Dixons Carphone breach: What are the cyber lessons learned?

Millions of customers’ payment card information and personal data records leaked


By Lucy Hook

Another day, another cyberattack: the latest victim of a major hack in the UK is Dixons Carphone, which recently admitted to a huge breach involving 5.9 million payment cards and 1.2 million personal data records.

The attack, which came to light earlier this month but is reported to have happened in July last year, comes just months after Carphone Warehouse was fined £400,000 by the Information Commissioner's Office (ICO) for an earlier breach that took place in 2015.

While not all businesses will hold millions of customer records, Phil Edwards, managing director at QPI Legal, which is part of the PIB Group, tells Insurance Business that all companies today need to face up to the threat of a cyber event.

“If you talk to cybersecurity experts they will tell you that it’s not a question of if, it’s a question of when,” Edwards said.

Cyber criminals today are ahead of the game: “It’s very difficult to stop them completely. You’ve got to try and slow down their progress, but then be ready to react if and when it does happen.”

And while corporate giants such as Dixons Carphone are often considered the most visible targets for hackers, smaller businesses are no less at risk.

“These criminals are not as directly targeting as people think. They throw out a wide net and see who they can catch – and it’s usually the people who’ve got the poorest defences that they will catch,” Edwards said.

“With Dixons, I’d imagine they are probably much more of a targeted risk due to the size of the information base being stolen. But cyberbreaches like this don’t just happen because people hack into your systems and steal information. Cyber risk is across the board, it is for everybody.”

Under the new General Data Protection Regulation (GDPR) laws, Dixons Carphone will be required to take a number of actions, including notifying all affected individuals. It may also need to keep a running credit check on those individuals for 12 months to monitor whether any third parties attempt to use the stolen data – an aspect that the better cyber policies can cover – Edwards explained.

Having notified the ICO – which, under the GDPR, must be done within 72 hours of discovering a breach – the company has so far handled the event “reasonably well,” according to Edwards.

“There hasn’t been a big panic about it, they have told people what they are doing and how they are going about it, and actually, their name hasn’t been muddied.”

Having a contingency plan in place is crucial for organisations today, particularly as social media fuels the fire of reputational risk around breaches.

Brokers can play a key role in helping businesses manage their cyber exposure and contingency planning – but an understanding of this specialist area is key, Edwards urged.

“The main point is to talk to somebody who understands cyber risk, who understands the differences in the policies, and who understands how it would react to the different risks within a particular business and culture,” he said.

“It’s also crucial to understand the importance of key aspects like getting the PR right when you have experienced a problem. Very often when I talk to my clients about cyber, I do so as a portfolio of policies and look at where it fits in or overlaps with the others. It’s not OK for policies to have gaps in between them, because clients can then have a false sense of security. That’s one of the biggest risks – assuming you’re insured when you’re not.”
