It is important to note that insurance companies treat cyber attacks and financial crime differently, with separate policies and covers. A business should consider both in order to maximise its protection.
Cyber Liability Insurance
As businesses become ever more reliant on technology, the risk of suffering a loss relating to problems on their computer systems or to holding sensitive customer data continues to grow.
From the loss of a laptop, a website being hacked, credit card data being stolen or a denial of service attack to a file of sensitive information left on a train, these can all have an impact on your business through loss of revenue, damage to reputation and legal and regulatory costs.
The media continues to report on large companies being affected but rarely mentions small and medium companies being attacked. According to recent statistics, a “ransomware” attack is occurring at least once a day.
There is a misconception that small companies will not be affected. Every company that holds sensitive customer information or is reliant on a computer system, has a website and is subject to the Payment Card Industry (PCI) merchant services agreements is vulnerable to a data breach. Though business owners are mindful and wary of risks to the business, a “spam” email opened by a junior employee can lock a computer system and impact the business.
Suffering a cyber-attack is one thing, but the time it takes a business to recover can make the difference between long term business success and failure. Learning the lessons from a cyber-attack should be seen as an important part of any business’s cyber strategy, but 32% of small businesses with fewer than 50 employees said nothing has changed in the past 12 months as a result of security incidents. For UK businesses with 99 or fewer employees, the average estimated cost of their largest cyber incident over the last 12 months was £25,736, compared to £62,712 for UK businesses with 1,000 or more employees. Yet these amounts only reflect the immediate direct costs and don’t include the longer term impact on business reputation and consumer confidence.
A Cyber Liability Insurance policy provides various covers including:
Practical Support in the Event of a Data Breach: Including forensic investigations to find out what went wrong and whose data has been at risk, legal advice, notifying the Regulator and customers and offering support to clients who have been affected.
Payments of Costs Associated with Regulatory Investigations: If the Regulator makes a claim against you for failing to keep customers’ data secure, an insurance policy will assist the policyholder.
Reimbursement for Costs of Repairs following Restoration or Replacement: A hack to your website or network can cause damage, and the costs of repair or restoration can be significant.
Loss of Income: Damage to your website can result in a loss of revenue which could take weeks if not longer to rectify.
Brand and Reputation: Your company’s reputation is very important, and notifying customers that their data has been compromised can have an impact, so it is important to act quickly and reassure the public that the damage is minimal.
Extortion: Insurers in some cases will look to pay the ransom in order to minimise long term costs.
We understand the cyber risks to your business and can assist with your concerns. It is your responsibility as a “data controller” to understand all the risks, including those from the “Outsourced Service Provider” (OSP) who may hold your data. From experience, an OSP’s contract omits any consequential loss should they be hacked and your data be lost. This is an emerging risk and poses a threat to any business using an Outsourced Service Provider for any part of the business.
Financial Crime and Fidelity
Though a Cyber Liability policy will assist your company should data be stolen, what happens if there is a financial theft?
Recent statistics say that 34% of companies have experienced a financial crime during the last two years, from employees stealing to fraudsters impersonating suppliers. One in ten of these companies incurred losses of over £3m and, with the ever increasing reliance on technology, it is expected that these figures will only increase.
A Financial Crime or Fidelity policy provides cover for theft from the insured by anyone, whether employed by them or not, including cheques and security fraud, telephone hacking fraud and employee dishonesty.
As a business owner or director in the company, you should continually monitor the processes of finance, and insurers would expect an element of risk management. An insurance policy will also provide peace of mind should a mistake be made resulting in a fraudulent act being committed.
With an ever increasing number of examples of companies being affected by cyber attacks and financial crime, please give us a call if you wish to discuss these or have any queries about either of these covers.
Scenario 1: Employee Error
An HR recruiter for a healthcare organisation accidentally attached the wrong file when sending an email to four job applicants. The file included HR demographic data consisting of 43,000 former employee names, addresses, and national ID numbers. The insured telephoned the Chubb Incident Response Hotline for assistance and an incident response manager was assigned. Legal services were brought in to manage regulatory implications.
– Defence expenses arising from regulatory investigation - £55,000
– Defence and settlement costs for claims by employees that had identity stolen - £100,000
Incident Response Expenses
– Incident response manager fees - £5,000
– Notification to affected individuals - £3,000
– Identity theft monitoring services for affected individuals - £13,000
– Legal consultation fees - £10,000
Takeaways: As innocent as it may seem, human error can be very costly, and it occurs more frequently than expected. It’s important to understand that cyber is not only related to technological incidents. Many of the claims we see stem from very simple mistakes.
Scenario 2: Denial of Service Attack
The data centre which hosted an online retail company’s website became the target of a distributed denial of service attack. The attack, which utilised hacked internet of things devices, flooded the data centre’s network with so much traffic that their network failed. This made the online retail company’s website inaccessible for a period of six hours before backup systems were able to restore 100% functionality. The insured in this scenario is the online retailer. After telephoning the Chubb Incident Response Hotline, an incident response manager was assigned.
– Increased cost of working required to get website functioning properly - £9,000
– Costs to subcontract with external service provider - £12,000
– Lost sales and revenue from website downtime - £100,000
Incident Response Expenses
– IT forensics firm - £12,000
– Legal consultation fees - £10,000
– Incident response manager fees - £6,000
Takeaways: Distributed Denial of Service (DDoS) attacks are becoming more powerful as the use of easily hacked internet of things devices increases. To minimise impact of a scenario like this one, it is important to build a business continuity plan that ensures critical business applications, systems, and activities do not rely on only one critical IT provider. Chubb’s incident response managers and vendors are experienced in dealing with DDoS attacks and will assist in getting your business back on track as soon as possible.