IT systems are an integral part of virtually every small or medium business. With this, the cost that accompanies a breach or failure of these systems grows bigger and bigger. Many businesses cannot afford the risks cyber attacks pose, which have the potential to ruin reputation as well as capacity. Insurance against a potential attack is no longer an optional expense.
Professional and management risk underwriting manager at Markel UK, Liam Greene, said that professional services businesses are most likely to be at risk from a data breach.
“They have client data, and for anyone that has client data it’s personal and business information,” he said. “It’s risky because it’s easier to get a hold of it, whether it’s via a web portal, your network, or it’s sat on a USB stick.”
Attacks targeting data are becoming more frequent by the day. According to the ‘Cost of Data Breach Study: Global Analysis’ report compiled by PWC, in 2015 there was a 38 per cent increase in detected security incidents over the previous year.
Cyber insurance is the best way to protect against the ever-present threat of a breach. Greene said while regular insurance might cover some of the damage, cyber attacks cause more specific problems.
“For insureds, particularly for SMEs, the main risks, which they may not immediately appreciate, are in what happens in the critical 48 hours after the breach has occurred,” he said. “How breaches are dealt with, both in terms of the insured’s own IT capabilities, and in terms of impacts on customers, really can make or break a business. SMEs probably won’t have the technical, legal, web and credit monitoring, and PR resources which may need to be deployed straightaway after a breach is identified, which is why access to these resources is an integral part of our cyber policies.”
Markel’s cyber insurance covers the three main components of a breach.
First is the technology, which leaves a company scrambling to measure the extent of the damage. According to Greene, an in-house or contracted IT department might not make for an impartial assessor.
“They might be worried about their own professional services and whether they’ve missed anything, so really getting in an expert who’s independent, who’s quick and experienced on the subject. That’s the essence of what cyber cover is,” he said.
After a data breach a business also needs to consider their legal responsibilities.
“Since about the 2000s most of the states in the US have had a requirement to report cyber breaches to their respective regulators,” said Greene. “Regulation isn’t that prescriptive in the UK, although telecom companies are required to report breaches to the Information Commissioner’s Office. But increasingly there’s the development of a voluntary trend to report and make breaches public. That’s partly driven by views of people’s right to know if their private data has been stolen but also because people who have had data stolen now have the right to take legal action against the organisation that lost it.”
The legal actions a company may have to take can change quickly, and businesses need to get fast advice. Greene recalled a case involving an extortion attempt, where a company was blackmailed with the threat of all their client records being released. The blackmailers produced a small number of records, claiming this was proof they had access to everything.
“The business had no evidence they did have all the files, so they didn’t want to tell everyone their data might have been breached because they didn’t want to scare everyone unnecessarily,” he said. “As the whole claim unfolded the IT service providers looked at the network, whether it had been breached and whether any members of staff had pulled data off the system. And when it did become apparent that data had gone, the legal advice changed.”
A business also needs a plan on how to publicly handle a breach in order to protect their reputation. An example of poor PR management is TalkTalk’s response when it suffered an attack in 2015. The company decided to talk to the media before it informed its customers while sending very unclear messages regarding the extent of the damage. Cyber insurance, such as Markel’s, will equip a business with a plan to make sure it doesn’t stumble during its response.
Greene said companies still see the risk of a data breach as an IT issue rather than an insurance issue, and should instead consider treating their data like they would a building.
“I don’t need the best lock in the world and every intruder detection system going, I just need a decent building lock and insurance policy in case it’s broken,” he remarked. “It’s a balance of spending all your money upfront on IT security, or doing the right thing and having an insurer to sit behind you.”
A cyber insurance policy such as Markel’s answers all the big questions a business has to ask itself when it needs to respond quickly and effectively to a cyber security crisis.