Out-Law / Your Daily Need-To-Know

Out-Law News 2 min. read

Cost of hacking to PayPal shows the importance of insurance against cyber attacks, says expert


The reported £3.5 million costs incurred by PayPal as a result of the actions of a group of computer hackers shows how vital it is that companies insure against cyber attacks, an expert has said.

Prosecutor Sandip Patel told Southwark Crown Court that it took the online payment services company three weeks to resolve issues related to a series of attacks by the 'hacktivist' group Anonymous, according to the BBC. The company, which is owned by auction site eBay, also had to pay for more hardware and software to defend against similar attacks in the future, he said.

Christopher Weatherhead, a 22-year-old student, is accused of being part of a group that carried out distributed denial of service (DDOS) attacks against organisations opposed to internet piracy, including Mastercard, Visa and the British Recorded Music Industry (BPI). PayPal, which Patel said was attacked after it refused to process payments relating to the controversial Wikileaks website, was subjected to a series of attacks which "caused considerable damage to its reputation and loss of trade", the prosecutor said.

DDOS attacks typically involve hackers using malware-affected computers to bombard a website with such large amounts of traffic that it is unable to function. In the UK, individuals can face fines and up to ten years imprisonment under the Computer Misuse Act, which criminalises unauthorised acts with intent to impair the operation of any computer. The Act also criminalises preventing or hindering access to any program or data held in any computer, impairing the operation of any such program or the reliability of any such data, or enabling those acts to be done.

Insurance data risks and cyber liability expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that IT suppliers are often responsible for any service outage or security breach. Businesses with an online presence typically look to recoup any costs and revenue losses from the IT hosting provider under the service contract, he said.

"Customers will generally look to include broad, and sometimes specifically extended, warranties and indemnities from their suppliers in relation to data security, while suppliers will separately try to negotiate limitations or exclusions of liability for incidents of this nature," he said.

Companies should also ensure that they have sufficient insurance cover in place to cover their own costs and revenue losses where their networks, including online sales platforms, are affected because of a data breach, he said. Cyber business interruption insurance policies pay out at a fixed rate during periods of downtime after a 'waiting period', generally between 6 - 12 hours, has passed. Companies should also insure against hard costs such as forensic fees and losses from third party claims, he said.

The Government published new cyber risk management guidance (2-page / 306KB PDF) in September. It called for managers and senior executives to adopt a "risk management" approach to cyber security, and to consider how cyber attacks could impact on business areas such as reputation, share price and ability to do business.

The European Commission began a consultation in July on proposals that could see businesses required to report when their "essential" systems, including the internet, have been disrupted due to "cyber incidents". The Commission said its aim is to "enhance preparedness, strengthen the resilience of critical infrastructure as well as to foster a cyber-security culture in the EU".

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.