Networking in Surrey

You don’t buy Fire insurance because you expect a fire or Theft insurance because you are expecting to be robbed.

So why don’t you buy Cyber Insurance when everyone around is being hacked or infiltrated by viruses and threats of attack?

Buying the cover will not make you immune from attack and it will not encourage attack or promote the ongoing rise in attacks.

Having your server ‘in the cloud’ will not prevent you from a virus or protect your data from an unscrupulous unknown wielding a fraudulent finger ready to pounce on you and hold you and your website to ransom.

Maybe you do not feel you are vulnerable; maybe you only use the internet for browsing. If that is the case, try switching it off for an hour and seeing how well you manage; that means your mobile telephone too, and your photocopier, your heating system, and the internet and systems of all of your customers too, as doubtless they will be attacked if you are. And they may not look too kindly on you after you have spread a virus which infected their software and systems.

Defences (Reasons) not to take out insurance cover are:

We have our own computer chap and he is great; he is always able to fix anything that goes wrong.

 And he only works for you?

And he is available 100% of the time, day and night and never takes a holiday.

And he also has access to a PR agency to explain to your customers why their names and addresses and other details have been leaked.

And he will pay for the consequential loss of income to the company arising out of the outage.

And he will pay the wages of the people sitting idle whilst you struggle to find the root of the problem.

If all that doesn’t put a tiny bit of fear in you and you are not considering taking out some kind of protection, think on the new Statute requiring you to consider doing something.

You didn’t know about it. Ignorance is not bliss; on 4th May 2016 the General Data Protection Regulation was published and then entered into force 20 days after its publication. It will be a further two years until member states of the EU must be fully compliant with the regulations.

What is the catchily named GDPR all about? Many companies will need to implement a complex privacy management system, risk transfer finance strategies will need to be developed, and compliance will need to be demonstrated before the end of the implementation period.

 

 

OK. Let us move on. Now, not everyone likes or believes statistics, but these are interesting and relate to 2015 when:

Data breaches cost on average £115 to £165 per day per compromised record

£3.1 million was the average total organisational cost of a data breach in Europe

51% of breaches were caused by negligence or IT glitches

In the UK 90% of large organisations and 74% of small organisations reported they had a security breach

If you suffer a data protection loss and the Information Commissioner comes after you, it will be expensive; fines for the most serious breaches have increased to EUR20 million or 4% of Total Turnover. You cannot insure against a fine, but prevention is better than cure, and taking steps to reduce the severity of a loss or clear up swiftly afterwards will be viewed positively.

Industries attacked are not limited in type or size; the cyber fraudster doesn’t care, and they are not all clever. They may attack your server, website or systems and leave them in a mess afterwards, way beyond what they can fix even if you pay their ransom. The cleverest hackers may be able to put the system back up and running again, but leave a present for you to find much later.

Who has been attacked?

Power and Utilities – critical infrastructures have been interrupted

Financial Services – financial and litigation losses are estimated at £0.8 billion alone, whether by fraudulent fund transfers or system hijacks, viruses and website interruptions

Healthcare – all possess private data, and 88% of all US healthcare providers have been attacked by ransomware

Manufacturing – increasingly complex supply chains make manufacturing as vulnerable as everyone else, and the increasing use of software to run machines makes them susceptible to attack. In 2014 hackers attacked the business and production of a German steel mill, accessing the control system and triggering an unscheduled shutdown of the furnace, causing massive damage to equipment

Retail – Point of sale systems capture your data, and the increasingly interlinked way we all live lets an attack reach across many systems and abroad.

Education – Identity fraud is rife, and the culture of openness and information-sharing makes it highly susceptible to cyber risk

What should you do?

Understand your potential areas of risk

Undertake a risk assessment

Risk transfer and loss funding options

Develop underwriting information

The insurance of things

We all understand the basics of insurance and the need to protect against the loss of assets – the so-called Insurance of Things.

Today we are experiencing a further industrial revolution based on the Internet of Things, complicated by the combination of interconnected machines and people across previously blocked areas.

Then we consider business interruption following non-physical damage and the gaps between physical and non-physical losses: gaps in cover, and which insurer is going to pay the loss.

Statistics in the last year show that cyber attacks come in different forms and sizes and surprisingly perhaps:

 52% of security breaches come from malicious insiders (disgruntled employees, greedy employees and employees approached by criminals to assist in crime)

43% of attacks were by malicious outsiders

4% were by people with political or other agendas

1% were state sponsored

1% were accidental loss

What to do now?

Let us assume you have understood your potential areas of risk, have carried out a risk assessment and looked at risk transfer and loss funding options; there are some relatively simple things you can do to manage the employees who are the strongest and weakest link in your cyber defence:

  • Engage employees to be cyber vigilant:

    • Monitor your company’s bring-your-own-device program. Enforce password protection on all devices and computers throughout the company; do not share passwords or reveal them to others; ensure they are changed regularly; and scan memory sticks before uploading data to company software.

    • Put a cyber awareness campaign into place. HR and IT should work closely together to inform all employees about cyber threats

    • Create policies and procedures around data security when employees leave the company. Too often departing employees’ credentials are not cancelled in a timely manner, allowing them to retain access to sensitive data

    • Manage and Monitor IT systems and networks - control the access of staff, limit the number of privileged users, monitor activity and log and analyse unusual activity.

    • Educate employees about spear phishing attacks

    • Keep abreast of change. A continuing effort is needed to educate employees about evolving cyber risks and to help them recognise and report potential breaches

    • Keep systems up to date - securing ‘patch’ software to automatically update programs to fix security vulnerabilities, and carry out regular scans

    • Create a Disaster Recovery Plan - produce and test plans to ensure the business is prepared in the event of an incident.

    • Establish anti-malware protections - scan for malware across the business

    • Protect networks- implement network security controls to protect networks from internal and external attacks.

---------------------------------------------------------------------------------------------------------------------

At Lycetts, we continue to monitor the changing environment of risk associated with cyber attacks and meet underwriters to evolve policies to meet these needs.

For advice on how best to react to and deal with the growing impact of cyber crime, contact one of our Account Executives for more information and assistance.

What are others doing?

One in three companies in the US takes out Cyber cover - Premiums spent exceed £2 billion in the last year

Companies are separating their internet use from their core operations activities to reduce the exposure to outside forces.

SOME INSTITUTIONS ARE NOW USING PEN AND PAPER TO RECORD CRITICAL DATA!
