How many of you still use the same password for multiple websites, keep your passwords in a notebook or on a Post-It, or happily make online payments via the Wi-Fi in a coffee shop? My guess is quite a few.
Do businesses take cyber security any more seriously, though? The 2016 Ipsos MORI Cyber Security Breaches Survey suggests not. It reveals that only 29% of surveyed companies have cyber-security policies and just 10% have formal incident management plans.
Most people reading this article will work for or run smaller businesses, and it is unlikely that you will be operating as an e-retailer, so how important is cyber security? Aren’t cyber criminals more likely to target large businesses such as Tesco Bank or Yahoo?
The most recent annual Crime Survey for England and Wales revealed that almost one in 10 people has fallen victim to online fraud, making it the most common crime in the UK. It is far more prevalent than domestic burglary and also more complex, with criminals using numerous methods, from malware to spyware to ransomware, in order to access and exploit data for financial gain. Cyber-crime is also underreported: CSEW figures suggest there were 3.6m cases of fraud in 2016, but police recorded only 622,000 offences.
Leaving doors unlocked
Someone once described to me how cybercriminals operate. Unless they are targeting a specific organisation, which is less common than a random attack, they indiscriminately ‘knock’ on lots of system ‘doors’. When they find an open one – for example a system that is unprotected or easy to access – they enter. They are then only a few steps away from data on your clients and employees. Very few of us leave our houses unlocked, and yet many leave the virtual door to their businesses open. Attacks are increasingly frequent, with 65% of firms that responded to the Ipsos MORI poll stating they had detected a cyber-security breach or attack in the past year. Many more breaches go undetected.
A cyber breach is very different to a traditional burglary. The impact of a break-in is immediately obvious and, while distressing, the steps needed to rectify the situation are fairly apparent: assets are replaced, the damage is repaired and credit cards are stopped. The impact of a cyber breach, if the breach is detected at all, is much harder to establish.
I was recently speaking to representatives of a business that had suffered a cyber-attack. Its IT team responded fairly quickly; there was no apparent loss of data or funds and no clear evidence of damage to the firm’s systems. A few weeks after the attack, the firm believed it was all clear. I asked whether anyone had undertaken a forensic investigation of its systems to establish whether they were likely to suffer any longer-term damage due, for example, to the installation of malware, and was told no-one had. This response is not uncommon, but it is of concern.
In an oft-cited example of an attack on a professional services firm, hackers sent a member of the accounts team in a small accountancy firm a phishing email with a bogus Word document attached. The employee opened the attachment, which installed a piece of key-logging software on the firm’s systems. This, in turn, allowed the hackers to access the firm’s accounting systems and its bank account.
The insured firm was contacted by its bank after the hackers had initiated several wire transfers from the firm’s account to accounts in Nigeria. Having been advised of this, the firm instructed a forensic IT company to establish what had happened and remove the malware from its system. It managed to recall some of the wire transfers but was left with a £164,000 loss and costs of £15,000 for forensics work.
In the case of a traditional burglary, criminals enter and exit a property fairly quickly. Once they are in, there is little you can safely do to reduce the impact of the break-in. Cyber-attacks are very different. The initial break-in may go undetected; its impact may be very difficult to ascertain and what happens immediately after the attack may have a huge influence on the severity of the outcome. An immediate and informed response can make a significant difference to the impact of the breach. This is why cyber-liability insurance policies are so valuable.
Perhaps because of the use of the term insurance and the big numbers often cited in press coverage of cyber-attacks, the value of cyber-liability cover is generally assessed on its ability to cover a financial loss. As a result, the buying decision is heavily influenced by whether or not that financial loss would be covered by another form of insurance such as professional indemnity insurance (PII). Cover for many of the financial losses that could arise as a result of a cyber-attack is currently provided by other forms of insurance, so firms are understandably reluctant to buy a stand-alone cyber policy.
A firm that purchases, for example, a CLC-compliant PII policy should continue to look to its PII for indemnification from third-party civil liability claims arising from the conduct of professional business. This would include, for example, a claim from a client who has lost money as a direct result of a cyber-attack against your business. PII policies are, however, largely untested in terms of their response to cyber-attacks, and this cover may not always be available.
Furthermore, unless your PII policy contains a first-party fidelity extension, it is unlikely to offer any protection for loss of your business’s own funds. This leaves a potential exposure to electronic funds transfer fraud, ransomware and cyber extortion, which are predicted to be the biggest cyber threats of 2017.
A cyber liability policy does offer valuable cover for some financial losses, but it is principally designed to help you mitigate a loss by providing immediate access to the specialist expertise you will need to minimise the impact of a data breach. This has led some underwriters to compare a cyber policy to kidnap and ransom insurance: the worst has happened, but the policy helps to contain the damage and ensure recovery.
At this point, let’s review that Ipsos MORI survey again – only 10% of companies have formal incident management plans in place. This suggests that 90% of companies are unlikely to know what to do if they are attacked.
Cyber-liability insurance provides 24/7 access to an incident response team that will help you manage everything from communication with your clients and employees through to the provision of identity theft mitigation services and assistance with managing your reputation. The team will collectively ensure that your business is fully operational as soon as possible, which is critical in the case of a ransomware attack. Very few firms have access to this expertise in house, and equally few will know which third-party providers to turn to. Furthermore, that expertise, if sourced independently, will be expensive. A cyber-liability policy will not only ensure you know where to turn, it will also cover the cost.
Good-quality cyber cover starts at just a few hundred pounds – less than the typical home insurance policy – whereas the cost of managing a breach can easily run into hundreds of thousands. So why aren’t more firms buying stand-alone cyber cover?