Buying cyber insurance cover will not make you immune from attack and it will not encourage attack or promote the ongoing rise in attacks.
Having your server ‘in the cloud’ will not protect you from a virus or your data from an unscrupulous unknown wielding a fraudulent finger ready to pounce and hold you, and your website, to ransom.
Maybe you do not feel you are vulnerable; maybe you only use the internet for browsing. If that is the case, try switching it off for an hour and see how well you manage; indeed, switch off your mobile telephone, your photocopier, your heating system, plus the internet and systems of all of your customers too. The threats are all-pervasive, and your customers may not look too kindly on you after you have spread a virus which infected their software and systems.
Defences (Reasons) not to take out cyber insurance cover include:
- We have our own computer chap and he is great; he can fix anything that goes wrong;
- He only works for you;
- He is available 100% of the time, day and night and never takes a holiday;
- He also has access to a PR agency to explain to your customer why their names and addresses and other details have been leaked;
- He will pay for the consequential loss of income to the company arising out of the outage; and/or
- He will pay the wages of staff sitting idle while you struggle to find the root of the problem.
The General Data Protection Regulation (GDPR) was published on 4th May 2016. It will be a further two years until member states of the EU must be fully compliant with the regulations.
The GDPR will require companies to implement a complex privacy management system, for which risk transfer finance strategies will need to be developed and compliance demonstrated before the end of the implementation period.
Some statistics from 2015:
- Data breaches cost on average £115 to £165 per day per compromised record;
- £3.1 million was the average total organisational cost of a data breach in Europe;
- 51% of breaches were caused by negligence or IT glitches; and
- In the UK 90% of large organisations and 74% of small organisations reported they had a security breach.
A data protection loss can prove to be expensive; fines for the most serious breaches have increased to EUR 20 million or 4% of total turnover. You cannot insure against a fine, but prevention is better than cure, and taking steps to reduce the severity of a loss or to clear up swiftly afterwards will be viewed positively.
Industries attacked are not limited in type or size; the cyber fraudster doesn’t care, and they are not all clever; they may attack your server, website or systems and leave them in a mess afterwards, way beyond what they can fix even if you pay their ransom. The cleverest hackers may be able to put the system back up and running again, but leave a present for you to find much later.
Who has been attacked?
- Power and Utilities – critical infrastructures have been interrupted;
- Financial Services – Financial and litigation losses estimated at £0.8 billion alone whether it is by fraudulent fund transfers or system hijacks, viruses and website interruptions;
- Healthcare – all possess private data, and 88% of all US healthcare providers have been attacked by ransomware;
- Manufacturing – increasingly complex supply chains make manufacturing as vulnerable as everyone else, and the increasing use of software to run machines makes them susceptible to attack. In 2014 hackers attacked the business and production of a German steel mill, accessing the control system and triggering an unscheduled shutdown of the furnace, causing massive damage to equipment;
- Retail – Point of sale systems capture your data, and the increasingly interlinked way we all live means an attack reaches across many systems; and
- Education – Identity fraud is rife, and the culture of openness and information-sharing makes it highly susceptible to cyber risk.
What should you do?
- Understand your potential areas of risk;
- Undertake a risk assessment;
- Assess Risk transfer and loss funding options;
- Develop underwriting information; and
- The insurance of things.
We all understand the basics of cyber insurance and the need to protect against the loss of assets – the so-called Insurance of Things.
Today we are experiencing a further industrial revolution based on the Internet of Things, complicated by the combination of interconnected machines and people across previously blocked areas.
Then we consider business interruption following non-physical damage, the gaps between physical and non-physical losses, gaps in cover, and which insurer is going to pay the loss.
Statistics in the last year show that cyber attacks come in different forms and sizes:
- 52% of security breaches come from malicious insiders (disgruntled employees, greedy employees and employees approached by criminals to assist in crime);
- 43% of attacks were by malicious outsiders;
- 4% were by people with political or other agendas;
- 1% were state sponsored; and
- 1% were accidental loss.
What to do now?
Let us assume you have understood your potential areas of risk, carried out a risk assessment, and looked at risk transfer and loss funding options; there are some relatively simple things you can do to manage the employees who are the strongest and weakest link in your cyber defence:
Engage employees to be cyber vigilant:
- Monitor your company’s bring your own device programme, enforce password protection on all devices and computers throughout the company (do not share passwords or reveal them to others), ensure they are changed regularly and scan memory sticks before uploading data to company software;
- Put a cyber awareness campaign into place. HR and IT should work closely together to inform all employees about cyber threats;
- Create policies and procedures around data security when employees leave the company. Too often departing employees’ credentials are not cancelled in a timely manner, allowing them to retain access to sensitive data;
- Manage and monitor IT systems and networks – control the access of staff, limit the number of privileged users, monitor activity, and log and analyse unusual activity;
- Educate employees about spear phishing attacks;
- Keep abreast of change. A continuing effort is needed to educate employees about evolving cyber risks and recognise and report potential breaches;
- Keep systems up to date – secure and apply ‘patch’ software to automatically update programmes to fix security vulnerabilities and carry out regular scans;
- Create a Disaster Recovery Plan – produce and test plans to ensure the business is prepared in the event of an incident;
- Establish anti-malware protections – scan for malware across the business; and
- Protect networks – implement network security controls to protect networks from internal and external attacks.
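Two of the points above (cancelling departing employees’ credentials promptly, and limiting and monitoring privileged users) are easy to check mechanically. The script below is an added example written for this page, not code from the article or from Lycetts; it assumes three inputs that most organisations already have in some form: an HR leavers list with last working days, an export of user accounts with an enabled flag and a privileged flag, and an authentication log. All records and log lines in it are constructed, and the log line format is a hypothetical one chosen for the example.

```python
"""Offboarding and privileged-access review checks (added example, not from the original article).

Assumptions (constructed for illustration): an HR leavers list, a directory/account export and
an authentication log in the simple line format shown below. Real systems will differ in
format, but the three checks are the same.
"""
import re
from datetime import datetime, timezone

# Constructed HR leavers list: username -> last working day (UTC)
LEAVERS = {
    "jsmith": datetime(2016, 5, 31, tzinfo=timezone.utc),
    "apatel": datetime(2016, 6, 10, tzinfo=timezone.utc),
}

# Constructed account export: username -> enabled / privileged flags
ACCOUNTS = {
    "jsmith": {"enabled": True, "privileged": True},   # leaver, still enabled: a finding
    "apatel": {"enabled": False, "privileged": False},  # leaver, correctly disabled
    "bjones": {"enabled": True, "privileged": True},
    "ckhan": {"enabled": True, "privileged": False},
}

# Constructed authentication log (hypothetical format: timestamp, user, result, source IP)
AUTH_LOG = """\
2016-06-01T08:15:22Z user=jsmith result=success src=10.0.0.5
2016-06-02T23:40:01Z user=bjones result=success src=10.0.0.9
2016-06-11T02:05:47Z user=apatel result=failure src=198.51.100.7
2016-06-12T19:30:00Z user=jsmith result=success src=203.0.113.4
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "result": m["result"], "src": m["src"]})
    return events


def stale_accounts(leavers, accounts, now):
    """Leavers whose last working day has passed but whose account is still enabled."""
    return sorted(
        user for user, last_day in leavers.items()
        if last_day < now and accounts.get(user, {}).get("enabled", False)
    )


def post_departure_activity(leavers, events):
    """Authentication events (successful or failed) for a leaver after their last day.

    Failed attempts are kept as well: an attempt against a closed account is still
    worth seeing in a review.
    """
    return [e for e in events if e["user"] in leavers and e["ts"] > leavers[e["user"]]]


def privileged_users(accounts):
    """Enabled accounts holding privileged access, for the periodic 'do they still need it' review."""
    return sorted(u for u, a in accounts.items() if a["enabled"] and a["privileged"])


if __name__ == "__main__":
    now = datetime(2016, 6, 15, tzinfo=timezone.utc)
    print("Leavers still enabled:", stale_accounts(LEAVERS, ACCOUNTS, now))
    for e in post_departure_activity(LEAVERS, parse_log(AUTH_LOG)):
        print("Post-departure auth:", e["ts"].isoformat(), e["user"], e["result"], e["src"])
    print("Privileged users to review:", privileged_users(ACCOUNTS))
```

Run regularly (for example from a scheduled job) rather than once: the value is in catching the account that was missed at leaving time and the privilege that was granted for a project and never removed, which is exactly the gap the list above describes.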
What are others doing?
- One in three companies in the US takes out Cyber cover – Premiums spent exceed £2 billion in the last year.
- Companies are separating their internet use from their core operations activities to reduce the exposure to outside forces.
- Some institutions are now using pen and paper to record critical data!
At Lycetts, we continue to monitor the changing environment of risk associated with cyber attacks and meet underwriters to evolve policies to meet these needs.
For advice on the best way to approach how you should react and deal with the growing impact of cyber crime contact one of our Account Executives for more information on cyber insurance and assistance.