The vast majority of businesses currently use some sort of computer system or device linked to a network which gives creative individuals with malicious intent the opportunity to harm the business. Many firms are finding that even after adopting a best practice approach to IT policies and procedures, incidents continue to occur.
Cyber & Data Insurance policies are primarily designed to reduce the impact on a company’s balance sheet through restoration and containment services. These services include restoring the functionality of a company’s systems, mitigating reputational damage through the deployment of a public relations strategy, and covering the cost of contacting both customers and suppliers to communicate the breach (and offer credit monitoring services where applicable).
The term ‘cyber risk’ is typically used to define any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.
There are many different types of risk associated with a cyber attack. Examples include denial of service attacks which can shut down entire IT systems and websites, loss of critical data, loss of client data, loss of proprietary information, or a threat of extortion or adverse media coverage following an attack. It was reported in a survey conducted by Edelman that 71% of customers would leave an organisation after a data breach where their personal information had been stolen.
Cyber & Data policies will typically have coverage for:
Most policies will provide cover for the following:
Any business using computer systems to store data that may include financial information of clients, employee information or confidential files has a risk exposure to a cyber attack. According to the Government Security Breaches poll, nearly three quarters of small organisations reported a security breach in 2015.
It is no longer only larger businesses that are being attacked for the potential financial rewards; cyber attacks are happening with a much greater frequency on smaller and medium-sized businesses, possibly due to the perception that they are easier targets.
Employees are also putting their organisations at risk due to a general lack of understanding of IT security, one example being USB security. A recent report stated that 73% of employees are using USB drives without having permission to do so, 72% have lost USB drives without notifying appropriate authority, and 55% of employees use generic or free USB drives which could contain malware or other software that could harm computer systems.
Another example would be the emergence of Bring Your Own Device (BYOD) policies, which creates yet another route for hackers to gain access to a company’s systems.
Prevention is better than cure, so the implementation of high levels of data security and stringent system controls are advisable, as well as providing your staff with the relevant training and education. It is important that organisations take responsibility for their employees and help fill any knowledge gaps specifically in relation to computer security. Any new employee should receive training in computer security and regular reminders to remain vigilant of any suspicious emails.
In addition to regulatory fines and defence costs, there could also be compensation to third parties to be considered, which can be substantial.
If the valuation of the company is significantly impacted it can cause disputes in the Boardroom between the directors and shareholders which can prove to be extremely disruptive.
Cyber insurance policies are available from £1,000 per annum at the lower end of the scale depending on the data held and size of the company.
There are multiple factors used by underwriters; one of the key criteria is the number of personally identifiable information records held by a company.
Businesses that rely heavily on technology to generate revenue or process transactions are potentially at a higher risk of significant impact. Underwriters may review how quickly a company is able to resume operations following a network security failure, or outage, along with the back-up plans in place.
The factors that can make retail companies higher risk include:
A good starting point to assessing the limits required is to conduct an exposure analysis, including a review of the size and nature of the data you hold. A micro company may only need a £50,000 limit depending on whether they are holding sensitive data and trading over the internet, whilst an SME might purchase between £100,000 and £5,000,000.
An excess will typically apply to monetary values and a time excess will be applied to business interruption elements of the coverage (usually 12 or 24 hours).
There will almost always be exclusions and limitations in an insurance policy. Whilst some policies would not cover unencrypted data on portable devices, there are also those that limit or eliminate coverage for information held by a third party (such as data held in the cloud unless there is a written contract between the policyholder and the third party). Cyber and Data policies are also unlikely to cover risks that are insurable elsewhere, typically those covered under a general liability policy for example.
Navigating the exclusions and limitations in Cyber & Data policies can prove challenging for the inexperienced. A broker with expertise in this field will be able to advise on which products are most suited to your sector and company and help you decide on appropriate insurance limits. They should also be able to negotiate with insurers over exclusions and policy language, where required.
Cyber & Data Insurance first became available in the 1980s but did not flourish and remained a niche product to address unusual exposures. However, the uptake of Cyber & Data Insurance has grown rapidly over the last decade as insurers have responded to the heightened risks and increasing levels of criminal activity in this area.
Cyber risk policies can define the geographic scope of the covered risks to certain locations, such as the UK only or ‘worldwide excluding the United States’. Companies need to review whether their coverage matches their business relationships and risks to ensure that they are purchasing effective insurance. Certain jurisdictions can attract higher premium charges.
The GDPR is the General Data Protection Regulation, an EU regulatory body set up in April 2016. Its mandate is to strengthen and unify data protection for individuals within the European Union.
The biggest change is that companies which experience a breach will have to notify all of their clients and suppliers. Whilst this applies only to breaches determined as ‘higher risk’ (where there has been a risk of fraud or identity theft), it sets a relatively low bar, as this is the type of information regularly collected and widely held by companies.
The EU General Data Protection Regulation (GDPR) is due to be enforced from 25th May 2018.
Yes, if you hold or transfer data of users from the EU.
The current cap of £500,000 will be increased to €20m or up to 4% of a company’s annual global turnover, whichever is greater.
The GDPR will make the companies that are processing the data accountable for their data protection and therefore they will be the ones who will receive the fines.
When an entity demands a ransom to restore or release IT systems or files which have been hacked.
Cover for lost revenue as a result of a ‘hacking event’ and includes the restoration expenses that are incurred whilst remediating the breach.
Liability cover for damage and claim expenses that come from an actual or alleged breach, error or omission which leads to the:
Liability cover for if an insured fails to keep securely any electronic or non-electronic private or confidential information in their care, custody or control.
Cover for legal defence expenses, as well as penalties or fines that may arise from a regulatory proceeding from a breach of a privacy law caused by a covered security breach.
They cover crisis management, which includes the cost of credit monitoring services and public relations expenses that will arise from a security or a privacy breach. This will also cover the cost of notifying clients as required by various international laws or regulations, particularly in the US with state and federal laws.
This covers the insured for intellectual property such as copyright infringement and personal injury such as defamation that result from an error or omission in the content of their website.
A service which is typically provided by a public relations firm which can advise on the communication strategy after the event of a data breach to help minimise the damage to a company’s reputation.
Reimbursement for costs of repair, restoration or replacement if a hacker causes damage to your websites, programmes or electronic data.
The darknet is an area of the internet that is encrypted and requires special software and configurations to access. There has been a significant rise in the trading on the darknet of computer viruses developed by hackers. Other examples of illegal activities that occur there are the purchasing of illegally obtained credit card numbers, false identities, weapons and even uranium.
This is a general term for different types of malicious software, such as computer viruses and spyware. In 2014 it was reported that there were nearly one million new malware threats released online every day, according to reports by Symantec.
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by an entity disguising itself as trustworthy in a Facebook message or Tweet for example.
Like-jacking occurs when criminals post fake Facebook ‘like’ buttons to webpages. Users who click the button don’t ‘like’ the page, but instead download malware.
Link-jacking is the practice of redirecting one website’s links to another. Hackers use it to redirect users away from trusted websites to malware-infected sites that host drive-by downloads or other types of infection.
A malicious insider, although less frequent, has the potential to cause significant damage due to their level of access. Administrators with privileged access present an especially high risk. According to the Ponemon Institute, ‘data breaches that result from malicious insider attacks are most costly’.
These are individuals who have been misled by external parties into providing data or passwords to access systems, databases or bank accounts.
Careless insiders are those that may simply press the wrong key which accidentally deletes, modifies or sends critical information to the incorrect party.