With the General Data Protection Regulation (GDPR) looming, the management of data becoming a legal requirement, and Cyber events indiscriminately affecting small and large businesses alike on a daily basis, the answer is almost certainly “yes”.
The chance of experiencing a data breach is greater than ever as the frequency of Cyber-attacks on businesses continues to increase. The cost of these breaches is often significant in terms of time and money: IBM suggests an annual cost of £2.00M for the businesses used in its research (see the IBM report). The effect of GDPR may well increase that figure (see the information on preparing for GDPR).
This evident, increasing but largely misunderstood threat is driving businesses to invest in a Cyber insurance policy, enabling them to feel secure in the knowledge that they can claim Business Interruption expenses, Cyber Incident Response expenses, Regulatory Fines (GDPR and others) and Legal Defence costs following a data breach or Cyber failing.
We hope that the following information will summarise the principal benefits of Cyber-risk Management and insurance. Perhaps it will also explain why, in this day and age, businesses must add the loss of or damage to data to their Risk Registers and disaster recovery programmes. Data not only has an undoubted (but oft misunderstood!) value but also carries a very real liability.
What is a Cyber Incident?
System failure, loss of data, loss of access to data, theft of data. The definition of a Cyber Incident varies hither and thither, but the following is a good start.
An incident is any event that threatens the security, confidentiality, integrity, or availability of CABQ*1 information assets (electronic or paper), information systems, and/or the networks that deliver the information. Any violation of computer security policies, acceptable use policies, or standard computer security practices is an incident.
Incidents may include but are not limited to:
- Unauthorised entry
- Security breach or potential security breach
- Unauthorised scan or probe
- Denial of service
- Malicious code or virus
- Other violations of the CABQ IT Policies and Standards
- Networking system failure (widespread)
- Application or database failure (widespread)
Key to a business’s success is looking after its assets and liabilities. Those assets and liabilities change in value and importance from time to time. We are now undergoing (indeed, having to undergo) a paradigm shift, driven both by necessity and by legal requirement, in what we consider our assets and liabilities to be.
Protecting a warehouse with a sprinkler system will not prevent a fire from occurring – but it may well reduce the value of losses, consequential losses and business interruption losses caused by the fire. Similarly, sensible and well-understood Cyber-risk Management may not always prevent a Cyber event – but it will have a profoundly beneficial effect on the impact of that Cyber event, as defined above.
Transfer of Risk
Having considered all of the possible ways of reducing exposure to a Cyber event, and having put in place strong controls to ensure swift recovery from such an event, one is left with the option of retaining the risk or transferring it: typically to an Insurance Company/Carrier.
IBM found in its research (on larger businesses) that the average value of data loss was about £100.00 per record. A business with 10,000 records therefore stands to lose £1.0M.
The losses sustained by smaller businesses are not so well documented. We are aware of comparatively small businesses which have suffered Cyber Issues in the past. They have survived – sometimes only just. With GDPR becoming law in April 2018, survival will be more difficult. With their reliance on electronic data and systems, the chance of a Cyber event happening continues to increase. One small business we know well has 6,000 records on file. Their turnover is just £170,000; their potential loss from a Cyber event (just from their records being compromised) is £600,000!
So, having identified the risk, one can either:
- set aside funds to carry the risk internally, or
- transfer the risk to a specialist insurer.
Insurance does not and cannot provide a total solution to Cyber Risk. It is the support given after one has taken all reasonable Risk Management precautions to avoid or minimise the value of an incident. However, buying Cyber insurance (like any other insurance) both frees up resources and removes the uncertainty that would otherwise prevail.
These days, more so than ever, data (electronic information) is critical to the success of practically every business. (Even our window cleaner has a substantial client list on his phone: the information includes addresses and often alarm codes, door-lock codes and notes as to where the spare keys are hidden!)
It would seem that many businesses do not yet realise the value of the data they hold – nor the liability that attaches to them should they lose that data for any reason.
To ensure that any business can survive a Cyber Incident (as with any other incident), it is critical that the business has in place a business continuity plan: a well-rehearsed plan to respond to any incident swiftly and professionally whilst minimising the impact on the ability of the business to trade.
If the business does not have the in-house resources to create a business continuity plan, it should seek external assistance – and work with its broker/insurer.
Trust and relationships remain a prime factor in helping sustain the long term viability of a business. Cyber insurance underwriters will only insure businesses that can openly demonstrate the effectiveness of their Cyber-risk Management proposals. As with any contractual relationship, to be successful, both parties must be honest and truthful with the other.
A Cyber event will affect different businesses in different ways. It is important that both parties, the insured and the insurer, are in full agreement with the nature of the risks to be insured.
People, Policies & Procedures
Many articles have been written which promote the thought that “the staff of a business are the weakest link in any business Cyber situation”.
We think this is disingenuous and misses an opportunity to work inclusively with all staff. With the fundamentally right policies in place and the ongoing development of inclusive procedures, the staff of any business can be critical to the ongoing stability of that business generally, and particularly from a Cyber event perspective.
The Insurance Act 2015, Disclosure & Transparency
The Insurance Act was designed to protect the insured from the use of unfair (unreasonable) contract conditions and warranties by Insurers. However, the Act clearly places the duty of “disclosure” on the insured.
That is to say, what one tells an Insurance broker or Underwriter must be true and complete. It is important that all businesses have in place a mechanism that enables full disclosure. On the matter of Cyber insurance, this may well necessitate engaging the IT department (or the person responsible for IT) at board level.
In assessing “The Risk” and determining the premium, underwriters will need to have knowledge of and fully understand:
- the nature of the potential exposure of the business,
- the levels of exposure of the business,
- the governance and control systems in place for the business,
- the training and education provided to employees of the business,
- the governance and control systems in place for suppliers to the business,
- whether the business is or will be compliant with GDPR, and
- Cyber events in the past that would be covered under the proposed Cyber Policy.
Full disclosure and transparency of all material information by the insured is critical if the insurance underwriter is to be able to assess the risk and apply the correct and appropriate premium.
Without full information, the broker will not be able to assess the Cyber covers that the business requires, and the underwriter will be unable to assess the risk and calculate an annual cost for insurance.
Cyber insurance*2 in the UK is still in its infancy. Some insurers will provide a bespoke policy wording (usually accommodating “large businesses”), whilst others will only consider a “cover all” policy wording suitable for smaller organisations. However, many small businesses and SMEs require a hybrid solution.
From LinkedIn – Generally, businesses run risk assessments against a wide range of functions and closely monitor operational risk, yet often the implications of information security aren’t considered. We have all seen the media coverage of high, negative impact breaches – so why aren’t Cyber risks reflected on the corporate risk register?
Whilst many Insurers now provide Management and Risk Management tools with a plethora of differing insurance contracts, the Cyber policy, as a necessity, comes equipped with a team of experts who are able to assist with the policyholder’s response to a Cyber event. For example, the policy coverage can and does include assistance from forensic experts, IT specialists and a PR team to protect the business’s ongoing reputation. Insurers will assist in identifying risks, help reduce the impact of a Cyber event, help secure systems and identify solutions to overcome the Cyber event in the most appropriate and expedient manner.
However, before buying insurance every business should look internally at:
- their systems and procedures,
- their staff training and Cyber education,
- the value of their data (to them and to the ne’er-do-wells who might take or damage it),
- the fines that the business might have to meet if data is compromised,
- the effect of a systems failure (caused internally or externally),
- the consequences of back-up systems failure, and
- the consequences of failing to properly secure and/or encrypt data.
BGi.uk – Cyber works with a number of IT specialist service providers, covering staff Cyber awareness training, secure back-up, secure data transfer, secure e-mail and Cyber Essentials accreditation.
We very much believe that Risk Management should always be considered in detail before any business considers buying Insurance. This is particularly true in the world of Cyber Insurance.
Who innocently uploaded a contaminated File?
Who is the hacker?
Who accessed the system via an insecure Wi-Fi?
Who picks up the pieces when it all goes wrong?
*1 CABQ – City of Albuquerque (CABQ) Information Technology Services
*2 Without the security of insurance in the background a business would have to keep substantial reserves – just in case.