As I listened to the accounts of Yahoo’s 500m users being hacked (purportedly by a foreign government), four questions came to mind:
- Why hasn’t the Yahoo share price fallen more than a couple of percent?
- Did Verizon, its prospective purchaser, know (and care) about this?
- Why has this taken two years to come out?
- With the reported cost of restitution reckoned at $100 per user, is cyber insurance in place to pick up the $50 bn bill?
I run a cyber service called http://www.pensionplaypen.com. We are insured using Lloyd's syndicates against hacking (inter alia). If we were not insured (and insurable), I would not be able to contract with the large organisations such as Sage for whom our capacity to meet claims of this type is critical.
If there is reasonable insurance, or capital reserving against the problems that may ensue from this hack, then the market may consider it of little consequence to Yahoo’s share price, Verizon will simply consider their value being purchased via the insurance (or reserves), and consumers can feel confident that any detriment will be met from the claim.
Similarly, customers of http://www.pensionplaypen.com can feel confident that we are insured against the identifiable risks pertaining to running an online advisory business aiming to help customers make wise choices over workplace pensions.
BTW, they can, from this morning, benefit from our new web-optimised site. Check out http://www.pensionplaypen.com and see the difference!
My memories of due diligence carried out on us are of relentless enquiries of us, those who host our servers and of the various organisations we contract with. Primary due diligence needs to be carried out by the third party (in our case our partners; in Yahoo’s case its purchaser). The scale is different, the controls the same.
A breakthrough moment for each provider doing business with Pension PlayPen is the conversation with our insurers (or at least our excellent brokers, Lockton UK). Insurers are our advocates; their readiness to insure us (at a discounted premium) is testament to their confidence in us. Their due diligence acts as the second line of defence for our partners.
For we are in uncharted waters. Our ship sails into the new-found lands of Fintech and Robo-Advice and we cannot predict the outcomes, only pay for the protection we are not capitalised to provide from our own resources.
Were we not insured (or insurable) then our business model would be untested. I know that only a tiny minority of our businesses have taken out the cover we have and I am quite sure that few of the users of their services have stopped to ask the “what if?” questions that our major partners have.
I doubt that we ask those questions when using Google, Facebook or Yahoo.
I do not know if Yahoo is insured, but I am one of the 500m customers who has had an account with them over the past five years and I am quite sure that certain of my details are in the hands of people who could do me damage.
Whether Yahoo or TalkTalk or any other cyber provider can be fully insured, or would want to disclose the extent of their insurance, is a moot point. It is arguably a greater risk to the insurer to publish that you have the means to pay restitution, since the new trend in cyber hacking is the holding of companies to ransom over the safe return of data.
But I suspect that in our day to day dealings with cyber-providers we would like the assurance of knowing that were a prang to occur, the provider (like any motorist) had the means to meet the claim.
Perhaps we should start thinking of the necessity, not the desirability, of cyber insurance. Perhaps the numerous offices of Government considering themselves a part of our digital revolution could initiate a review of the insurances and assurances in place for internet customers and think about developing a common means to insure us against the calamities ahead.
Let us hope that Yahoo is not one such calamity!