applies equally to cyber insurers who offer indemnity for ransom payments.

Emergence of State-sponsored Cyberattacks and War Exclusion Language

  1. Rising geopolitical tension, such as the Russian invasion of Ukraine, has shone a spotlight on state-sponsored cyberattacks. One widely publicised instance is the NotPetya attack of 2017. NotPetya presented itself as ransomware, but unlike traditional ransomware it was designed primarily to cause disruption and damage rather than to generate ransom payments: it provided no practical means of recovering the encrypted data, and affected systems were rendered inoperable. It was distributed through a compromised update to a Ukrainian accounting software package and spread rapidly from Ukraine to organisations worldwide, affecting critical infrastructure, multinational corporations, government agencies and financial institutions, and causing significant disruption and financial loss.
  2. Following NotPetya, litigation ensued between victim organisations and their insurers over indemnity for the losses suffered. One such case is the decision of the Superior Court of New Jersey in Merck & Co and I.I. Ltd v Ace et al [2021].[14] The US pharmaceutical giant Merck, a victim of NotPetya, suffered USD 1.4 billion in losses from the attack and sought to recover them under its all-risks property insurance. Its insurers sought to decline cover in reliance on the policy’s war exclusion clause. The Court found that Merck had a reasonable expectation that the war exclusion was confined to traditional warfare, and held that the policy responded. The Court did not, however, squarely address the question of attribution, namely how a cyberattack is to be attributed to a nation state.[15] The ruling at first instance was appealed, and a New Jersey appellate panel has since upheld it.[14]
  3. This case has driven cyber insurers to review actively the cyber-specific war exclusions that would apply to catastrophic losses caused by cyberattacks. In January 2023, the Lloyd’s Market Association published model war exclusion clauses that exclude state-led cyber operations, with variants offering different levels of coverage, provided the operation can be attributed to a state.[16] Proving attribution is a tricky issue, as the relevant evidence is typically not publicly accessible; the Lloyd’s Market Association clauses therefore limit attribution to what can be inferred from the “objectively reasonable evidence that is available”.[17] The wording reportedly took two years of drafting and redrafting, demonstrating the complexity posed by this ever-changing risk landscape. Further discussion on this topic is to be expected, with insured organisations likely to demand more certainty of coverage from cyber insurers.

Conclusion

  1. The cyber risk landscape is dynamic, continually evolving with emerging technologies, new attack vectors and developing regulatory regimes. As organisations face increasingly sophisticated and persistent cyberattacks, the role of cyber insurance has become crucial in managing potential financial losses and mitigating the impact of cyber incidents.
  2. Cyber insurers, however, face the challenge of accurately assessing and quantifying cyber risks which, as demonstrated above, are often complex and rapidly changing. Additionally, the interconnected nature of the digital business world poses systemic risks that could affect multiple insured entities simultaneously. Cyber insurers will have to adapt their underwriting practices, policy terms and pricing models constantly to keep pace with this evolving risk landscape.
  3. To address these challenges effectively, cyber insurers must collaborate closely with cybersecurity experts and legal advisors, stay abreast of emerging threats, and foster innovation in risk assessment and coverage offerings. By doing so, they can help organisations navigate the evolving cyber risk landscape and build resilience in the face of ever-changing cyber threats.

Endnotes

1 Will Feuer, “Insurance giant CNA Financial reportedly paid hackers $40m in ransom”, New York Post, <https://nypost.com/2021/05/21/cna-financial-reportedly-paid-hackers-40m-in-ransom/> (accessed on 17 April 2023).
2 Jim Boehm et al, “Cybersecurity trends: Looking over the horizon”, McKinsey, <https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/cybersecurity-trends-looking-over-the-horizon> (accessed on 14 April 2023).
3 Cyber Security Agency of Singapore, “Singapore Cyber Landscape 2021”, <https://www.csa.gov.sg/Tips-Resource/publications/2022/singapore-cyber-landscape-2021> (accessed on 14 April 2023).
4 Insurance Journal, <https://www.insurancejournal.com/news/national/2018/03/01/481886.htm>.
5 Insurance Journal, <https://www.insurancejournal.com/magazines/mag-features/2014/09/22/340633.htm#:~:text=The%20first%20cyber%20policy%20was,basically%20a%20%E2%80%9Chacker%20policy.%E2%80%9D>.
6 IBM, “IBM Report: Asia-Pacific Felt the Brunt of 2022 Cyberattacks”, <https://in.newsroom.ibm.com/2023-02-22-IBM-Report-Asia-Pacific-Felt-the-Brunt-of-2022-Cyberattacks#:~:text=BENGALURU%2C%20INDIA%2C%20Feb%2022%2C,of%20all%20incidents%20remediated%20worldwide.>.
7 SBS News, <https://www.sbs.com.au/news/article/wake-up-call-for-corporate-australia-100-000-people-join-optus-data-breach-class-action/0gaqx48zp>.
8 Reed v Bellingham at [96].
9 IAPP, <https://iapp.org/news/a/japan-enacts-the-act-on-the-protection-of-personal-information/>.
10 Ius Laboris, <https://iuslaboris.com/insights/south-korea-passes-major-overhaul-of-data-protection-law/>.
11 Personal Data Protection Commission, <https://www.pdpc.gov.sg/news-and-events/announcements/2021/01/amendments-to-the-personal-data-protection-act-take-effect-from-1-february-2021>.
12 CrowdStrike, <https://www.crowdstrike.com/cybersecurity-101/cyberattacks/most-common-types-of-cyberattacks/#1.%20Malware>.
13 Trellix, <https://www.trellix.com/en-sg/security-awareness/ransomware/what-is-ransomware.html>.
14 Law360, “NJ Appeals Panel Upholds Merck’s $1.4B Cyber Coverage Win”, <https://www.law360.com/articles/1602731/nj-appeals-panel-upholds-merck-s-1-4b-cyber-coverage-win>.
15 Julian Miller and Tom Evans, “War Exclusions in Cyber Policies: An Overview”, <https://www.dacbeachcroft.com/en/articles/2023/march/war-exclusions-in-cyber-policies-an-overview/> (accessed on 17 April 2023).
16 Lloyd’s Market Association, bulletin LMA23-002-PD, <https://www.lmalloyds.com/LMA/News/LMA_bulletins/LMA_Bulletins/LMA23-002-PD.aspx>.
17 Vincent J. Vitkowsky, “Viewpoint: Whither War and Cyber Operation Exclusions?”, <https://www.insurancejournal.com/news/national/2023/04/04/715079.htm?utm_content=how-insurers-can-harness-the-power-of-ai&utm_campaign=insuring-cyber&utm_source=insurancejournal&utm_medium=newsletter> (accessed on 17 April 2023).

Legal Director
Clyde & Co Clasis Singapore Pte. Ltd