
Cyber Insurance – Is your business covered?


02/07/2015

Businesses rely heavily on computer software and the internet when dealing with digital data and they are becoming increasingly aware of the cyber risk exposure faced by their organisations.

Over the last few years there has been increasing focus on cyber risks and associated insurance cover.

A UK Government survey carried out in 2014 estimated that 81% of large corporations and 60% of small businesses suffered a cyber-breach in 2014. Whilst over 60% of incidents reported to insurers are the result of accidents, cyber-crime is now the world’s fastest growing category of organised crime and the majority of high value losses stem from actions designed to cause harm.

1. Definition of Cyber Risk

The Institute of Risk Management defines cyber risk as,

“Any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.”

Almost every organisation faces exposure to loss resulting from damage or destruction of its computers and computer networks. This can lead to business interruption, income loss, damage management and repair costs and reputational damage.

Non-malicious events such as major physical incidents, for example fires, explosions, floods and natural disasters, can have a devastating effect on a business. A good example is the recent Holborn underground fire, which caused considerable damage to services, affecting network access for hundreds of businesses and, in some cases, causing consequent supply chain disruptions.

Malicious events such as cyber-attacks are designed to cause maximum disruption by exploiting vulnerabilities within a business's IT framework. Such attacks can result in the theft of commercially sensitive information or intellectual property, destruction or deletion of data and software, theft of funds, reputational damage and liability to third parties (such as customers and supply chain partners).

2. Potential Losses from Cyber Attacks

Potential losses deriving from cyber-attacks or non-malicious IT failures fall into the following categories:

Loss category: Description

Intellectual property (IP theft): Loss of value of an IP asset, expressed in terms of loss of revenue as a result of reduced market share.

Business interruption: Lost profits or extra expenses incurred due to the unavailability of IT systems or data as a result of cyber-attacks or other non-malicious IT failures.

Data and software loss: The cost to reconstitute data or software that has been deleted or corrupted.

Cyber extortion: The cost of expert handling for an extortion incident, combined with the amount of the ransom payment.

Cyber-crime/cyber fraud: The direct financial loss suffered by an organisation arising from the use of computers to commit fraud or theft of money, securities, or other property.

Breach of privacy event: The cost to investigate and respond to a breach event, including IT forensics and notifying affected data subjects; third party liability claims arising from the same incident; fines from regulators and industry associations.

Network failure liabilities: Third party liabilities arising from certain security events occurring within the organisation’s IT network or passing through it in order to attack a third party.

Impact on reputation: Loss of revenues arising from an increase in customer attrition or reduced transaction volumes, which can be directly attributed to the publication of a defined security breach event.

Physical asset damage: First party loss due to the destruction of physical property resulting from cyber-attacks.

Death and bodily injury: Third party liability for death and bodily injuries resulting from cyber-attacks.

Incident investigation and response costs: Direct costs incurred to investigate and ‘close’ the incident and minimise post-incident losses.

3. Risk Profile

For larger organisations, intellectual property theft is considered to be the risk with the most severe impact. Quantifying it can be challenging, because IP assets, and the loss an organisation suffers when they are stolen, are difficult to value. Other key risks include the unauthorised disclosure of personal data, system outage events and the consequent reputational damage. In fact, it is estimated that reputational damage accounts for 5% – 20% of the cost of a cyber-security breach for large businesses.

Whilst physical losses are a less publicised element of cyber breaches, they are a growing concern and can include damage to plant and machinery and system malfunctions. In Germany in 2014 a spear phishing scam allowed hackers to access a steel mill’s systems, preventing a blast furnace from shutting down in the appropriate manner and causing massive damage to the mill.

4. Risk Mitigation

In June 2014 the UK Government announced the launch of the Cyber Essentials Scheme. It has been designed to fulfil two functions:

  • To provide a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats; and
  • To offer a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.

The Cyber Essentials scheme concentrates on five key controls. These are:

  1. Boundary firewalls and internet gateways – devices designed to prevent unauthorised access to or from private networks;
  2. Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation;
  3. Access control – ensuring that only those who should have access to systems have access, and at the appropriate level;
  4. Malware protection – ensuring that virus and malware protection is installed and is up to date; and
  5. Patch management – ensuring that the latest supported version of each application is used and that all the necessary patches supplied by the vendor have been applied.

In addition to implementing those basic cyber security controls, an organisation may undergo certification, and it is expected that insurers, investors and auditors will start to take certification into account when assessing an organisation’s risk profile.

5. Cyber Insurance

Earlier this year the Association of British Insurers suggested that cyber insurance should become as common a purchase for UK businesses as property insurance within the next decade.

The ABI notes that there are five key reasons why cyber policies are a business essential. These are:

  • Cyber-crime is one of the fastest growing forms of crime in the world;
  • Cyber threats are at the cutting edge of technology, changing so rapidly that it is almost impossible for individual companies to keep their defences ahead of the game;
  • Businesses are increasingly dependent on IT for their everyday activities;
  • Cyber-attacks and failures can result in businesses closing or having to dramatically change what they do;
  • The British insurance market is already able to offer businesses cyber insurance products; the market in London being responsible for more than 10% of global cyber insurance business.

MRIB has been working with our clients, guiding them through the product options. As with all new products, the perception is that the cost can be prohibitive, but it is not.

Less than 10% of UK companies have cyber insurance protection even though 52% of CEOs believe that their companies have some form of coverage in place.


For further information on this issue please contact: MRIB

Email: marketing@mrib.com
Tel: 01494 455 666