Insurers’ Supply Chain Under Attack

Even cyber security experts get caught out. A recent cyber-attack on the multinational technology provider DXC Technology, which among other services provides incident response for its clients, has shown that even experts are vulnerable to attack. It also demonstrates the systemic risk of an industry being reliant on one major supplier.

Lessons from the Xchanging cyber-attack

DXC’s managed services subsidiary, Xchanging, experienced a significant ransomware attack which lasted almost four weeks. The firm worked hard to restore access to its operating environment and kept insurers and brokers up to date with progress, but good communication alone does not keep clients happy. The significant delays in processing claims and premiums will live long in the memories of all involved in the related insurance transactions. A poorly handled cyber event can be an easy way of destroying trust that a firm has spent years building. Transparency is key.

Not all firms adopt a transparent approach. After all, finding out a business is subject to possible regulatory or governmental investigation can be disconcerting. Plus, it’s expensive to manage a cyber event publicly and in challenging times a firm may have other spending priorities.

This means that cover-ups happen, but the cost of a cover-up is likely to be higher than the cost of managing an attack well. For example, Uber tried to cover up a breach and was fined USD148m. While the urge to ignore, deny or even remove potentially incriminating evidence is understandable, it must be resisted.

Supply chain risk

It is often said that the weakest link in a business’s cyber security is its supply chain, as a firm’s vulnerability increases with its dependence on a critical supplier. This point is illustrated by the DXC cyber event, which has raised questions about the reliability of one supplier responsible for settling USD100bn of premiums and claims for the insurance industry.

Scrutinise risk registers

Cyber risk isn’t just down to a company’s anti-virus or firewall malfunctioning. It comes down to the core operational controls required to monitor and maintain good working practices. A firm should explore every risk, including business interruption, reputational harm and supply chain failure. After all, a solar flare damaging satellites, communication systems and power supplies has the same probability and impact as a global health pandemic.

It’s essential that firms keep an up-to-date and comprehensive risk register, which is accompanied by insurance mapping to define what risks are insured against and which are not. DXC will more than likely be considering its own business interruption for both lost revenues and the cost of handling the ransomware attack, along with its liabilities to the insurance industry for causing major disruption.

About Elmore Insurance Brokers

Elmore Insurance Brokers Limited advises its clients to actively manage risk to optimise insurance. Insurance is a partnership between businesses and insurers. This partnership can be significantly enhanced by focused engagement to understand and implement risk management best practice.

Written by Simon Gilbert, Founder & Managing Director, Elmore Insurance Brokers Limited.

Employers Work From Home Liability

Multitasking

The kitchen table has never been in such demand. Cereal is cleared by 9am for it to become a conference stage, complete with virtual background, for the first meeting of the day. The hours that follow include a series of emails, calls, meetings and frantic deadlines, followed by a surface for jigsaws at 5pm, before dinner is served at 8pm. For some, this is the busiest they have ever been.

That aesthetically pleasing bench that was so elegant for friends and family to gather on may not seem like such a good buy now you’re forced to teeter on it for hours, peering into your dainty screen. Or perhaps you’ve been relegated to the bedroom, trying to type whilst balancing your laptop on your knees as you battle the fully stretched and very comfortable house pet for space.

Physical and mental health

Few were lucky enough to have home offices up and running before the coronavirus crisis unfolded, so these challenges are a daily reality for many of us. Two months into lockdown, and we’re starting to notice contemporaries complain of back and neck pains, stiff shoulders and sore wrists. The physical side-effects of home working are taking their toll as most were woefully under-prepared for spending such a long period away from the office.

Our mental health is under pressure too. We’ve lost most of our normal daily structures and routines, our social lives have been confined to screen time and some of us are under serious financial strain as well. A lot of those who were living with depression or anxiety before the crisis have found their symptoms worsening under lockdown and others are finding themselves developing symptoms for the first time as they struggle with isolation in circumstances they have never faced before. It’s not only those facing lockdown alone that are suffering, with relationships coming under strain as couples and families are now forced to live, work and socialise exclusively together under one roof. No one imagined a 24/7 marriage as they glided down the aisle that happy day.

These physical and mental challenges make the management of work-related stresses and strains much more difficult. Moods are fractious and necks are stiff. As an employer, the work-related physical and mental health of your staff is your responsibility and you can be held liable for any injury incurred by your employees if this arises from a failure in your duty of care to them.

The realities of self-isolation are unlikely to end in the near future. Those living with vulnerable persons cannot return to the daily train commute for fear of returning home with the virus and, if desks and other workstations need to be at least two metres apart, it is estimated that there will only be space for a third of us to return to work at any one time. Sadly, at the present time a safe return to the office in ‘back to normal’ mode looks months away.

You’re not moving my sofa

The employer’s duty to minimise the risks to its employees means that there is currently no alternative to staff being required to work in unregulated home-working environments. Undertaking home-workplace assessments becomes a duty of every employer, and those employees whose home set-up does not meet the necessary standards will either have to forgo any liability or take action to meet the employer’s work-from-home requirements.

At the time of writing, there is almost no direct government guidance on employers’ responsibilities to prevent physical or mental injury to their employees for prolonged periods of home working. The Chartered Institute of Personnel and Development (CIPD) is one of the few bodies providing guidance for employers, with free work-from-home risk assessments and policy updates. Other sources include the Health and Safety Executive (HSE) and ACAS, whose advice can be found via the following links:

Potential Claims

As homeworking looks set to continue, employers may soon be reaching for their Employers Liability, Employment Practices Liability and Directors’ & Officers’ Liability insurance policies and may need assistance from their insurance advisers to deal with claims. Some examples of how claims might arise out of homeworking include:

Employers Liability:

  • An employee suffers repetitive strain injury or back pain because the computer equipment has not been set up in a way that minimises the likelihood of these conditions;
  • Bodily injury if the employee contracts COVID-19 because they were exposed to an unsafe environment, which may include having no alternative but to commute on a crowded train.

Employment Practices Liability:

  • Allegations of discrimination if the company is managing risks differently in relation to different locations, teams or individuals;
  • Constructive dismissal if an employee believes they were retaliated against because they opted out of a work-related event or meeting due to concerns over coronavirus.

Directors’ & Officers’ Liability:

  • An employee directly names a director as responsible for a failure to protect their physical or mental health;
  • Claims for lack of preparedness and poor contingency planning – companies may find themselves facing allegations that they were under-prepared to address virus-related operational risks whilst at the same time ensuring staff well-being.

Cyber Liability:

  • An employee may accidentally or intentionally cause a breach of other employees’ personal data that leads to legal action against the employer;
  • The company may misuse details of employees’ working conditions/requirements, which could be deemed a breach of privacy.

For now there are no contagious disease exclusions on these policies but this may change, as a ‘covid-19 exclusion’ is currently under consideration in the insurance market.


Written by Simon Gilbert, Founder & Managing Director, Elmore Insurance Brokers Limited.

Social Inflation Risk To Directors And Officers

The spread of social inflation

The speed at which the coronavirus has spread around the world illustrates the effectiveness of globalisation. In just a few months, one virus in China has infected 2.2 million people and reached over 180 countries. It isn’t just viruses that travel at this speed. Globalisation and greater global connectivity have allowed social trends to travel from backwater to high-rise within hours, and therein lies one of the major risks facing today’s Directors and Officers.

Trust in corporates and politicians has been undermined by the perfect storm of financial crisis, political scandal and poor corporate practice, among other themes. This social trend may have started small, but globalisation has allowed it to reach every corner of the globe. We’re now seeing an exponential rise in litigation against corporates and their Directors and Officers, supported by the tailwind of increased third-party litigation funding. The trend is known as social inflation: a rise in claims as the same social trends are repeated throughout the world, and it’s something a Director or Officer can insure against.

Repeated failure

The economic instability and anti-corporate sentiment that followed the 2008 global financial crisis gave rise to societal unrest. Those that lost their livelihoods and homes wanted answers and they didn’t trust the mainstream politicians to provide them. Society began to look to the politicians who broke the mould and suddenly support had risen for populist parties across the globe. As society looked for answers in a new political landscape, they also became less enamoured by the corporate machine that powered the wheels that drove the financial crisis in the first place.

This dissatisfaction with corporate culture and the political mainstream has coincided with a rise in social empowerment and third-party litigation funding, giving this anti-corporate sentiment serious financial and crowd backing. Third-party litigation funding is now a significant industry in itself and one which is reshaping litigation around the world. In 2019, the management of Burford Capital (one of the leading litigation funders) felt the might of the crowd when it was targeted by Muddy Waters, the infamous short seller, resulting in a 50% drop in its share price. There is serious weight to the threat of social inflation; no one is immune.

Implications and actions

This trend has now reached every corner of the corporate landscape and with it comes a significant rise in the potential for litigation. In many jurisdictions around the world, if the decisions made by directors and officers of corporations lead to adverse outcomes for the company or its stakeholders, those individuals can now be held personally liable. The personal consequences are more acute if Directors and/or Officers can be shown to have acted in an imprudent or unprofessional manner. As such, Directors and Officers must be more vigilant than ever to follow best practice and ensure good corporate governance is at the heart of their business. This is a challenge at the best of times, but under remote working and in times of crisis it will be even more difficult, with lines of communication and protocol inevitably overlooked or side-stepped in the need to respond. This creates immediate risk.

Directors and Officers that are doing all they can to promote best practice, act with necessary and appropriate due diligence, and operate with corporate social responsibility at the core of their organisation’s culture will be less likely to fall foul of such forces. Boards can go further to protect Directors and Officers by taking out Directors and Officers insurance to offer indemnity against many of the issues they face.

In light of this rising trend, buyers of Directors and Officers insurance should seriously consider the adequacy of their limits of indemnity and review their wider insurance position.

About Elmore Insurance Brokers

Elmore Insurance Brokers Limited advises its clients to actively manage risk to manage down premiums. Insurance is a partnership between businesses and insurers. This partnership can be significantly enhanced by focused engagement to understand and implement information security risk management best practice, which includes cyber insurance.

Written by Simon Gilbert, Founder & Managing Director, Elmore Insurance Brokers Limited.

Cyber Insurance In A Health Pandemic

Cyber criminals prey on the vulnerable

Isn’t there enough to worry about at the moment without the additional risk of a cyber-attack? The saying “it never rains but it pours” is the cruel reality that some individuals and businesses find themselves in, fighting a war on both sides. This is the environment in which cyber criminals thrive.

As fear and uncertainty grip the world, we are not just fighting the deadliest global pandemic in a century, but also operating under the enhanced threat of cyber-attacks.

The risk to individuals and businesses is growing as the global shift to remote working gains momentum. Laptops and PCs are now in short supply and many businesses are scrambling for resources. One IT security expert from Blackfoot Cyber Security said, “some workers are reverting to remote working on poorly configured networks, with unsecured devices and inferior security practices”.

With many business continuity plans now activated, there is the additional risk that these plans were neither tested nor designed for prolonged use. A business’s standard security posture is typically reduced significantly by remote working: controls, processes, systems and data are exposed. Even national critical infrastructure such as mobile networks is creaking under the rise in voice calls, leading to dropped calls and major outages.

Mitigate the impact

Businesses can take some quick actions to improve their remote working security:

  1. Require a VPN to access the Internet, with 2FA to access company resources.
  2. Run anti-virus on startup; users should not be able to change AV settings.
  3. Make workstation AV logs available to central systems administrators.
  4. Train workers on the risks of working remotely.
  5. Follow the work-from-home guidance from the NCSC.
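The five quick actions above are only useful if someone checks that they are actually in place on every machine, which is what the central AV logs in action 3 are for. The following script is an added example, not Elmore’s code and not from any vendor or the NCSC guidance: it evaluates self-reported workstation status records, as a central administrator might collect them, against the five actions. The record format, the hostnames and the staleness thresholds (signature age, log-upload gap, training validity) are assumptions made for this example.

```python
"""Remote-working posture check (added example; record format and thresholds are assumed)."""
from datetime import datetime, timedelta, timezone

# Assumed thresholds, not taken from the original post
MAX_SIGNATURE_AGE = timedelta(days=3)   # AV definitions older than this are stale
MAX_LOG_GAP = timedelta(hours=24)       # no AV log upload within this window = forwarding broken
TRAINING_VALIDITY = timedelta(days=365)  # remote-working training must be renewed yearly


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp such as 2020-04-06T08:30:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_workstation(record, now):
    """Return a list of (control, finding) tuples for one workstation record."""
    findings = []
    # 1. VPN required for Internet access, 2FA for company resources
    if not record.get("vpn_always_on"):
        findings.append(("vpn", "VPN is optional: Internet traffic bypasses corporate controls"))
    if not record.get("mfa_enforced"):
        findings.append(("2fa", "company resources reachable with a password only"))
    # 2. AV runs from startup and the user cannot change its settings
    if not record.get("av_realtime"):
        findings.append(("av", "real-time protection is off"))
    if not record.get("av_tamper_protected"):
        findings.append(("av", "user can change AV settings"))
    sig_age = now - _parse(record["av_signatures_updated"])
    if sig_age > MAX_SIGNATURE_AGE:
        findings.append(("av", f"signatures {sig_age.days} days old"))
    # 3. AV logs must actually reach central admins, not just be configured to
    last = record.get("last_log_upload")
    if last is None or now - _parse(last) > MAX_LOG_GAP:
        findings.append(("logging", "no AV log upload in the last 24 hours"))
    # 4. remote-working training completed and still valid
    trained = record.get("remote_training_completed")
    if trained is None or now - _parse(trained) > TRAINING_VALIDITY:
        findings.append(("training", "remote-working training missing or expired"))
    return findings


def fleet_report(records, now):
    """Per-host findings plus the sorted list of hosts deviating from the disclosed controls."""
    report = {r["host"]: check_workstation(r, now) for r in records}
    non_compliant = sorted(host for host, f in report.items() if f)
    return report, non_compliant


# Constructed sample records (hostnames and timestamps are placeholders)
NOW = datetime(2020, 4, 6, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"host": "WS-001", "vpn_always_on": True, "mfa_enforced": True, "av_realtime": True,
     "av_tamper_protected": True, "av_signatures_updated": "2020-04-05T22:00:00Z",
     "last_log_upload": "2020-04-06T08:30:00Z", "remote_training_completed": "2020-03-20T00:00:00Z"},
    {"host": "WS-002", "vpn_always_on": False, "mfa_enforced": True, "av_realtime": True,
     "av_tamper_protected": False, "av_signatures_updated": "2020-03-28T22:00:00Z",
     "last_log_upload": "2020-04-03T08:30:00Z", "remote_training_completed": None},
]

if __name__ == "__main__":
    report, bad = fleet_report(SAMPLE, NOW)
    for host, findings in report.items():
        print(host, "OK" if not findings else "")
        for control, text in findings:
            print(f"  [{control}] {text}")
    print("hosts deviating from disclosed controls:", bad)
```

The list of deviating hosts is the thing worth keeping: it is exactly the evidence an insurer would ask for when checking whether the controls disclosed at inception were still being followed at the time of a claim.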

The impact of a pandemic on cyber insurance

Cyber insurance has never been tested by a global health pandemic, but generally the policy should respond to most types of cyber-attack. At the time of writing, there are no specific exclusions in relation to the pandemic, but that is likely to change soon. Insurance regulators have instructed UK insurers to be ‘flexible’ when considering policyholders’ responses and claims in view of the pandemic.

Cyber insurers typically underwrite on the assumption that an incident response plan (IRP), a disaster recovery plan (DRP) and, most relevant now, a business continuity plan (BCP) are in place to ensure a business can operate should a major disruption occur. For many businesses that means staff are working remotely.

Insurers would expect a policyholder to be following the same processes as if the workforce were operating from its offices. If insurers discover that the controls disclosed were not complied with at the time of a claim, they will have to consider the impact of that and whether the business made reasonable best efforts to operate as was disclosed to them.

Don’t forget the small print

There are exclusions in a cyber insurance policy that might be triggered by a health pandemic:

  • Change in risk profile

Some insurers will expect to be notified if devices being used for work purposes do not have the same level of security as the corporate network, or if the security methods used by the workforce to connect to Gsuite/O365 have changed due to remote working.

  • Government-mandated shutdown

Typically, cyber insurers do not cover the mandated shutdown of a business’s computer system by order of any governmental authority. However, it’s unlikely that a government order to ‘stay at home’ or ‘lockdown’ would trigger this restriction in cover.

  • Failure of mobile networks

This is a standard exclusion in most cyber insurance policies and extends to the failure of any other utility provider (e.g. power, satellite, internet and water) causing a cyber insurance loss.

  • Physical events

Any fire, flood, earthquake, volcanic eruption, explosion, lightning, wind, hail, tidal wave, landslide, act of God or other event of a physical nature will typically be excluded by cyber insurance. There could be grey areas of coverage if sickness were to be the trigger for a physical event that became the cause of a cyber event.

  • Acting as prudent uninsured

There may be restrictions on this due to incapacitation of the workforce. Typically, insurers would expect a timely and reasonable response, as if the policyholder were acting as a prudent uninsured. However, where the workforce has neither the access nor the capability to provide a standard response, the scale and threat of a cyber-attack could increase. This would need to be reviewed on a case-by-case basis by insurers.

Making a claim during a pandemic

Cyber security incident response is one of the few emergency services that can be provided remotely to investigate and, in some cases, remediate a cyber-attack. Cyber insurers typically engage best-in-class cyber security incident response experts who have the capability and expertise to handle incidents virtually rather than in person.

The first 72 hours after the discovery of a cyber-attack are the most critical to managing the consequences and potential fallout. For a business to manage the simultaneous effects of a major cyber-attack during a pandemic, it is essential to establish a successful partnership with the cyber insurer’s incident response providers that is both timely and effective. Cyber insurers’ 24×7 around-the-globe response capability should still apply, with on-the-ground assistance if needed.

Of critical importance in the earliest stages is the need to communicate the situation to all members of the workforce as swiftly as possible, with clear instructions on any action individuals might need to take to support the recovery process or, possibly, to avoid because of the risk of worsening the situation. Clearly, off-line communication channels need to be firmly established in order to ensure that this contact cannot be interrupted or prevented by the cyber event.

Elmore Are Remote Working

In line with best practice and the safety threats of the Coronavirus/Covid-19 global health pandemic, Elmore Insurance Brokers Limited has implemented remote working for its employees, providing them with the necessary tools and technologies to maintain the usual working processes.

Under these exceptional circumstances, we are unable to guarantee the usual level of service and accessibility on all lines of business and insurance. In some cases insurers may not be available due to incapacitation, and there may be a delay in renewing existing policyholders’ insurance and onboarding new policyholders’ coverage.

We therefore request your understanding in these difficult times, but rest assured that we are dedicated to continuing to work through this period, in which the possibilities of meeting in person are limited.

We plan to begin communicating with you earlier than usual to ensure sufficient time is available to complete tasks.

As we have more updates that are specifically relevant to you and your policy, we will share them.

Stay safe, stay well.

EU, GDPR and Brexit

Introduction

The EU General Data Protection Regulation (GDPR) will become legislation in May 2018, which will be a significant change for UK businesses. GDPR will introduce new laws, such as substantial fines for processing data without the consent of data subjects. This regulation will update various elements of the Data Protection Act 1998 (DPA98), bringing in new requirements for UK companies to adhere to. Regardless of Brexit, European law will continue to be in effect for 2 years after Article 50 is triggered, and the ICO has stated that the EU GDPR will be embedded into revised data protection laws in the UK from 25th May 2018.

Details

This new legislation is designed to allow individuals to manage their personal data as well as allow businesses to better access a digital single market with a unity of regulations throughout. The GDPR was ratified and became law in the EU in 2016. Member states in the EU have a two-year implementation period and enforcement of the regulation should commence by May 2018.

Implementation of GDPR will give regulators the authority to issue fines and penalties equal to 2% of a business’s global revenue for any violation of security, record-keeping and privacy impact assessment obligations. In addition, violations related to data subject rights and cross-border data transfers could result in fines of 4% of the business’s global turnover.

Data Protection Officers (DPOs) will also need to be appointed by larger firms. Responsibilities of the role include advising employees of their obligations to comply with the GDPR and monitoring compliance. Like the DPA98, the GDPR will require data controllers to have a proper reason for processing personal data. In addition, the GDPR has a “right to be forgotten”, which requires personal data to be erased if the data subject requests it. Data processors who are not subject to the current DPA98 must follow certain new requirements of the GDPR, and there will be greater obligations when outsourcing the processing of data to third parties, which could lead to compensation in the event of non-compliance.

Conclusion

GDPR is one of the most significant changes to European legislation in a generation. Regardless of Brexit, the EU is one of the UK’s largest trading partners and as such anything less than a mirror image of the regulations will only be a hindrance for the UK when negotiating its exit from the EU. UK businesses therefore have a matter of months to get up to speed and comply with a range of onerous new data protection regulations. It is recommended that, as a first step, a cyber risk team be created internally to bring together the different stakeholders of the business and plan how the regulation will impact the business and its customers, and what needs to be done as a priority to comply.

The Cyber Risk Team

Introduction

Forming a cyber-risk team is becoming increasingly important as the rate of cyber-attacks on UK businesses continues to rise. It is an essential way to help mitigate the risk of cyber-attacks. Only 13% of CEOs in the UK are responsible for the cyber risks in their business, meanwhile 90% of CEOs still neglect it. Having a team will allow businesses to have wider insight into how to effectively manage their cyber-protocols.

Details

Cyber-risk teams are groups within a business that normally comprise the CEO and board directors as well as cyber-experts such as CTOs and CIOs. They analyse the performance of the business’s cyber-security and its data. The team should discuss recovery plans, such as how to restore normal business functionality if an attack were to occur. In addition, the team should analyse whether staff are trained and experienced enough to understand and mitigate cyber-risks themselves. Other topics of discussion may include how vulnerabilities are identified, what monitoring software is being used and how regulatory requirements are being met.

A survey by ComRes showed that only 13% of 200 businesses stated that the managing director is responsible for the team, and 9% named the financial director. 52% of businesses delegated responsibility to CTOs and CIOs. These figures show that while businesses do understand the importance of having a cyber-risk committee, CEOs are not taking enough responsibility to personally evaluate and analyse the potential risks. Furthermore, a government cyber report on FTSE 350 companies stated that only 33% of businesses had a clear understanding of their key information, whereas 67% only had an acceptable understanding. This is alarming when considering the increasing rate of attacks.

The Cyber Security Breaches report showed that the percentages of board members responsible for cyber security differed from the size of each firm:

• 21% for Micro firms
• 37% for Small firms
• 39% for Medium firms
• 49% for Large firms

Overall 51% of UK businesses have tried to identify cyber security risks in various ways such as:

• Internal audit
• Risk assessment covering cyber security risk
• Invested in threat intelligence
• Regular Health checks

Out of all types of businesses, SMEs have taken slightly longer to recover from a cyber-breach: 24% against 14% stated it took a week to recover from their worst breach. Most SMEs are not concerned about or taking enough action against cyber-threats, so having a cyber-risk team may allow them to identify their vulnerabilities and provide better protection for their firm.

Conclusion

Although many businesses have not yet formed a cyber-risk team, the awareness of cyber-risks has largely increased in recent years and it is predicted that most businesses will create an internal group of some nature to maximise their cyber protection. “Boards fully discuss, report and become an expert on accounting policies, health & safety, CSR and executive remuneration, however, this is not the case with a company’s most valuable assets: its data and information. It’s time to take control and be proactive” – Rob Cotton, CEO of NCC Group

Cyber Security Incident Response Plan

Secure your Defence

Cyber-attacks are so frequently reported that there is a danger business leaders become accustomed to the risk without implementing sufficient controls. It is vital that, as a minimum, corporations put in place a cyber security incident response plan to ensure they are on the front foot should disaster strike. There is a plethora of threats that vary in size and risk, and corporations should consider this an important factor in mitigating their own risks. If an adequate cyber risk mitigation policy is not put into action, the consequences of a cyber-attack can be significantly magnified. A cyber security incident response plan acts as a contingency in the event of a cyber-attack. It sets out the steps that need to be taken for a corporation to restore normal business functionality.

Cyber Security Incident Response

Many SMEs believe that they won’t be subject to a cyber-attack, and this stance increases their risk of not recovering from one. 66% of companies are not confident in their business’s ability to effectively recover from a cyber-attack. Cyber-attacks on SMEs have been increasing over recent years. Although they do not have as much revenue as larger corporations, they are normally easier for cyber-criminals to hack. Statistics from 2016 show that 75% of businesses do not have a satisfactory cyber security incident response plan.

The CREST Cyber Security Incident Response Guide indicates 5 main areas of consideration when a corporation is managing its Incident Response Plan:

1. Identifying the Incident:

Your business must assess a possible cyber security incident and determine what impact, if any, there has been on its networks, systems and databases. In addition, you must understand what type of incident it is, e.g. malware, DDoS, code exploit etc. Some cyber incidents are harder to detect than others, and often they impact customers before the organisation itself.

2. Investigating the Situation:

After a cyber incident has been identified, it must be investigated to understand how the attack occurred, who perpetrated the attack, when the attack happened and what was impacted.

3. Acting:

A major priority should be making sure that the cyber incident has been contained. This helps your business reduce the impact of the incident. This can be done by blocking unauthorised access and stopping it from spreading to other networks. It is always best to get advice from an expert before disconnecting everything from the internet and power as this can be potentially even more damaging!

4. Recovery:

After acting against the threat, your business should restore all systems back to normal operation and mitigate any vulnerabilities to try to prevent the same type of attack reoccurring. The recovery plan must be updated and tested so that it works in the future. Furthermore, important data should be backed up in case of another cyber-attack.

5. Training:

There should be nominated ‘champions’ in your business that will have knowledge about everything cyber for the general good of the business. They should be able to identify the risks that may occur and maintain good security standards. Individuals within the business should be able to handle incidents and make decisions to handle any incidents that occur. It’s important that the contact details of personnel are available to use in the event of an incident.
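Steps 1 to 3 above (identify the incident and its type, investigate which hosts were affected and when, decide what to contain) depend on having workstation AV logs available centrally. The following script is an added example, not from the original post, from CREST or from any vendor: it runs simple triage rules over AV log lines forwarded to a central administrator and produces an incident summary that names the incident type, the hosts that need containment, any threat that is spreading between hosts, and the end of the 72-hour critical window after first detection. The log line format, the threat names, the hostnames and the burst threshold are constructed for this example.

```python
"""Central AV log triage (added example; log format, threat names and thresholds are constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log line shape: "<ISO timestamp> host=<name> event=<type> [threat=<name>] [action=<result>]"
LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)"
    r"(?: threat=(?P<threat>\S+))?(?: action=(?P<action>\S+))?$"
)
# Assumed mapping from the threat-name prefix to the incident type named in step 1
TYPE_BY_PREFIX = {"Ransom": "ransomware", "Trojan": "malware", "Exploit": "code exploit"}

BURST_COUNT = 3                       # this many detections ...
BURST_WINDOW = timedelta(hours=1)     # ... within this window marks a host for containment
CRITICAL_WINDOW = timedelta(hours=72)  # the critical period after first detection


def parse_line(line):
    """Parse one forwarded log line into a dict, or return None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
    return d


def triage(lines):
    """Group events by host and apply the identification / investigation / containment rules."""
    by_host = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        by_host[e["host"]].append(e)

    contain = {}                      # host -> list of reasons to contain it
    hosts_by_threat = defaultdict(set)
    incident_types = set()
    first_detection = None

    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        detections = [e for e in evs if e["event"] == "detection"]
        reasons = []
        for e in detections:
            hosts_by_threat[e["threat"]].add(host)
            incident_types.add(TYPE_BY_PREFIX.get(e["threat"].split(".")[0], "unknown"))
            if first_detection is None or e["ts"] < first_detection:
                first_detection = e["ts"]
        # detections the AV could not neutralise: the host is still compromised
        for threat in sorted({e["threat"] for e in detections if e["action"] != "quarantined"}):
            reasons.append(f"AV could not neutralise {threat}")
        # a burst of detections within the window: something is actively running on the host
        for i in range(len(detections) - BURST_COUNT + 1):
            if detections[i + BURST_COUNT - 1]["ts"] - detections[i]["ts"] <= BURST_WINDOW:
                reasons.append(f"{BURST_COUNT}+ detections within {BURST_WINDOW}")
                break
        if any(e["event"] == "realtime_protection_disabled" for e in evs):
            reasons.append("real-time protection was switched off on the host")
        if reasons:
            contain[host] = reasons

    # the same threat on more than one host: it is spreading, which containment must stop
    spreading = {t: sorted(h) for t, h in hosts_by_threat.items() if len(h) > 1}
    return {
        "incident": first_detection is not None,
        "types": sorted(incident_types),
        "first_detection": first_detection,
        "critical_window_ends": first_detection + CRITICAL_WINDOW if first_detection else None,
        "contain": contain,
        "spreading": spreading,
    }


# Constructed sample log (hostnames, timestamps and threat names are placeholders)
SAMPLE_LOG = """\
2020-04-02T08:55:10Z host=WS-004 event=detection threat=Trojan.Constructed.B action=quarantined
2020-04-02T09:10:02Z host=WS-017 event=realtime_protection_disabled
2020-04-02T09:14:05Z host=WS-017 event=detection threat=Ransom.Constructed.A action=failed
2020-04-02T09:20:40Z host=WS-017 event=detection threat=Ransom.Constructed.A action=failed
2020-04-02T09:41:12Z host=WS-017 event=detection threat=Ransom.Constructed.A action=quarantined
2020-04-02T10:03:33Z host=WS-021 event=detection threat=Ransom.Constructed.A action=quarantined
2020-04-02T10:05:00Z host=WS-021 event=heartbeat
""".splitlines()

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("incident types:", summary["types"])
    print("critical window ends:", summary["critical_window_ends"])
    for host, reasons in summary["contain"].items():
        print("contain", host, "->", "; ".join(reasons))
    print("spreading:", summary["spreading"])
```

On the sample the script flags WS-017 for containment on three separate grounds while WS-004, whose single detection was quarantined, is left alone; that distinction is the point of step 3, where the advice is to contain what is actually compromised rather than pull every plug at once.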

Conclusion

Cyber security incident response plans are essential for businesses as the world continues to grow into a larger digital landscape. Cyber-attacks on SMEs are likely to increase in 2017, and therefore it is vital that UK businesses and SMEs have a good cyber security incident response plan so that they are prepared to mitigate the risk of being attacked.

How Online Expansion is Increasing the Risk of Cyber Attack

Introduction

Businesses across the globe, from large multinationals to small enterprises, are embracing the opportunities an ‘online’ presence can offer. Online businesses tend to regularly outperform the average growth rate of the economy. Consumers now not only expect instant and continuous access to a company’s products and services at any given time or place, but in many cases will buy from whoever offers the lowest point of resistance. Those businesses proactively embedding security smoothly and seamlessly into the customer transaction process are receiving the greatest rewards.

Online Expansion

Online Expansion is the process of a business moving to offer its products and services through digital channels. Businesses are expanding online due to the huge market that is available through the internet and the potential to generate larger and faster revenues. Capital Economics reported that 48% of SME’S are expected to generate their revenue through e-commerce over the coming years meanwhile 45% of all SME’S use e-commerce. It is estimated that revenue growth expectations for SME’s that use e-commerce will grow by 1.8% in 2017. In addition, SME’s that use e-commerce have a customer confidence index score of +7.

There are many different threat actors that a business with an online presence must consider, depending on the industry it operates in and the territories where its customers are based. The scale and range of threat actors is wide: state-sponsored cyber terrorism against critical infrastructure; corporate espionage against firms reliant on sensitive intellectual property; recognised community names for hackers who attack for fun or credibility; and criminal gangs targeting businesses that hold perceived valuable financial or health data. As a business develops its online presence, from offering simple documents and brochures for download, to feedback forms, to portals, and finally to full e-commerce transaction sites where goods or services are exchanged for financial benefit, the risk of cyber-attack is present.

Cyber-attacks on larger businesses such as Tesco Bank have not been enough of a warning for SMEs to protect themselves properly. RSA’s report states that businesses will only buy the cover required when a cyber risk or threat becomes a personal issue for them. 53% of businesses with some type of insurance cover said they have been attacked before or know businesses that have been attacked.

A report by “Careers in Audit” in 2016 stated that a lack of understanding of the risk, and of the technical knowledge needed to protect correctly against cyber-attacks, is allowing this problem to continue. Simon Wright, operations director at CareersinAudit.com, said, “It is clear from our latest research that many businesses are leaving themselves hugely exposed by having weak risk management systems and in some cases, none in place at all”.

Conclusion

Online expansion is a very important step for most businesses to take for growth; however, it is important that SMEs understand the cyber risks that can harm a business. If businesses fail to take the right actions, the consequences may cause serious harm to future customer online transactions.

What Should be Covered by Cyber Insurance?

Introduction

There is no question that Cyber Insurance has been growing in popularity since its introduction to the corporate world in the late 1990s. For those who are new to the concept, Cyber Insurance is a policy that covers the costs, expenses and losses that may arise from a cyber-attack. Having Cyber Insurance will not stop an attack; however, it will help businesses respond to an attack and manage its costs should one happen.

Details

Cyber insurance can be split into three distinct areas of cover: Event Management, Financial Loss and Liability.

Event Management involves the internal and external expenses of managing the response to a cyber event. Cyber insurers vary in the extent of cover provided in Event Management, but in general they recognize that providing access to third party cyber security experts can mitigate the consequences of a catastrophic event.

This is sometimes spearheaded by a cyber response coach, an industry expert responsible for advising a business on how to handle and manage a cyber event. Typically, this will start with an investigation by third parties to establish the extent of the issue. If card data is compromised, then insurers can indemnify the costs arising from a specialist PCI Forensic Investigator (PFI) investigation. Consultation on how to manage legal and regulatory issues will also be covered as well as a crisis communication strategy. Establishing a Call Centre to field queries and providing credit monitoring are the last elements of cover.

Financial Loss considers the increased operational costs and reduction in profits because of the attack. This is known as non-physical damage business interruption, and is typically excluded from property insurance. Should any fines and penalties be issued by regulators (Information Commissioner’s Office) and industry associations (for the loss of sensitive card payment data), then cyber insurers will cover this with the proviso that these are insurable by law. Costs in managing a cyber-extortion situation — and the ransom itself — can also be covered.

Liability claims tend to arise some months later. Affected individuals or businesses may bring claims or written demands against the business for failing to protect their information. They may seek compensation for financial losses from hacking, or damages from identity theft. In cases where customers are claiming from multiple jurisdictions, cyber insurers can contribute towards defence costs and any resulting damages from multi-jurisdictional claims.

Summary of a Cyber Insurance Policy

[Table: summary of a cyber insurance policy. Source: Financial Lines Department, Elmore Insurance Brokers Limited]

Conclusion

Choosing the correct policy for your business needs careful consideration. Working with a broker who can help guide which events need to be covered is an essential part of the onboarding process.