
EU, GDPR and Brexit


Introduction

The EU General Data Protection Regulation (GDPR) will become legislation in May 2018, which will be a significant change for UK businesses. GDPR will introduce new laws, such as substantial fines for processing data without the consent of data subjects. This regulation will update various elements of the Data Protection Act 1998 (DPA98), bringing in new requirements for UK companies to adhere to. Regardless of Brexit, European law will continue to be in effect for 2 years after Article 50 is triggered, and the ICO have stated that the EU GDPR will be embedded into revised data protection laws in the UK from 25th May 2018.

Details

This new legislation is designed to allow individuals to manage their personal data, as well as to allow businesses better access to a digital single market with uniform regulations throughout. The GDPR was ratified and became law in the EU in 2016. Member states in the EU have a two-year implementation period, and enforcement of the regulation should commence by May 2018.

Implementation of GDPR will give regulators the authority to issue fines and penalties equal to 2% of a business's global revenue for any violation of its security, record-keeping and privacy impact assessment obligations. In addition, violations related to data subject rights and cross-border data transfers could result in fines of 4% of the business's global turnover.

Data Protection Officers (DPOs) will also need to be appointed for larger firms. Responsibilities of the role include advising employees of their obligations to comply with the GDPR and monitoring compliance. Like the DPA98, the GDPR will require data controllers to have a proper reason for processing personal data. In addition, the GDPR has a "right to be forgotten" provision, which requires a data subject's personal data to be erased if they request it. Data processors, who are not subject to the current DPA98, must follow certain new requirements of the GDPR, and there will be greater obligations when outsourcing the processing of data to third parties, which could lead to compensation claims in the event of non-compliance. A guide to GDPR can be found here.

Conclusion

GDPR is one of the most significant changes to European legislation in a generation. Regardless of Brexit, the EU is one of the UK's largest trading partners, and as such anything less than a mirror image of the regulations will only be a hindrance for the UK when negotiating its exit from the EU. UK businesses therefore have a matter of months to get up to speed and comply with a range of new, onerous data protection regulations. It is recommended that, as a first step, a cyber risk team is created internally to bring together the different stakeholders of the business and plan how the regulation will impact the business and its customers, and what needs to be done as a priority to comply.

The Cyber Risk Team


Introduction

Forming a cyber-risk team is becoming increasingly important as the rate of cyber-attacks on UK businesses continues to rise. It is an essential way to help mitigate the risk of cyber-attacks. Only 13% of CEOs in the UK are responsible for the cyber risks in their business, meanwhile 90% of CEOs still neglect it. Having a team will give businesses wider insight into how to effectively manage their cyber protocols.

Details

Cyber-risk teams are groups within a business that normally comprise the CEO and board directors as well as cyber experts such as CTOs and CIOs. They analyse the performance of the business's cyber security and the handling of its data. The team should discuss recovery plans, such as how to restore normal business functionality if an attack were to occur. In addition, the team should assess whether staff are trained and experienced enough to understand and mitigate cyber risks themselves. Other topics of discussion may include how vulnerabilities are identified, which monitoring software is being used and how regulatory requirements are being met.

A survey by ComRes showed that only 13% of 200 businesses stated that the managing director is responsible for the team, and 9% named the financial director. 52% of businesses delegated responsibility to CTOs and CIOs. These figures show that while businesses do understand the importance of having a cyber-risk committee, CEOs are not taking enough responsibility to personally evaluate and analyse the potential risks. Furthermore, a government cyber report on FTSE 350 companies stated that only 33% of businesses had a clear understanding of their key information, whereas 67% only had an acceptable understanding. This is alarming when considering the increasing rate of attacks.

The Cyber Security Breaches report showed that the percentage of firms with a board member responsible for cyber security differed by the size of the firm:

• 21% for Micro firms
• 37% for Small firms
• 39% for Medium firms
• 49% for Large firms

Overall, 51% of UK businesses have tried to identify cyber security risks in various ways, such as:

• Internal audit
• Risk assessment covering cyber security risk
• Investment in threat intelligence
• Regular health checks

Out of all types of businesses, SMEs have taken slightly longer to recover from a cyber breach: 24% of SMEs, against 14% of other businesses, stated it took a week to recover from their worst breach. Most SMEs are not concerned about, or are not taking enough action against, cyber threats; therefore having a cyber-risk team may allow them to identify their vulnerabilities and better protect their firm.

Conclusion

Although many businesses have not yet formed a cyber-risk team, awareness of cyber risks has increased greatly in recent years, and it is predicted that most businesses will create an internal group of some nature to maximise their cyber protection. "Boards fully discuss, report and become an expert on accounting policies, health & safety, CSR and executive remuneration, however, this is not the case with a company's most valuable assets: its data and information. It's time to take control and be proactive." – Rob Cotton, CEO of NCC Group


Cyber Security Incident Response Plan


Secure your Defence

Cyber-attacks are reported so frequently that there is a danger business leaders become accustomed to the risk without implementing sufficient controls. It is vital that, as a minimum, corporations put in place a cyber security incident response plan to ensure they are on the front foot should disaster strike. There is a plethora of threats that vary in size and risk, and corporations should treat this as an important factor in mitigating their own risks. If an adequate cyber risk mitigation policy is not put into action, the consequences of a cyber-attack can be significantly worse. A cyber security incident response plan acts as a contingency in the event of a cyber-attack. It sets out the steps that need to be taken for a corporation to restore normal business functionality.

Cyber Security Incident Response

Many SMEs believe that they will not be targeted by a cyber-attack, and this stance has been shown to increase their risk of not recovering from an attack. 66% of companies are not confident in their business's ability to effectively recover from a cyber-attack. Cyber-attacks on SMEs have been increasing over recent years. Although they do not have as much revenue as larger corporations, they are normally easier for cyber-criminals to compromise. Statistics from 2016 show that 75% of businesses do not have a satisfactory cyber security incident response plan.

The CREST Cyber Security Incident Response Guide indicates 5 main areas of consideration when a corporation is managing its Incident Response Plan:

1. Identifying the Incident:

Your business must assess a possible cyber security incident and determine what impact, if any, there has been on its networks, systems and databases. In addition, you must understand what type of incident it is, e.g. malware, DDoS, code exploit etc. Some cyber incidents are harder to detect than others, and often they impact customers before the organisation itself.

2. Investigating the Situation:

After a cyber incident has been identified, it must be investigated to understand how the attack occurred, who perpetrated the attack, when the attack happened and what was impacted.

3. Acting:

A major priority should be making sure that the cyber incident has been contained. This helps your business reduce the impact of the incident. This can be done by blocking unauthorised access and stopping it from spreading to other networks. It is always best to get advice from an expert before disconnecting everything from the internet and power, as this can potentially be even more damaging: powering systems off can destroy the volatile evidence (running processes, network connections, memory) that the investigation in step 2 depends on.

4. Recovery:

After acting against the threat, your business should restore all systems to normal operation and mitigate any vulnerabilities to try to prevent the same type of attack recurring. The recovery plan must be updated and tested so that it works in the future. Furthermore, important data should be backed up in case of another cyber-attack.

5. Training:

There should be nominated 'champions' in your business who will have knowledge about everything cyber for the general good of the business. They should be able to identify the risks that may occur and maintain good security standards. Individuals within the business should be able to handle incidents and make the decisions needed to deal with any incident that occurs. It is important that the contact details of these personnel are available for use in the event of an incident.

Conclusion

Cyber security incident response plans are essential for businesses as the world continues to grow into a larger digital landscape. Cyber-attacks on SMEs are likely to increase in 2017, and therefore it is vital that UK businesses and SMEs have a good cyber security incident response plan in order to be prepared and to mitigate the risk of being attacked.

How Online Expansion is Increasing the Risk of Cyber Attack


Introduction

Businesses across the globe, from large multinationals to small enterprises, are embracing the opportunities an online presence can offer. Online businesses tend to grow faster than the economy as a whole. Consumers now not only expect instant and continuous access to a company's products and services at any given time or place, but in many cases will buy from whichever business offers the least friction. Those businesses that proactively embed security smoothly and seamlessly into the customer transaction process are receiving the greatest rewards.

Online Expansion

Online expansion is the process of a business moving to offer its products and services through digital channels. Businesses are expanding online due to the huge market that is available through the internet and the potential to generate larger and faster revenues. Capital Economics reported that 48% of SMEs are expected to generate their revenue through e-commerce over the coming years, while 45% of all SMEs use e-commerce. It is estimated that revenue growth expectations for SMEs that use e-commerce will grow by 1.8% in 2017. In addition, SMEs that use e-commerce have a customer confidence index score of +7.

There are many different threat actors a business with an online presence must consider, depending on the industry in which it operates and the territories in which its customers are based. The scale and range of threat actors is wide: state-sponsored cyber terrorism against critical infrastructure; corporate espionage against firms reliant on sensitive intellectual property; recognised community names for hackers who attack for fun or credibility; and criminal gangs targeting businesses with perceived valuable financial or health data. As a business develops its online presence, from offering simple documents and brochures for download, through feedback forms and portals, to full e-commerce transaction sites where goods or services are exchanged for financial benefit, the risk of cyber-attack is present at every stage.

Cyber-attacks on larger businesses such as Tesco Bank have not been enough of a warning to SMEs to protect themselves properly. RSA's report states that businesses will only buy the cover required when a cyber risk or threat becomes a personal issue for them. 53% of businesses with some type of insurance cover said they have been attacked before or know businesses that have been attacked.

A report by "Careers in Audit" in 2016 stated that a lack of understanding of the risk, and of the technical knowledge needed for correct protection against cyber-attacks, is allowing this problem to continue. Simon Wright, operations director at CareersinAudit.com, said: "It is clear from our latest research that many businesses are leaving themselves hugely exposed by having weak risk management systems and in some cases, none in place at all".

Conclusion

Online expansion is a very important step for most businesses to take for growth; however, it is important that SMEs understand the cyber risks that can harm a business. If businesses fail to take the right actions, the consequences may cause serious harm to future customer online transactions.

What Should be Covered by Cyber Insurance?


Introduction

There is no question that cyber insurance has been growing in popularity since its introduction to the corporate world in the late 1990s. For those who are new to this concept, cyber insurance is a policy that covers the costs, expenses and losses that may arise from a cyber-attack. Having cyber insurance will not stop an attack; however, it will help businesses respond to an attack and manage its costs should it happen.

Details

Cyber insurance can be split into three distinct areas of cover: Event Management, Financial Loss and Liability.

Event Management involves the internal and external expenses of managing the response to a cyber event. Cyber insurers vary in the extent of cover provided in Event Management, but in general they recognize that providing access to third party cyber security experts can mitigate the consequences of a catastrophic event.

This is sometimes spearheaded by a cyber response coach, an industry expert responsible for advising a business on how to handle and manage a cyber event. Typically, this will start with an investigation by third parties to establish the extent of the issue. If card data is compromised, then insurers can indemnify the costs arising from a specialist PCI Forensic Investigator (PFI) investigation. Consultation on how to manage legal and regulatory issues will also be covered as well as a crisis communication strategy. Establishing a Call Centre to field queries and providing credit monitoring are the last elements of cover.

Financial Loss considers the increased operational costs and reduction in profits because of the attack. This is known as non-physical damage business interruption, and is typically excluded from property insurance. Should any fines and penalties be issued by regulators (Information Commissioner’s Office) and industry associations (for the loss of sensitive card payment data), then cyber insurers will cover this with the proviso that these are insurable by law. Costs in managing a cyber-extortion situation — and the ransom itself — can also be covered.

Liability tends to impact some months later. Affected individuals or businesses may bring claims or written demands for failing to protect their information. They may seek compensation for financial losses from hacking, or damages from identity theft. In cases where customers are claiming from multiple jurisdictions, cyber insurers can contribute towards defense costs and any resulting damages from multi-jurisdictional claims.

Summary of a cyber insurance policy (table not reproduced here).

Source – Financial Lines Department, Elmore Insurance Brokers Limited

Conclusion

Choosing the correct policy for your business needs careful consideration. Working with a broker to help guide what events need to be covered is an essential part of the onboarding process.


Cyber Breaches and Where They Come From


The Facts Behind the Attacks

Dependency on technology and network connectivity is expected to remain one of the most likely risks to businesses in 2017. Cyber-attacks are time-consuming to manage, costly to remediate and can be catastrophic to a firm's reputation. It is a looming dilemma for businesses and must be brought further into the corporate limelight. Currently, only a few companies can quantify how great their risk exposure is, which severely limits how well they can protect themselves.

Details

SMEs should be aware that they will face growing cyber threats in 2017. Statistics from the RSA group show only 9% of UK SMEs have insurance to protect themselves against cyber threats. This clearly indicates that an alarming percentage of SMEs are not taking the necessary steps to manage a cyber-attack. The digital climate is constantly rising, and SMEs are becoming victims of cyber-attacks as they may not have suitable cyber security protocols in place. Three quarters of the SMEs questioned stated that they believe their business does not need cover and are not aware how it would protect their business.

The cyber world has seen a 29% increase in the total cost of a data breach and a 15% increase in per capita cost since 2013. The threat of cyber-attacks is becoming more apparent, and it is estimated that there is a 26% probability of a material data breach involving 10,000 lost or stolen records. This could be detrimental to firms and can lead to the biggest financial consequence for organisations: lost customers. This long-term consequence of a data breach can take years to undo, as the lost customers' trust has to be regained.

49% of UK businesses use external hosting services to host websites or email and to transfer or store data. Many firms are under the illusion that outsourcing an activity transfers the risk management process and liability to the third party. This is not the case: if it is your customer information, then you are responsible for safely housing that information with the right hosting company. This is reinforced by the upcoming EU General Data Protection Regulation, which is shortly to be implemented in UK law to replace the Data Protection Act 1998, which currently falls under the remit of the UK's Information Commissioner's Office (ICO). Some facts behind the attacks:

• The average total organisational cost of a data breach has increased over the past 3 years: 2013 – £2.04m, 2014 – £2.21m, 2015 – £2.37m.
• The mean time to identify a cyber breach is 201 days, and the mean time to contain the cyber breach is 70 days.
• Root causes of data breaches: 51% are a malicious or criminal attack, 24% are system glitches and 24% are human errors.

Conclusion

Organisations are still not adequately prepared for cyber-attacks, and not even the most highly resourced institutions have the means to eliminate cyber risks fully. Only 57% of businesses have been found to have sought information, advice or guidance in the past 12 months on the cyber threats faced by their organisation. With the threat of cyber-attack ever more present, it is time that companies start the cyber security journey as soon as possible.

• Ponemon Institute – 2016 Cost of Data Breach Study: Global Analysis

Run for Cover! Common Cyber Gaps in Professional Indemnity Policies


It's a normal day, then out of the blue you receive a sheepish call from your IT Director announcing that the company databases have been hacked and some 30,000 customer details could have been compromised. Immediately a meeting is called with all available Directors, and it is clear that help from outside experts to advise on correct protocols and investigations is required. Prior to appointing any external consultants, a quick look at your Professional Indemnity Insurance (PII) policy is made to see what notification requirements the contract imposes and what cover there is to help get you out of this emerging crisis. After double-checking with your broker, reality dawns that the PII policy you have may not provide the cover you need.

Details

There are two types of PII policy. The first is called 'Negligence, Errors and Omissions', which provides protection where a client may make a claim against you for a negligent breach of professional duty, which is not necessarily the case in this scenario.

The other type of PII wording is titled 'Civil Liability' and is much broader in the scope of coverage. This gives protection for any claims from clients against you for a civil wrong or wrongdoing actionable at law, including breach of trust or breach of fiduciary duty.

Importantly, the trigger in most PII policies is a claim brought against the company by a client. The cover is traditionally limited to defence costs and damages if the action is successful. Therefore, businesses are covered for an element of data privacy liability risk under the PII policy (subject to the terms, conditions and basis of the wording); however, it would not normally pay for the costs and expenses of managing a cyber-attack, nor the resulting interruption to the business, loss of income, fines and penalties or extortion demands. The insurance industry calls these types of losses 'first-party costs', as they are the costs you incur as a business unrelated to your customers.

Cyber insurance is a policy designed to help you in the event of a data breach or cyber-attack. The breadth of cover can vary widely, and there is little uniformity across different insurers, which is why it pays to enlist the services of a cyber insurance expert when choosing your policy.

Some key considerations when choosing cyber insurance:

Difference in Conditions clause: this endorsement should be included in order to specify which policy responds first in the event of a claim. If properly worded, it will allow the insurance protection you have under each policy to be at its most effective.

A comprehensive Cyber Insurance policy which includes:

• Access to a breach response team who will co-ordinate your rescue plan (IT, Legal, PR)
• Business Interruption protection
• Fines and Penalties including PCI awards
• Cyber Extortion negotiation and digital currency pay-out

If you had an adequate cyber insurance policy, the dreaded IT Director phone call scenario could have been under control and in the hands of experts as soon as you called the helpline provided by your insurers.

This type of claim scenario is not uncommon. It is a sobering thought that in 2016 over 50% of UK firms fell victim to ransomware attacks, according to Information Week. In addition, a third lost revenue and 20% had to halt trading.

Conclusion

It is important for corporations to have a clear and comprehensive cyber insurance policy to mitigate the risks of doing business digitally. Fear of cyber-attack is making cyber insurance one of the fastest-growing areas of insurance. It is estimated that the total written premium globally is £2bn, with double-digit growth each year. Although this number seems quite high, it still represents a very small proportion of protected business. Many businesses are currently uninsured for the significant risk of cyber-attack.