At a glance
- About ten years ago, you could have been forgiven for not showing a great deal of interest in cyber security, particularly in the context of smaller companies
- Cyber-attacks have also received increased press coverage lately. In May 2017 we saw the carnage on a global level caused by the WannaCry ransomware attack
- Dealing with the fallout of a cyber-attack is clearly not a cheap business, and companies will need to work out if they can afford to take the risk of absorbing these costs themselves
About ten years ago, you could have been forgiven for not showing a great deal of interest in cyber security, particularly in the context of smaller companies.
It’s easy to see why someone would want to hack Sony, for example, but what possible interest would a hacker have in a three-partner firm of accountants in a small English town? Things are definitely changing though, particularly with the growing reliance on IT systems for even small companies, together with the increasing amount of valuable personal data they hold, and the expectation of customers to be able to make card payments online. All these things make small companies attractive targets for cyber criminals, even more so given they often don’t have the resources to invest heavily in security.
Worryingly, a report commissioned by the Government in 2017 highlighted that just under half of all businesses had identified at least one cyber security breach or attack in the previous 12 months. It is difficult to see this figure decreasing over the years to come. Amongst the organisations which identified breaches, by far the most common was receiving fraudulent emails or being directed to fraudulent websites. These have come a long way since the days of the benevolent overseas billionaire seeking assistance in transferring large sums of money to an account in the UK in exchange for a large reward. Nowadays they can take the form of authentic-looking emails purportedly from well-known companies, so it is easy to see how even a slightly distracted person could be duped into clicking on a dodgy link.
Cyber-attacks have also received increased press coverage lately. In May 2017 we saw the carnage on a global level caused by the WannaCry ransomware attack, which was estimated to have affected more than 200,000 computers across 150 countries, but which also had a huge impact on the NHS in this country. Around the same time, credit reporting agency Equifax suffered a significant security breach whereby cybercriminals were able to access the personal data of approximately 148 million consumers in the U.S. Back in the United Kingdom, payday loan company Wonga was hacked in April 2017, giving access to the personal data of approximately 250,000 customers. These are only a couple of examples, and a simple internet search reveals many more organisations around the world that have been affected by cyber-attacks.
Clearly in light of the above, no company can adopt a complacent attitude towards cyber security, particularly with the introduction of the General Data Protection Regulation (GDPR) in May this year, which imposes strict data protection requirements on companies, with the possibility of significant financial penalties being imposed for non-compliance. The level of fine for a significant breach could be up to 4% of global turnover or €20m, whichever sum is larger. So what can you do about it? Other than making sure your IT systems are as robust as they can be, obtaining cyber insurance needs to be seen as being as essential as any other type of insurance you would use to protect your business.
So what does cyber insurance cover?
Typically, it will contain the following covers:
• Lost business income in the event that you cannot operate as a result of a cyber-attack.
• The cost of hiring IT professionals, public relations professionals or legal advisers.
• Cyber extortion payments to recover data.
• Civil damages to third parties as a result of a privacy breach and any defence/investigation costs.
• Cost of recovering IT systems/data following a cyber-attack.
However, it is likely (subject to the point being tested in the courts) that those potentially hefty fines resulting from the introduction of GDPR will not fall for cover under a cyber policy, in light of the principle that regulatory fines are not legally insurable, albeit there should be cover for costs associated with defending a regulatory investigation. Dealing with the fallout of a cyber-attack is clearly not a cheap business, and companies will need to work out if they can afford to take the risk of absorbing these costs themselves. If the answer to that question is “no”, then a two-pronged approach of ensuring IT systems are up to speed, as well as taking out a cyber insurance policy, is vital in the current climate. GDPR will be an additional concern for any companies which process the personal data of EU citizens, no matter how big or small they are, and the deadline of 25 May, when the regulation comes into force, is now only a matter of weeks away.
This article was published as part of our Spring 2018 Claims Quarterly Journal.
For more information, please speak with your local Zurich contact.