Every business relies on technology in some way or another, so the risk of a cyber breach is real and, as with any business risk, it needs to be assessed and mitigated.
What is the real threat?
As a business, you provide a service based on professionalism, trust and reputation.
So what if that vital reputation was to be damaged because your systems were compromised and you lost the trust of your clients?
What if clients stopped using your services because your name was in the media due to a data breach, and they then went on to find a new, more secure provider?
What if you were unable to access your systems at all, due to ransomware or malware that had destroyed your hardware in its entirety?
What if you weren’t compliant with the GDPR requirements and suffered an ICO fine and investigation?
What if your finance department were tricked into paying an invoice that was fraudulent?
What if your employee clicked on a link in a phishing email and gave a hacker full access to your systems and data?
These scenarios are becoming increasingly frequent in the UK, and as hackers become more advanced, large and small companies alike are being targeted.
Assessing and managing the risk
One of the most important places to start is to understand which of your information and processes need to be protected.
Not every business has a six-figure cyber-security budget, but the basics need not cost much. A good starting point is the National Cyber Security Centre’s (NCSC) government-backed Cyber Essentials certification, which will help ensure that your primary defences are in place and will demonstrate your commitment to cyber-security.
You can create awareness throughout your business by educating your employees and senior executives about social engineering risks. Something as small as highlighting the importance of password security and creating a culture where human error is not a blame game should free individuals to report incidents, allowing them to be dealt with quickly. Responding quickly to a cyber-breach may make all the difference.
Never underestimate the insider threat in your business. Firewalls will protect your network boundaries but have no effect against threats inside the business. It is therefore important to have policies and procedures in place to restrict and monitor user access and to make sure that leavers’ access is removed promptly.
Why transfer the risk via Cyber Insurance?
We know that UK businesses are being targeted by cyber-criminals. In October 2018, specialist global insurer Hiscox examined the frequency of cyber attacks on small businesses in the UK and estimated 65,000 attempts every day (CRIF, 2019). Cyber is now considered the modern crime and, under GDPR, the average cost of claims has increased because of the notification requirements and issues of class action. First-party losses such as business interruption and reputational harm are key causes of financial loss and in many cases can be critical to the survival of a business.
Benefits of Cyber Insurance
- Critical incident response access to specialists such as IT forensics, legal advice and crisis management to identify, mitigate and remove any suspected or known threat.
- Cover for business interruption to assist in returning your income to pre-breach levels.
- Cover for network security and privacy liability against third-party claims.
- Sub-limits in most cases for Cyber-crime and the transfer of your own funds and extortion.
- Specialist knowledge required to deal with ransomware and the capacity to reduce the impact of distributed denial of service attacks.
- Above all, peace of mind.
If you have or are considering Cyber Insurance:
Always make sure that your limit of indemnity is adequate by considering the potential financial loss to your business and your clients. Consider the implication of multiple cyber incidents in one year and the limits and sub-limits of cover in your policy.
Ensure that the financial lines you have covered, such as Professional Indemnity, Directors & Officers, Cyber and/or Crime policies, all work alongside (and not against) each other in the event of a claim. If you suspect or become aware of an incident, contact the incident response line without delay. This can mitigate loss and get you back up and running as soon as possible.
Make sure that your business continuity plan covers Cyber risk and make sure that this plan is available offline too – should the worst happen.
In summary, it is clear that proactive protection and management of cyber risk in today’s society is a must. No matter the size of your company, the technological revolution has changed the way in which we operate. Current employees, former employees, competitors, collaborators, IT service providers, activists, nation states and criminal organisations all present a threat to businesses globally, and as the scale and sophistication of cyber risk advance, we can’t ignore it any longer.