You don’t buy fire insurance because you expect a fire, or theft insurance because you are expecting to be robbed. So why don’t you buy cyber insurance when everyone around you is being hacked or infiltrated by viruses and threats of attack? Buying the cover will not make you immune from attack, and it will not encourage attack or promote the ongoing rise in attacks.
Having your server ‘in the cloud’ will not prevent a virus or protect your data from an unscrupulous unknown with a fraudulent finger ready to pounce on you and hold you and your website to ransom.
Maybe you do not feel you are vulnerable; maybe you only use the internet for browsing. If that is the case, try switching it off for an hour and see how well you manage; that means your mobile telephone too, and your photocopier, your heating system, and the internet and systems of all of your customers, as doubtless they will be attacked if you are. And they may not look too kindly on you after you have spread a virus which infected their software systems.
Defences (Reasons) not to take out insurance cover are:
We have our own computer chap and he is great; he is always able to fix anything that goes wrong.
And he only works for you?
And he is available 100% of the time, day and night, and never takes a holiday?
And he also has access to a PR agency to explain to your customers why their names and addresses and other details have been leaked?
And he will pay for the consequential loss of income to the company arising out of the outage?
And he will pay the wages of the people sitting idle whilst you struggle to find the root of the problem?
If all that doesn’t put a tiny bit of fear in you and you are not considering taking out some kind of protection, think on the new statute requiring you to consider doing something.
You didn’t know about it? Ignorance is not bliss: on 4th May 2016 the General Data Protection Regulation was published, and it entered into force 20 days after its publication. It will be a further two years until member states of the EU must be fully compliant with the regulation.
What is the catchily named GDPR all about? Many companies will need to implement a complex privacy management system; risk transfer finance strategies will need to be developed and compliance demonstrated before the end of the implementation period.
Data breaches cost on average £115 to $165 per day per compromised record.
£3.1 million was the average total organisational cost of a data breach in Europe.
51% of breaches were caused by negligence or IT glitches.
In the UK 90% of large organisations and 74% of small organisations reported they had a security breach.
If you suffer a data protection loss and the Information Commissioner comes after you, it will be expensive: fines for the most serious breaches have increased to EUR 20 million or 4% of total turnover. You cannot insure against a fine, but prevention is better than cure, and taking steps to reduce the severity of a loss or to clear up swiftly afterwards will be viewed positively.
Industries attacked are not limited in type or size; the cyber fraudster doesn’t care, and they are not all clever; they may attack your server, website or systems and leave them in a mess afterwards, way beyond what they can fix even if you pay their ransom. The cleverest hackers may be able to put the system back up and running again, but leave a present for you to find much later.
Who has been attacked?
Power and Utilities – critical infrastructures have been interrupted
Financial Services – financial and litigation losses estimated at £0.8 billion alone, whether by fraudulent fund transfers or system hijacks, viruses and website interruptions
Healthcare – all possess private data, and 88% of all US healthcare providers have been attacked by ransomware
Manufacturing – increasingly complex supply chains make manufacturing as vulnerable as everyone else, and the increasing use of software to run machines makes them susceptible to attack. In 2014 hackers attacked the business and production systems of a German steel mill, accessing the control system and triggering an unscheduled shutdown of the furnace, causing massive damage to equipment
Retail – point of sale systems capture your data, and the increasingly interlinked way we all live means an attack can reach across many systems
Education – identity fraud is rife, and the culture of openness and information-sharing makes it highly susceptible to cyber risk
What should you do?
Understand your potential areas of risk
Undertake a risk assessment
Consider risk transfer and loss funding options
Develop underwriting information
The insurance of things
We all understand the basics of insurance and the need to protect against the loss of assets – the so-called Insurance of Things.
Today we are experiencing a further industrial revolution based on the Internet of Things, complicated by the combination of interconnected machines and people across previously separate areas.
Then we consider business interruption following non-physical damage, and the gaps between physical and non-physical losses: gaps in cover, and which insurer is going to pay the loss.
Statistics in the last year show that cyber attacks come in different forms and sizes and, surprisingly perhaps:
52% of security breaches come from malicious insiders (disgruntled employees, greedy employees and employees approached by criminals to assist in crime)
43% of attacks were by malicious outsiders
4% were by people with political or other agendas
1% were state sponsored
1% were accidental loss
What to do now?
Let us assume you have understood your potential areas of risk, have carried out a risk assessment and have looked at risk transfer and loss funding options; there are some relatively simple things you can do to manage the employees, who are both the strongest and the weakest link in your cyber defence:
· Engage employees to be cyber vigilant:
o Monitor your company’s bring-your-own-device programme. Enforce password protection on all devices and computers throughout the company; do not share passwords or reveal them to others; ensure they are changed regularly; and scan memory sticks before uploading data to company software.
o Put a cyber awareness campaign into place. HR and IT should work closely together to inform all employees about cyber threats.
o Create policies and procedures around data security when employees leave the company. Too often departing employees’ credentials are not cancelled in a timely manner, allowing them to retain access to sensitive data.
o Manage and monitor IT systems and networks – control the access of staff, limit the number of privileged users, monitor activity, and log and analyse unusual activity.
o Educate employees about spear phishing attacks.
o Keep abreast of change. A continuing effort is needed to educate employees about evolving cyber risks and to recognise and report potential breaches.
o Keep systems up to date – set ‘patch’ software to automatically update programs to fix security vulnerabilities, and carry out regular scans.
o Create a disaster recovery plan – produce and test plans to ensure the business is prepared in the event of an incident.
o Establish anti-malware protections – scan for malware across the business.
o Protect networks – implement network security controls to protect networks from internal and external attacks.
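Two of the items above (cancelling leavers’ credentials promptly, and limiting and monitoring privileged users) can be turned into a routine reconciliation check. The script below is an added example, not part of the Lycetts post; the HR leavers feed and the directory export are constructed, and the field names and the privileged-user ceiling are assumptions.

```python
"""Added example: reconcile an HR leavers list against a directory export to
flag leavers whose accounts are still enabled (or used) after they left, and
report whether the number of enabled privileged accounts exceeds an agreed cap.
All data here is constructed; field names and the cap are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    username: str
    enabled: bool
    privileged: bool              # e.g. member of an admin group (assumed field)
    last_logon: Optional[date]    # None if the account has never logged on


# Constructed HR leavers feed: username -> last working day
LEAVERS = {"jsmith": date(2016, 5, 31), "apatel": date(2016, 6, 10)}

# Constructed directory export
ACCOUNTS = [
    Account("jsmith", True, True, date(2016, 6, 14)),   # left, still enabled, used
    Account("apatel", False, False, date(2016, 6, 9)),  # left, correctly disabled
    Account("bjones", True, True, date(2016, 6, 15)),
    Account("mlee", True, False, date(2016, 6, 15)),
    Account("svc_backup", True, True, date(2016, 6, 15)),
]
RUN_DATE = date(2016, 6, 15)  # constructed date on which the check is run


def stale_leaver_accounts(accounts, leavers, today, grace_days=1):
    """Return (username, issue) pairs for leavers whose account is still enabled
    beyond the grace period, or that recorded a logon after the leaving date."""
    findings = []
    for acct in accounts:
        left = leavers.get(acct.username)
        if left is None:
            continue                       # current employee, nothing to check
        if acct.enabled and today > left + timedelta(days=grace_days):
            findings.append((acct.username, "still enabled after leaving"))
        if acct.last_logon is not None and acct.last_logon > left:
            findings.append((acct.username, "logon after leaving date"))
    return findings


def privileged_user_report(accounts, max_privileged=2):
    """Return the sorted enabled privileged usernames and whether they exceed the cap."""
    privileged = sorted(a.username for a in accounts if a.enabled and a.privileged)
    return privileged, len(privileged) > max_privileged


if __name__ == "__main__":
    for user, issue in stale_leaver_accounts(ACCOUNTS, LEAVERS, RUN_DATE):
        print(f"ALERT {user}: {issue}")
    print("privileged accounts: %s (over cap: %s)" % privileged_user_report(ACCOUNTS))
```

Running the same check daily against the real HR feed and directory export turns the “cancel credentials in a timely manner” policy into something that is measured rather than assumed.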
At Lycetts, we continue to monitor the changing environment of risk associated with cyber attacks and meet underwriters to evolve policies to meet these needs.
For advice on the best way to approach and deal with the growing impact of cyber crime, contact one of our Account Executives for more information and assistance.
What are others doing?
One in three companies in the US takes out cyber cover; premiums spent exceeded £2 billion in the last year.
Companies are separating their internet use from their core operations activities to reduce their exposure to outside forces.
SOME INSTITUTIONS ARE NOW USING PEN
AND PAPER TO RECORD CRITICAL DATA!