Prepare. Prevent. Protect.
On the day the European Parliament finally approved the General Data Protection Regulation (GDPR), the Professional Indemnity division of Howden hosted a cyber liability discussion panel, chaired by Radio 4 Moneybox presenter Paul Lewis.
Following a brief introduction to the topic by Paul, who highlighted the well-publicised case of the lawyer Karen Mackie, who was defrauded out of £750,000 of client money, Philip Tansley, Legal Director for Technology and Cyber Risk at RPC LLP, led off with the first of five presentations.
He explained that the new legislation, which becomes law in July 2018, seeks principally to give citizens greater rights over their personal data. He advised that the legislation will add extra layers of compliance and an increased regulatory burden, but for professional services firms that are already acting responsibly most of the legislated procedures should already be in place.
Businesses cannot, however, afford to be complacent. The Regulation will impose fines of up to 4% of annual global revenue or €20 million, whichever is the greater, on businesses impacted by a data breach. The Information Commissioner's Office (ICO), which will be responsible for levying fines in the UK, has historically imposed fines of between £50,000 and £250,000 for a serious breach, considerably less than those that could be applied under GDPR. Whilst the ICO has repeatedly stated that its behaviour in relation to fines will not change significantly, it remains to be seen whether it continues to adhere to a regime based on supporting business rather than imposing onerous requirements once it becomes self-financing under the new regulation. If we look at other self-funded regulators, for example the Spanish regulator, we find that over time fining behaviour becomes increasingly aggressive.
To see Philip's full presentation, please click here.
For those firms who need to take a closer look at their exposure to cyber-crime, Matthew Martindale, Director of Cyber Defence Services at KPMG, described the different types of 'attackers' companies should be aware of. These include:
- organised crime groups, who capitalise on weaknesses in organisations' processes, often with devastating consequences;
- people from within the organisation who have access to data and are either financially motivated or have a vendetta against their employer;
- hacktivists, who are usually anonymous, often politically motivated and set out to cause damage to brands.
To see Matthew's full presentation, please click here.
Matthew compared today’s cyber criminals to 1920s bank robbers: strolling through the front door in broad daylight, spending an average of 250 days undetected within an organisation and walking out with the organisation’s ‘crown jewels’, which are usually customer data or intellectual property.
So, how do organisations protect themselves against the tens of thousands of skilled attackers whose methods are getting more sophisticated by the day?
Stay ahead of your competitors to avoid being the easiest target, get smarter with passwords and protect against your first party liability was the advice of Ken Munro, Ethical Hacker and Senior Partner at PenTest.
In explaining the importance of the ‘password’, Ken summarised the changing nature of hacking attacks over the last 20 years: the move from maliciously motivated attacks on company websites through to the current trend for password theft and phishing schemes.
Ken cited the example of an attack on Adobe in 2013 in which 150 million customer passwords were stolen. If you use a different password for each service you are registered with, the theft of one password should not pose a significant problem. However, Ken’s question of who reuses passwords was met with a rather sheepish raise of hands from over half our audience. He explained how this exposes you and your company to a cyber-attack, citing the example of the Tesco Clubcard customers whose accounts were hacked not because of Tesco’s negligence but because customers had reused passwords from elsewhere. Alarmingly, Ken forecast that a ‘Duty of Care’ may be placed on the ‘customer’ to manage their passwords effectively, meaning that in the case of the Tesco attack, for example, the organisation would be under no responsibility to issue refunds to those affected. Ken suggested the use of a password manager app to avoid the need to remember lots of different passwords, and suggested using local language characters for your master password, as they are unlikely to be on the keyboard of overseas hackers.
Moving on to First Party Liability, Ken gave the example of a recent phishing attack that resulted in the theft of £200,000 from a business. What appeared to be an invoice was sent to accounts payable as a password protected zip file. Importantly, in this case, anti-virus software can’t scan the contents of password protected zip files. A member of the accounts payable team opened the zip file and installed what purported to be the invoice. This gave the hackers direct access to the company’s accounts system and later that afternoon £200,000 was stolen. The company had no first party cyber liability insurance and as a result the loss was not covered.
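As an added illustration (not from the panel or from any of the firms mentioned), the following Python shows the check a mail gateway can apply to the attachment pattern Ken described: a zip archive whose entries carry the encryption flag cannot be scanned, so it is quarantined for manual review rather than delivered. The sample archive, its entry name and the policy function are constructed for this example.

```python
import io
import zipfile
from typing import Dict, List


def build_sample(flag_encrypted: bool) -> bytes:
    """Constructed sample: a tiny zip with one entry. When flag_encrypted is True,
    general-purpose flag bit 0 ("encrypted") is set in both the local file header
    and the central directory entry, which is what a gateway or AV engine sees on a
    password-protected attachment (the payload bytes are not actually encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.pdf.exe", b"constructed placeholder, not a real binary")
    data = bytearray(buf.getvalue())
    if flag_encrypted:
        lfh = data.find(b"PK\x03\x04")   # local file header: flags live at offset 6
        data[lfh + 6] |= 0x01
        cd = data.find(b"PK\x01\x02")    # central directory entry: flags at offset 8
        data[cd + 8] |= 0x01
    return bytes(data)


def encrypted_entries(data: bytes) -> List[str]:
    """Names of archive members whose encryption flag (bit 0) is set."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x01]


def inspect_attachment(data: bytes) -> Dict[str, object]:
    """Hypothetical gateway policy: an archive the scanner cannot look inside is
    treated as unscannable and quarantined instead of being delivered."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"is_zip": False, "encrypted": [], "quarantine": False}
    enc = encrypted_entries(data)
    return {"is_zip": True, "encrypted": enc, "quarantine": bool(enc)}


if __name__ == "__main__":
    for flagged in (False, True):
        print(flagged, inspect_attachment(build_sample(flagged)))
```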
Whilst cyber security is evolving, so are the hackers’ techniques, so if they want to find a way into your business, chances are that they will. It is therefore not surprising that, according to Graeme Newman, recent government estimates place the cost of cyber-crime to the UK economy at £27bn per year. Whilst physical crime in the UK has fallen by around 50% since 1999, adding cyber-crime statistics to the total results in an increase on the 1999 figures. Given the scale of the risk, it is crucial that cyber security is constantly on the senior management’s agenda.
To see Ken's full presentation, please click here.
Lyn Grobler, Chief Information Officer at Hyperion, explained that the key to “getting the Board on board” is a focus on three ‘R’s: responsibility, readiness and risk management. Find out who is responsible for cyber security and ensure everyone knows who to turn to in the event of an incident; be ready to respond to an incident by role-playing different scenarios; and manage your risk by knowing where your data is, what your data is, and by protecting the data that you cannot afford to lose. Lyn told us that it is not enough for senior management to address this issue as a one-off box-ticking exercise; it must remain at the top of the agenda, especially in times of significant change. Organisations cannot afford to be complacent, as this leads to vulnerability.
To see Lyn's full presentation, please click here.
Part of every organisation’s cyber risk management strategy should be to ensure that you have the right crisis management and insurance cover in place should you be subject to any form of cyber incident. Graeme Newman, Chief Innovation Officer at CFC Underwriting, asked why he can’t pick up a newspaper without reading about cyber risk, yet it is still one of the largest uninsured risks. In answering his own question he suggested that insurance buyers spend too long dwelling on the overlaps between insurance policies because the objective is always to reduce spend, highlighting that firms often wrongly believe that their cyber liability exposures are covered by existing insurance policies, for example Professional Indemnity (PI). However, this is rarely the case, and even where a PI policy does respond to a claim, it will not provide first party cover and it will not provide the critical support needed to help you mitigate the impact of the attack.
To see Graeme's full presentation, please click here.
Most businesses will never question the importance of protecting their physical property, but many are still failing to protect their less tangible assets: data, reputation and brand. By failing to protect your business against cyber risk you are leaving the door to your data wide open and, without adequate cyber liability insurance, the consequences could be devastating.
To find out how we can help protect against cyber risks, please speak to our team today.