Partner Hermès Marangos discusses this summer’s cyber-attacks on Singapore’s health provider SingHealth, and examines the impact of such attacks on insurance policies for commercial entities.
Hermès’ article was published in Compliance Monitor, 27 November 2018, and can be found here.
Singapore is frequently lauded as a beacon of international success. In education, quality of life and competitiveness, it invariably tops the global rankings produced by the OECD, the Economist, and the World Economic Forum (WEF). Last year, it beat London and New York to take number one spot in The Global Smart City Performance Index in the integration of technologies and connected services across four key areas: mobility, healthcare, public safety and productivity.
Enjoying a reputation as an open and successful economy, Singapore combines one of the highest levels of average income with one of the lowest levels of crime and corruption. That reputation is assiduously managed, both by the Singapore government and by local media. So recent news that SingHealth had been subject to island’s largest ever cyber-attack came as a most unwelcome surprise, and a blow to its reputation management: SingHealth is the country’s largest group of healthcare institutions, including four public hospitals.
In July, Singapore government authorities announced that the cyber-attack resulted in about 1.5 million patients having their personal data stolen. The figure is comprised of all patients who visited SingHealth’s specialist outpatient clinics and polyclinics between 1st May 2015 and 4th July 2018. The data itself was stolen over a one-week period from 27th June to 4th July. Beyond their medical records, the breach included each patient’s name, NRIC number, address, gender, race and date of birth. About 160,000 of these patients also had their outpatient prescription details stolen.
A notable figure among the patients was the Prime Minister, Lee Hsien Loong. The breach included records about what had been prescribed to him. According to the authorities, it was a “deliberate, targeted and well-planned cyber attack”, in which the attackers specifically and repeatedly targeted the PM’s personal particulars and information on medicine that had been dispensed to him.
The culprits were most likely acting on the orders of another nation state, according to a prominent cybersecurity expert. In response, PM Lee announced on Facebook “I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it.”
Administrators of the Integrated Health Information System (IHIS), the government agency in charge of the IT systems of Singapore’s public healthcare institutions, initially noticed suspicious activity on one of SingHealth’s databases. After deploying additional cyber-security precautions, it took another week before it was confirmed as a cyber-attack, although no further data was stolen. According to crowdstrike.com, the average “dwell time” for a cyber-attack is 229 days. SingHealth therefore did well to detect the breach so quickly.
Because of the highly sophisticated nature of the attack, the authorities believe that it was a form of espionage. The way in which data was stolen over time further suggests that it was a form of Advanced Persistent Threat (ATP). Investigators from Singapore’s Cyber Security Agency (CSA) uncovered a malware infection on one of SingHealth’s computers, which was used by hackers to access the patient database.
SingHealth is not Singapore’s first large scale cyber-attack. In September 2017, the personal data of 5,400 AXA Insurance customers was compromised in a breach. Three months later, Uber announced that the personal information of its 380,000 Singapore users had been compromised in a 2016 breach. But SingHealth is by far the largest local breach to date, making international headlines as a result. And the fact that there are numerous attacks has been predicted by commentators, including those who highlight that most organisations, private and public are ill-equipped or failing in taking necessary decisions and proper steps to combat cyber-attacks. This is because, although instigated by outsiders, such cyber-attacks may also be a symptom of inadequate internal structures to protect information that is stored electronically. Cyber-security specialists would, no doubt, point to the need for much better discovery, classification, and auditing of sensitive data, as well as keeping up-to-date with the latest tools and technologies. But once a cyber-attack has happened, often the important issue to consider what regulatory, contractual and other obligations are impacted. And of course, whether such events are adequately covered by guarantees and insurance policies.
Cyber-attacks can impact on all kinds of contracts, obligations to protect data, Directors and managers duties etc. Cyber security insurance has been around for more than twenty years to provide cover for most of these activities, but has only recently been more widely adopted. The steep rise in cyber-attacks, and the ensuing publicity given to them, has been the catalyst in driving more companies to purchase policies. The growth is not confined to companies. Hiscox and AIG are targeting their personal cyber insurance at wealthy individuals, who may have much to lose if their systems are attacked.
As a result of the constant media attention, cyber cover has become one of the most dynamic growth insurance areas in recent years – increasing by around a third last year. Insurers have been competing hard in offering policies that protect their customers against the worst affects of cyber criminal activity.
Following the SingHealth attack, there are likely to be claims against the four hospitals involved and potential group actions brought by some of the 1.5m patients. In addition, there may also be issues of recoverability depending on the extent of policy covers, including potentially against those insurers who have provided performance guarantees for business interruption due either to the attack or because of the resulting loss of data.
Whatever the limitations afforded by insurance policies on liability to customers, a major cyber-breach on the scale of SingHealth cannot exonerate those responsible if there has been a fundamental breach of obligations to put in place and maintain the integrity of cyber and back-up systems relating to individual patients’ data. The British IoD as well as other similar bodies around the world have constantly been highlighting that the business community is simply failing to take all the steps necessary. Some of the failures are as if one has left highly valuable goods unattended and in full view in an area frequented by thieves and burglars; it may be that as a society we have not as yet readied ourselves to adopt the necessary behaviour required and obliged by the contractual and other obligations one has to counterparties to protect one’s data.
Should the SingHealth attack be confirmed as a state-sponsored or originated act, then it may well come within policies with specific exclusions or specialty covers. These need to be checked, as policies in different parts of the world have extensive definitions of cyber-terrorism that relates to state activity and can be contentious. Policy wording can exclude losses: “however remote” the connection between those losses and “terrorism”, which normally is a reference to terrorism in the traditional sense relating to some form of political violence, but potentially “varied” in some specific policies. These terms should be subject to specific legal definitions and interpretations.
To trigger a terrorist exclusion, the usual guiding principle applied in conventional covers is that the relevant clause requires a “terrorist act” to have been committed, with violence as a key component, so the exclusion in question has to be one of the specially drafted ones dealing with cyber-attacks, criminal or other such activity etc. So, both cover and exclusions will be policy specific.
Understandably, policy exclusions can be widely drafted. One has to be careful in the cyber-attack context; such cyber policies are designed to cover all cyber events unless excluded for the cover to make sense. Typical policies would follow the philosophy of regular policies and tie any exclusion of relating to terrorism to relate to a cyber-attack that contain any element of violence, which at present does not appear to be the case with SingHealth. In terms of over-restrictive covers and over-extensive exclusions, political extremist links can be relevant. The same applies with any identifiable remote connection with investigations or actions by the international intelligence communities.
There is an interconnection between cyber-terrorism exclusions, encompassing losses not involving violence, and the relatively narrow scope of some cyber cover, which envisages that some losses should come under other more specific or specialist covers.
Increasingly, insurance cover incorporates the practical aspects of compliance undertaken by organisations. IT security is a primary consideration, although many businesses still fall short of acceptable standards. Inadequate protection or failing to maintain sufficient protection by regularly updating systems and security can become evident when there is a cyber-attack. Turn to your insurance policy to compensate you and there may be a problem.
Where it can be demonstrated that a company or organisation has failed to meet its contractual obligations by failing to keep systems up to date, or by having inadequate security, then you might have an even bigger problem. It is not yet clear if this applies to SingHealth. Should the insurance company not pay, and you decide to take your claim to a tribunal, then you could be in for a nasty surprise. Most tribunals are unforgiving of compliance failures: no firewalls, weak passwords or inadequate software protection. Similarly, those failures may be the grounds for law suits as between different companies and entities that suffered losses due to the breaches.
In business terms, such behaviour may be regarded as the contemporary equivalent of leaving your house with the doors unlocked and the window open. It can also create liability problems for directors, in-house lawyers, officers and consultants who are responsible for compliance: potential legal ramifications exist in each category.
At every stage, compliance professionals have critical responsibilities: to ensure that appropriate cyber resilient systems and processes are in place, and that they are regularly updated. In addition, they must make sure that all relevant members of staff are trained to follow protocols and procedures.
In terms of compliance and risk management, multiple issues require careful examination of the legal language that is used in supply and commercial contracts as well as insurance policies, which directly or indirectly deal with losses arising from cyber incidents. In insurance policies, where there is a remote connection with terrorism or counter-terrorism activities (in the traditional sense of terrorist acts, that is those that involve acts of violence), the proper application of wordings dealing with cyber-attacks need particularly careful attention. One may see arguments that any activity by groups that have terrorist connections may trigger exclusions, particularly if the overall language of the cover is restrictive.
More than anything, the SingHealth attack is a pointed reminder to professionals as to what can happen. They need to be alert to the possibility that serious legal repercussions can follow if proper protections are not put in place or adequately maintained. Although the legal outcome of the latest prominent cyber-attack is not yet clear, questions will inevitably linger around the language used to exclude cyber-attacks within insurance policies, particularly if the attacks are remotely connected with terrorism.