Leading JLT manager points to US whistleblower saga as a wake-up call for businesses to better manage their cyber and industrial espionage exposures
Revelations by former Booz Allen Hamilton (BAH) employee Edward Snowden that the US National Security Agency (NSA) has been running secret surveillance programmes are creating disquiet across the business world.
As Snowden, who is wanted in the US on espionage charges, waits in Moscow Airport while his application for temporary asylum in Russia is considered, risk professionals are coming to terms with the implications of such covert surveillance.
Ali Chaudhry, managing director of Professional & Executive Risks Asia at Jardine Lloyd Thompson (JLT), says the Snowden case highlights the risks arising from industrial espionage and will prompt businesses outside the consulting and service sectors to think more about their exposures in this area.
Chaudhry, who is based in Hong Kong, says that the various new cyber- or privacy-breach policies would typically provide coverage for companies in respect of both their own costs arising from the breach and the potential legal liability claims and associated defence costs from their clients.
“However, limits and market capacity typically provided by these policies are reasonably low, and in most cases I would expect a large specialist technology consulting and outsourcing firm to have in place significant limits and tailored tech/consulting professional indemnity insurance that would potentially be in the firing line to respond if the NSA decided to pursue BAH for damages,” Chaudhry says.
“Leading on from this, there could in theory be fairly significant Directors’ and Officers’ Liability exposures arising from alleged mismanagement and unhappy shareholders if, for example, the BAH share price collapsed.”
In a report released recently by insurance broking and risk-management firm Marsh, Stella Tse, financial and professional risks practice leader at Marsh, writes that while many companies across Asia feel more informed about cybercrimes, they are less confident than ever in their existing cyber-security measures.
“Directors and officers must now make it their business to understand what information their company holds, where it is located and how it is protected,” she adds.
“Boards need to analyse the potential impact a breach could have on the organisation and its likelihood of occurring, and be part of the effort to design and implement a far-reaching programme to both prevent breaches and prepare the organisation to respond properly if one occurs. They must be able to answer to shareholders, customers, suppliers, business partners and authorities.”
The report – Cyber Risk In Asia: Is Your Data Safe? – points out that there are now five jurisdictions in Asia that have enacted data-privacy laws – Hong Kong, Japan, Malaysia, South Korea and Taiwan – while others are in the process of forming or enacting laws.
“While businesses must be mindful of the relevant laws in their own jurisdictions, when it comes to global connectivity and cyber crimes, borders can become meaningless,” Tse writes. “If the personal details of a customer who lives outside your jurisdiction are compromised, your business could be subject to the laws of the customer’s country.”