As cybercrime rises and everyday services increasingly rely on technology, public opinions toward cyber security are changing.
We are becoming more careful with who we share our information with and expect them to keep it secure. A recent survey by Atos showed that only 25% of people would still trust an organisation after an attack. The same survey found that 58% of people say cyber security is a deciding factor when choosing an organisation to interact with.
In our previous briefing, we discussed how costly a data breach can be for your business and how a cyber policy can cover these costs as well as manage a breach for you. Below, we share some key covers that can be provided under a cyber insurance policy.
System outages and data breaches can have an adverse effect on the reputation of a business. For example, retail giant Target was the casualty of a data breach in 2013 that resulted in customer card details being stolen. After news of this spread, Target saw its sales fall by some 46% year-on-year.
It’s not always the “headline” companies that have their reputation affected by a breach. Studies have shown that in the finance, retail and healthcare industries, up to a third of consumers will stop doing business with organisations that are breached. Cyber streetwise and KPMG surveyed 1,000 small businesses and 1,000 consumers across the UK and the results were staggering.
If you consider your business, do you rely on one large customer? A data base of repeat customers or do you get funding and rely on donations? If so, a cyber-attack could lose you this larger customer, deplete this database or put a stop to donations and funding.
How the breach is communicated and managed could save your company’s reputation. Cyber insurance covers the cost of instructing expert crisis communication companies to mitigate the impact of a breach. Not only will the insurance company instruct expert communication specialists, it will also provide cover for credit and ID monitoring to those clients whose information has been breached.
According to the Allianz 2018 Risk Barometer, cyber incidents were one of the leading areas of concern for business interruption.
Well publicised attacks such as WannaCry and NotPetya have highlighted this risk to businesses. The WannaCry attack shut down hundreds of thousands of computers around the world with hackers demanding a ransom. It caused the NHS to cancel 19,000 appointments and cost them £20m initially, but the subsequent clean-up of systems and upgrades brought the total cost to £72m.
The Maersk ransomware in 2017 resulted in them having to reinstall and overhaul nearly their complete infrastructure of 4,000 servers and 45,000 PCS. They suffered significant business interruption and they were still feeling the effects a month later. They were crippled for one week, which is estimated to have cost them between $250-$300m. TNT is another company in this sector that has suffered due to ransomware.
Good IT security and being able to trade again quickly is a competitive advantage. Speaking to an insurance broker will help you find the business interruption cover appropriate for your business.
Data breaches are common place. Although they can happen as a result of a hack, the most common cause is human error.
It’s easy for an employee to accidently click on a link or open an attachment on a phishing email. This would allow malware, such as ‘key logging’ software into your system, leading to business interruption and allowing hackers to gather crucial information, such as passwords. Employees could also lose a laptop or mobile phone which holds data.
A cyber insurance policy can help in the following ways:
- Incident response, including a 24-hour helpline that you can call in the event of a data breach or hack for forensic advice and legal advice. It will also include:
- Notification costs (notifying individuals affected and taking the incoming calls).
- Notifying regulators.
- Credit and ID monitoring costs to affected customers.
- IT forensic costs.
- Legal advice and defence costs
- Privacy liability. The insurer will pay sums that you have become legally liable to pay as a result, for example, of disclosure of personally identifiable information or breach of confidentiality on your behalf.
Social engineering, which involves manipulating people in order to gain access to systems, networks or for financial gain, is how criminals take advantage of human error. You can have excellent IT security, but that firewall won’t mean much if your employees are tricked into clicking on a malicious link or disclosing banking information.
Social engineering scams, such as email attacks and phishing scams, accounted for over 25% of cyber-incidents earlier this year, affecting organisations across various industry sectors. These incidents can cause serious damage, compromising sensitive data at the click of a button. Although social engineering schemes can cost organisations over £1 million, they are preventable.
You can help your business avoid social engineering scams by communicating with your staff about phishing attacks and providing them with proper training to identify fraudulent or suspicious emails. Emphasise the importance of checking that the sender’s email address seems valid (this includes reaching out to the user to confirm their identity), that the message doesn’t contain any typos or grammatical errors and that the links don’t have lengthy, suspicious URLs when your mouse hovers over them.
Cybercrime is not covered on a cyber policy as standard, but some insurers will allow you to extend the cover.
What should you do next?
The rise in cybercrime has meant that it is necessary for firms to update their insurance policies to protect them against this new threat as some businesses rely on their digital assets more than their physical assets.
Contact our Cyber expert, Emma Buckley, on 01792 704317 or at firstname.lastname@example.org to discuss your concerns and the insurance available. We can help you find the appropriate cover for your business, to make sure you are protected in the event of a cyber security breach.