Most days the news media report on computer crime, whether it’s the latest email phishing scam or a major ransomware attack or a data breach. Sometimes the problem is weak security, such as unchanged default or easily guessable passwords. Sometimes humans are persuaded to reveal information allowing access to systems, or they’re tricked into clicking on a harmless-looking link.
Once access is gained to an IT system, various kinds of mischief are possible, depending on the hacker. Entry-level hackers might be satisfied with uploading malware to display unwanted adverts, leaving rude messages or changing links to point to embarrassing sites. However, hackers can also cause physical damage remotely. Systems can be locked and data stolen or held to ransom.
Whilst large organisations may be the most potentially lucrative targets for hackers, small & medium-sized enterprises (SMEs) are often easier to crack. An organisation large enough to support an IT department probably operates reasonable systems of security, with firewalls, enforced regular password changes and control of software installation & upgrades. It will monitor access to its systems and data and maintain multiple remote backups.
Medium-sized organisations may use third party off-site IT specialists to install and maintain their systems. They may not realise they’ve been hacked until something goes wrong and they call in “the IT guys”.
Meanwhile, many small businesses operate on one or more PCs or laptops and a payment card reader. The IT Dept is the owner’s brother-in-law or a friend-of-a-friend who “knows about computers”.
They may be unaware of their obligations under the PCI-DSS (Payment Card Industry Data Security Standard). Although not covered by UK law, compliance is effectively mandatory and enforced contractually by banks and card issuers. Likewise, virtually any company that uses a computer to store or process data is susceptible to claims from data subjects under the GDPR (General Data Protection Regulation), which has been firmly enshrined in UK law since May 2018.
A survey by respected economists Oxera Consulting for the ABI (Association of British Insurers) in November 2020 highlighted the increasing dependence of our economy, our society and our everyday lives on digital infrastructure. Computer security firm McAfee and the Centre for Strategic & International Studies estimate that in 2018 cybercrime cost the world almost $600 billion, or about 14% of the internet economy.
The Oxera survey found that about 35% of large UK businesses have cyber insurance, compared with 31% of medium businesses and only 1.2% of small firms. According to the same survey, 32% of UK businesses suffered a cybersecurity breach or attack in 2018.
The cover offered by cyber insurance policies varies widely and is often tailored to the specific business needs and risks. Put simply, it’s a bit like a comprehensive car policy, where there is an element of first-party cover (to pay for loss of or damage to the car) and an element of third-party cover (to meet claims made against you by others who have suffered injury or damage due to your negligence on a road).
The first-party cover under a cyber policy will repair or replace computer equipment damaged or made unusable by hack, attack, virus or security breach. Some policies offer to upgrade hardware and/or software to prevent future claims. Also covered are losses you suffer from disrupted or denied access to your systems.
An important element of cyber cover is for business interruption losses due to an attack on your IT or the systems of companies you deal with.
The third-party cover will deal with claims made against you by data subjects for data breaches, breaches of confidentiality or breaches of PCI-DSS. These data subjects could be customers, staff, suppliers, shareholders and the like. Importantly, cover is usually provided for GDPR investigations.
In addition to these covers, the cyber insurer usually meets the cost of forensic investigations to identify or confirm a data breach, and legal costs incurred in managing a data breach. Another potentially valuable cover is the cost of notifying data subjects and complying with any statutory notifications. In 2015, Anthem, the second-largest healthcare provider in the US, suffered a massive data breach in which the records of almost 80 million customers & staff, past & present, were compromised. Due to a state statutory requirement, data subjects had to be notified by mail and it was reported that the costs of stamps alone made a massive hole in the cyber cover limit of $100 million.
In ransomware attacks, the cyber insurer usually covers any ransom negotiated.
Other benefits include the cost of PR specialists to manage reputational damage to your company arising from a cyber incident.
In return for this wide-ranging cover, the insurer will expect to be notified as soon as an incident or breach is discovered or suspected. They will usually instruct experienced suppliers to deal with IT forensics, legal & PR aspects and, if necessary, ransom negotiators. Perhaps not surprisingly, most regular business people don’t know how to access large sums in bitcoin at short notice.
Whilst you may understandably want to use your normal IT supplier, there’s a risk of conflict of interest if a breach arose or resulted from any act or omission of theirs in the course of installation or upgrade work on hardware or software.
In addition – and this applies to your legal and PR teams – the panel of experts maintained by the insurers will have a lot more relevant experience of handling cyber incidents.
These will be policy conditions, and if there’s only one of your insurance policies you’re going to read (disclaimer: NOT recommended!), make it your cyber insurance policy, to ensure you know what’s required of you by way of routine cyber security before an event, and the incident notification protocol should the worst happen.
Now, make a start. Change your password to something other than your wife’s name and your date of birth.
Once you’ve done that, reach out to our team and we’ll get you covered.