As I listened to the accounts of Yahoo’s 500m users being hacked (purportedly by a foreign government), four questions came to mind
- Why hasn’t the Yahoo share price fallen more than a couple of percent?
- Did Verizen, it’s prospective purchaser know (and care) about this?
- Why has this taken two years to come out?
- With the reported cost of restitution reckoned at $100 per user, is cyber insurance in place to pick up the $50 bn dollar bill?
I run a cyber service called http://www.pensionplaypen.com. We are insured using Lloyds syndicates against hacking (inter alia). If we were not insured (and insurable), I would not be able to contract with the large organisations such as Sage for whom our capacity to meet claims of this type is critical.
If there is reasonable insurance, or capital reserving against the problems that may ensue from this hack, then the market may consider it of little consequence to Yahoo’s share price, Verizen will simply consider their value being purchased via the insurance (or reserves) and consumers can feel confident that any detriment will be met from the claim.
Similarly, customer of http://www.pensionplaypen.com can feel confident that we are insured against the identifiable risks pertaining to running an online advisory business aiming to help customers make wise choices over workplace pensions.
BTW, they can- from this morning – benefit from our new web-optimised site. Check out http://www.pensionplaypen.com and see the difference!
Due Diligence
My memories of due diligence carried out on us is of relentless enquiries of us, those who host our servers and of the various organisations we contract with. Primary due diligence needs to be carried out by the third party (in our case our partners- in Yahoo’s case its purchaser). The scale is different, the controls the same.
A breakthrough moment for each provider doing business with Pension PlayPen is the conversation with our insurers (or at least our excellent brokers – Lockton UK). Insurers are our advocates, their readiness to insure us (at a discounted premium) is testament of their confidence in us. Their due diligence acts as the second line of defence for our partners.
For we are in unchartered waters. Our ship sails into the new found lands of Fintech and Robo-Advice and we cannot predict the outcomes, only pay for the protection we are not capitalised to provide from our own resources.
Insured?
Were we not insured (or insurable) then our business model would be untested. I know that only a tiny minority of our businesses have taken out the cover we have and I am quite sure that few of the users of their services have stopped to ask the “what if?” questions that our major partners have.
I doubt that we ask those questions when using Google, Facebook or Yahoo.
I do not know if Yahoo is insured, but I am one of the 500m customers who has had an account with them over the past five years and I am quite sure that certain of my details are in the hands of people who could do me damage.
Protected?
Whether Yahoo or Talk Talk or any other cyber provider can be fully insured or would want to disclose the extent of their insurance, is a moot point. It is arguably a greater risk to the insurer to publish you have the means to pay restitution since the new trend in cyber hacking is the holding of companies to ransom over the safe return of data.
But I suspect that in our day to day dealings with cyber-providers we would like the assurance of knowing that were a prang to occur, the provider (like any motorist) had the means to meet the claim.
Perhaps we should start thinking of the necessity, not the desirability of cyber insurance. Perhaps the numerous offices of Government considering themselves a part of our digital revolution, could initiate a review of the insurances and assurances in place for internet customers and think about developing a common means to insure us against the calamities ahead.
Let us hope that Yahoo is not one such calamity!
Sage suffered data loss some weeks ago iirc, and I’m sure in a previous comment about Sage (your advert for them), I said they would be just as vulnerable as anyone else… and so it turned out to be true.
As for insurance becoming mandatory, government are just as at risk of data leaks as any private business.
Do we really want to throw more costs at things like the NHS to protect our data, despite all their shinky IT projects going over budget?
We already have heavily regulated systems in place, so adding insurance on top is essentially saying regulations do nothing?
Or are we now saying insurers should dictate regulations because they can assess risk better? That’s probably true, rather than EU and UK government types who haven’t a clue.
I think many systems really don’t need to be so inter-connected. My wife’s maternity notes for example, are still paper based. They work. There is no security risk. It’s accessible from start to finish and my wife is responsible for them. Job done.
But apparently they want to make ‘computers do it’. So it’ll cost more, work less reliably, take the data away from the person who it’s about, make it vulnerable to hacking, add lots more people in a process that doesn’t need one, etc etc.
To give these mothers to be access to their notes, no doubt they’ll be able to log on via the internet. I can’t see any problems with this system and security.
There are things that need computers, things that work better with them, and times when a paper and pen are still better.
Lastly, Google probably know more about you than you do. And you’ve given it all to them for free in return for useful internet searches. I’d as much about how they monetise your data with their partners, as much as a hacker who has your data as one data-set within hundreds of millions. They’re both out to make money out of your data.
Convenience or privacy/security… pick one.