Cyber-security: the case for insurance

Alastair Murray explains why insurance matters for countering cyber-security attacks 

Cyber insurance is a hot topic in boardrooms today, with discussions about employee security awareness training programmes closely following. Insurers today offer many innovative cyber related insurance products to protect their policyholders against all manner of cyber-attacks.

The threats cyber-criminals pose through hacking and ransomware are constant. Technology is trying to keep-up with phishing and malware downloads that plague Webservers, but lax security both in the office and homes, exploit weaknesses to highjack computer networks and steal precious data.

Regulators like the Information Commissioners Office (ICO) require firms to report to them if any personal data has been lost in 72 hours. A tall order for any size of firm, whoever they are.  

However, today most cyber insurance policies provide a 24/7 helpline allowing time to decide if they should in fact alert the authorities. Most cyber-risk insurance policies offer these core covers, giving firms a crucial lifeline when they suspect or indeed have had a cyber-attack.

Attacks generally target poorly protected Webservers. However, those that have a Web Application Firewall (WAF) or Intrusion Prevention System (IPS) will examine any incoming emails and Web downloads for suspicious content and block them if necessary. It is a sort of ‘gatekeeper’ of the Webserver that protects the firm from common breaches, such as spyware and virus attacks.

Countering cyber risks

Many firms now have cyber insurance to prevent their Webservers from being hacked. Firms are taking their insurance plans more seriously now and not just for PII or commercial policies, but their cyber risks too. Commentators report that firms known to have taken out cyber insurance appear to have greater loyalty amongst their clients in contrast to their more hesitant rivals.

In some ways, the term ‘cyber’ puts too much emphasis on IT solutions to deal with attacks. While IT is certainly part of the answer, firms can do more to protect themselves.

Having the office or practice manager to oversee security throughout the office is one possible answer. When firm’s stored their records manually, not online, it was simple to lock them up and go home. Today requires a lot more planning with encryption and strong passwords. Most off-the-shelf software systems, like Microsoft 365 offer firms good storage solutions which when combined with multi-factor authentication acts as a double lock.

There are numerous ways to protect your firm from attack, including stressing the importance of cyber security in the office, staff rules, the dos and don'ts when using the office network and at home, testing of back-ups and restored data, updating of operating systems and having a designated ‘go to’ person in the office for reporting potential security issues. Many firms have some if not all these now in place to keep staff up to date with helpful guidance.

With today's cyber insurance policies, you have the luxury of a wide choice of services, all of which are especially created to protect against and, if necessary, restore data, reputations, customer claims and lost documents. These typically include:

·        Cost of notifying clients of a GDPR breach and subsequent updates.

·        Cost of managing and mitigating reputational damage.

·        Access to forensics and incident response services.

·        Damages claimed by clients as a result of a GDPR breach.

·        Loss incurred by third parties through your transmission of a virus or other malware.

·        Cyber extortion / blackmail / ransomware.

·        Electronic theft and computer / telecommunications fraud.

·        Social engineering fraud.

·        Access to 24/7 incident helpline.

Firms stand the best chance of avoiding these threats if they have a healthy understanding of them. If and when an assault occurs, insurers can step in and provide any or all of the aforementioned services.

One of the most common cyber attack methods is called ‘Business Email Compromise’ fraud. This is where an email is sent from what appears to be a trusted source, like the ‘boss’ or senior mangement, with an instruction, usually to send money, which is diverted to the criminal’s account.

This kind of attack can be harmful when people are involved, though there are indications that ‘humans’ are clicking much less frequently these days.

Encouraging awareness

Firms who encourage cyber security awareness in their staff will also stand a better chance of avoiding an attack. Staff paying greater attention to incoming emails and Web downloads reduces the likelihood of a cyber attack by empowering them to play a vital role in protecting the business to become its ‘human firewall’.  

Having a Cyber Essentials Certification, especially Essentials Plus, will also help secure better terms from your insurers. Having these credentials will reassures them that the business has subjected itself to scrutiny and, in the case of Essentials Plus, an onsite audit of its policies, processes and procedures from top to bottom, to make it far less vulnerable.

Firms are also now starting to arrange cyber security awareness training for their staff. Typically online, these training programmes can be managed by the Human Resources department or the Cyber Security Officers office. Online courses can be arranged according to risk types; a receptionist being low risk and accounts high risk, with the former receiving relatively low risk training and accounts receiving the maximum training instruction. Most of the antivirus companies offer this kind cyber awareness training as well as many other specialist providers.

Having an annual check-up of premiums at renewal is sensible, particularly if the firm has business expansion plans. Are you expecting to enlarge your Family Law division, for instance or create a new department or planning a business takeover? Each will need a review and probably more insurance cover.

Firms that have already suffered a cyber-attack and survived will know how it feels. It shows a certain level of diligence and dedication to the firm's stakeholders and clients to have the managerial vigilance and commercial strength to handle this. A firm's intentions are communicated to insurers by paying particular attention to how the firm manages risk. In any case, having policies in place to handle hacker, phishing and ransomware threats demonstrates the company's dedication to protecting itself.

Some are still opting to not take insurance, despite the evidence showing that cyber insurance can make a big difference to a firm’s reputation and market standing. Regulators like the ICO, SRA and FCA may believe that a firm is not taking client privacy and data security seriously enough if it does not have a policy and place the firm on their ‘naughty list.’

The Financial Conduct Authority (FCA) continues to encourage firms to sign-up for cyber insurance, encouraging them to protect clients’ privacy as part of their responsibility to treat clients fairly as well as their compliance obligations within GDPR and ICO regulations. They are also responsible for organising Cyber Coordination Groups (CCGs) that coordinates better cyber security in the insurance, legal and SMEs sectors.

Ultimately, if organisations are to manage the ever-present threat of cyber-attacks, they will need to be prepared to build defences by using every means possible, including cyber insurance.

Alastair Murray is director at The Bureau the-bureau.co.uk