The Case for Cyber Insurance
23 January 2024
Cyber insurance is a hot topic in boardrooms today with discussions about employee security awareness training programmes coming in a close second. Insurers today offer a wide selection of innovative cyber related insurance products to afford their policyholders protection against all manner of cyber-attacks.
The threats posed my cyber-criminals through hacking and ransomware are constant. Technology is trying to keep-up with phishing and malware downloads that plague Webservers, but lax security both in the office and homes, exploit weaknesses to highjack computer networks and steal precious data.Regulators like the Information Commissioners Office (ICO) require firms to report to them if any personal data has been lost in 72 hours. A tall order for any size of firm, whoever they are. However, today most cyber insurance policies provide a 24/7 Helpline allowing time to decide if they should in fact alert the authorities or not.
Most cyber-risk insurance policies offer these core covers, giving firms a crucial lifeline when they suspect or indeed have had a cyber-attack. Most attacks target poorly protected Webservers. However, those that have a Web Application Firewall (WAF) or Intrusion Prevention System (IPS), will examine any incoming emails and Web downloads for suspicious content and block them, if needs be. It is a sort of ‘gatekeeper’ of the Webserver that protects the firm from common breaches, such as spyware and virus attacks.
Many firms now have cyber insurance to prevent their Webservers from being hacked. Firms are taking their insurance plans more seriously now and not just for PII or commercial policies, but their cyber risks too. Commentators report that firms known to have taken out cyber insurance appear to have greater loyalty amongst their clients in contrast to their more hesitant rivals.
In some ways the term ‘cyber’ puts too much emphasis on IT solutions to deal with attacks. Whilst IT is certainly part of the answer, there is much more that firms can do to protect themselves. Having the office or practice manager to oversee security throughout the office is one possible answer. When firm’s stored their records manually, not online, it was simple to lock them up and go home. Today requires a lot more planning with encryption and strong passwords.
Most off-the-shelf software systems, like Microsoft 365 offer firms good storage solutions which when combined with multi-factor authentication acts as a double lock. There are many ways to keep your firm safe from attack; some firms have written their own cyber security policies, others maintain an assets register, stressing the importance of cyber security in the office is another, staff rules, the do’s and don’ts when using the office network and at home, testing of back-ups and restored data, updating of operating systems, as well as having a specific ‘go to’ person in the office for reporting possible security issues.
A lot of firms have some if not all these now in place to keep staff up to date with helpful guidance. With today’s cyber insurance policies, you are treated to the luxury of a broad range of services each specifically designed to guard against, and if need be, repair data, reputations, client claims and the restoration of lost records.
These will typically include: • Cost of notifying clients of a GDPR breach and subsequent updates. • Cost of managing and mitigating reputational damage. • Access to forensics and incident response services. • Damages claimed by clients as a result of a GDPR breach. • Loss incurred by third parties through your transmission of a virus or other malware. • Cyber extortion / blackmail / ransomware. • Electronic theft and computer / telecommunications fraud. • Social engineering fraud. • Access to 24/7 incident helpline.
Having a healthly appreciation of these threats offers firms their best chance of avoiding them and if and when they are attacked, insurers can intervene and apply some or all the services mentioned above. One of the most common cyber attack methods is called, ‘Business Email Compromise’ fraud. This is where an email is sent from what appears to be a trusted source, like the ‘boss’ or senior mangement, with an instruction, usually to send money, which is diverted to the criminal’s account. Where there are humans involved this type of attack can be dangerous, although the signs are that ‘humans’ are doing a lot less clicking these days.
Firms who encourage cyber security awareness in their staff will also stand a better chance of avoiding an attack. Having staff paying greater attention to incoming emails and Web downloads reduces the likelihood of a cyber attack by empowering them to play a vital role in protecting the business to become its “human firewall”. Having a Cyber Essentials Certification, and especially Essentials Plus, will also help secure better terms from your insurers. Having these credentials will reassures them that the business has subjected itself to scrutiny and, in the case of Essentials Plus, an onsite audit of its policies, processes and procedures from top to bottom, to make it far less vulnerable.
Firms are also now starting to arrange cyber security awareness training for their staff. Typically online, these training programmes can be managed by the Human Resources department or the Cyber Security Officers office. Online courses can be arranged according to risk types; a receptionist being low risk and accounts high risk, with the former receiving relatively low risk training and accounts receiving the maximum training instruction.
Most of the antivirus companies offer this kind cyber awareness training as well as many other specialist providers. 2022 was another record year for cyber crime with criminals continuing to exploit home workers and office email addresses. With more firms now insured, industry as a whole is safer. Employers are making their home workers security more robust, whilst improving IT systems back in the office. Premiums for cyber insurance are holding steady and although some commentators are predicting rates rising, most have kept their premiums in line with inflation. Having an annual check-up of premiums at renewal is sensible, particularly if the firm has business expansion plans. Are you expecting to enlarge your Family Law division, for instance or create a new department or planning a business takeover? Each will need a review and probably more insurance cover.
Firms who have already suffered a cyber-attack and survived will know how it feels. Having the managerial vigilance and commercial strength to deal with this demonstrates a type of due diligence and commitment to the firm’s stakeholders and clients. Paying close attention to the firm’s approach to risk and its management sends a signal to the insurers of the firm’s intentions. In any event having set procedures in place to deal with hackers, phishing, and ransomware attacks shows-off the firm’s commitment to defending itself.
The evidence that cyber insurance can make a big difference to a firm’s reputation and market standing seems clear but some are still opting to just risk it! By not having a cyber insurance policy regulators such ICO, SRA and FCA may assume the firm is not taking its client privacy and data security seriously enough and put them on the naughty list. The Financial Conduct Authority (FCA) continues to campaign for firms to sign-up for cyber insurance, encouraging them to protect clients’ privacy as part of their responsibility to treat clients fairly as well their duty of care and fair presentation. They are also responsible for organising Cyber Coordination Groups (CCGs) that coordinates better cyber security in the insurance, legal and SMEs sectors.
This group encourages professional firms to take out cyber insurance as part and parcel of their wider obligations to clients and compliance with GDPR and ICO regulations. Cyber-security awareness is crucial for any firm looking to improve its in-house security, staff resilience towards phishing, malware, ransomware extortion and looking to comply with GDPR and UK data protection legislation. If organisations are to manage the ever-present threat of cyber-attacks, they will need to be prepared to build defences by using every means possible, including cyber insurance.
Other Press Releases By This Company
- 23/01/2024 - Hybrid Office
- 30/11/2023 - Cloud Services - Things Worth Checking
- 04/04/2023 - Email marketing was the most used digital communication tool in 2022.
- 27/01/2023 - Cloud Services – things worth checking
- 27/01/2023 - 'Prove It'
- 02/12/2022 - Cloud Services – things worth checking
- 02/12/2022 - Designing a Cyber Defence Strategy for your Firm
- 12/10/2022 - 'Prove It'
- 02/08/2022 - Social Media - No longer an abstract asset?
- 02/08/2022 - Grow Your Website & Online Presence
- 02/08/2022 - Tackling data overload and cybercrime
- 06/06/2022 - Using Our Smartphone Security Credentials
- 06/06/2022 - Making Home Working Work
- 06/06/2022 - Tackling Incoming Cyber Threats
- 05/05/2022 - Videos and Social Media
- 14/04/2022 - Digital Signing Conveniences
- 14/04/2022 - Zero Trust Cyber and Data Security
- 14/04/2022 - Firms Getting Serious About Cyber Security
- 14/04/2022 - Create a Bigger and Better Web Presence
- 14/04/2022 - What is Social Engineering?