Cyber Insurance for Small Businesses

CiSP – Cyber Security at your finger tips

by
Artificial Intelligence

CiSP stands for the Cyber-security Information Sharing Partnership and has been formed jointly by industry and government which sits in CERT-UK.

What is CiSP?

It is an online social networking tool that was established in 2013 which allows members to exchange information on threats and vulnerabilities as they take place. CERT – UK is the national computer emergency response team with a number of responsibilities that stem from the UK Cyber-Security Strategy. It is used by many businesses across industry and provides reports that help its members to improve their awareness of cyber security threats.

www.cert.gov.uk/cisp

Recently the South West Regional Group launch of CiSP took place , this was the 12th and final launch carried out in the UK. This was jointly sponsored by the SW Regional Cyber Crime Unit (RCCU) , CERT-UK and J.P. Morgan (Regional Champion). The profile of the sponsors demonstrates the importance that attaches to CiSP and the impact that is perceived that it can make in developing the cyber security programs of businesses.

Why should you become a member of CiSP?

  • Early warning of cyber threats that may affect businesses
  • Collaboration between businesses and government in a secure environment
  • Ability to help businesses protect their livelihood from cyber threats
  • Businesses can learn from the experiences of others….both mistakes and the successes
  • Availability of specific sector content on cyber threats and incidents that have taken place
  • Businesses that have a small or non-existant cyber security budget can avail themselves of the information
  • Any business can join and benefit from the scheme
  • It costs nothing to become a member and can help a businesses prepare for a cyber attack

CiSP Membership Link

How CiSP can help a Business?

  • Alerts and advisory papers on cyber security
  • Reports om trend threats
  • Malware and phishing e-mail analysis
  • Guidance and best practice on common areas on both a national and global basis

One of the key features is the Fusion Cell that consists of a team of analysts taken from government and industry who provide source analysis of cyber threats and vulnerability updates.

The scheme is aimed at SME’s who are considered one of the most vulnerable business sectors with varying degrees of cyber maturity. It is therefore important that they understand how to protect themselves from cyber attacks and the resulting cyber crime that can occur.

Industry Endorsement

The British Insurance Brokers Association ( BIBA) is going to sponsor its members to join the scheme in order to help improve awareness about cyber cyber risks that exist.

This will no doubt become a common theme within other industries in the future.

Insurance has a role to play 

Cyber insurers and specialist insurance brokers can also contribute to CiSP by providing current data and information of cyber security attacks and data breaches that they have been involved with and managed.

 

Cyber Business Interruption – “Biggest Concern”

by
cyber business interruption

Cyber business interruption is considered by 49% of businesses to be their biggest concern in the event of  a cyber breach according to the Institute of Directors recent policy report “Cyber Security; underpinning the digital economy”

Cyber security: underpinning the digital economy

The report, sponsored by Barclays carried out a survey of 1000 businesses which showed that one in eight members suffered damage as a result of a cyber business interruption attack. Of this 11% suffered actual financial loss which demonstrates that cyber crime can impact on the balance sheet of businesses in a significant fashion. Interestingly only 28% of these incidents were reported to the police.

Some other highlights of the Institute of Directors Policy Voice Survey were as follows:-

  • 57% had a formal cyber/information security strategy in place
  • 49% said they provided cyber awareness training for employees
  • 43% didn’t know where their data was physically stored
  • 72% experienced social engineering scams
  • 20% hold cyber insurance (with 21% unsure if they did have this)
  • 21% are considering the purchase of cyber insurance

The survey demonstrates that cyber security is taking a much higher profile within businesses and they are now actively improving their cyber security but there is room for considerable improvement. There were many key moments in 2015 with the high profile breaches of TalkTalk and Ashley Madison which has made businesses look up and think ” could this happen to us”? The answer is of course “yes” and in fact could be happening right now with an average breach taking six months to discover.

Richard Benham, Professor of Cyber Security Management , the author of the report has identified four key trends that are likely to become increasingly important in the coming years:-

  1. Cyber in the boardroom – cyber risk is now at boardroom level and cyber risk strategies are likely to be formulate here.
  2. Cyber education – the UK government will play an important role through the promotion of Cyber Essentials and the instigation of courses such as The National Awareness Course.
  3. The Cloud – this will rise in prominence but businesses most not ignore the management of their data.
  4. Cyber insurance – this form of insurance has developed in recent years to cover both first and third party exposures of a businesses , whilst still an evolving product it is being considered by more businesses and this is likely to increase.

The Institute commented  “Our report shows that cyber must stop being treated as the domain of the IT department and should be a boardroom priority. Businesses need to develop a cyber security policy, educate their staff, review supplier contracts and think about cyber insurance.”

The report concludes highlighting that cyber security is an international threat, the suggested key is to have in place a credible plan that can assess the large spectrum of threats and how these can best be managed by a business.

UK businesses can achieve this through robust cyber security management , this should be complemented with cyber insurance on the basis that coverage is appropriate for the business and that it is not recognized to be the “cure for all evils” in the cyber threat landscape that exists today.

A cyber insurance policy can provide coverage for cyber business interruption by way of standard coverage or a bespoke policy endorsement therefore helping a business to manage this cyber peril.

Cyber Insurance – The Moody Teenager

by
cyber insurance

Cyber Insurance in its current format can be likened to a “moody teenager” – it is going through some growing pains , searching for an identity and not yet attractive to the opposite sex !  In insurance terms , cyber insurance is still evolving, the policy coverage is still developing and it is still not recognized as an essential insurance policy that a business should purchase. So why is this…. ?

The cyber insurance market has seen it’s profile increased significantly over the last few months. A number of factors have contributed  to this such as the TalkTalk breach, together with a number of other high profile data breaches and the increase in social engineering cyber crime. The Information Security Breaches carried out by pwc last year indicated that security breaches were on the increase. 90% ( 80% 2014) of large organisations and 74% ( 60% 2014) of small businesses suffered a security breach.

This “moody teenager ” however does not seem to be ready for the big wide world and is being held back by a number of factors :-

1.Knowledge

Businesses do still not possess the knowledge to have the confidence to purchase this form of policy due to a lack of education by the insurance industry and associated professions. Some businesses are under the impression that they already have adequate cyber coverage within their professional  indemnity or property insurance policies.This is also not helped by the lack of consistence terminology and of coverage within the policy wordings provided by insurers and makes assessment of the purchase difficult , even with the guidance of an insurance broker.

2. Policy Coverage

The cyber insurance policy in the UK is still very much at an embryonic stage , the policy coverage offered is still developing and not yet fully responding to certain areas such as reputational damage , property and bodily injury cyber related incidents. There is however the availability of “gap policies” provided by certain insurers , but no “one stop” solution.

3. Cost Prohibitive

The cost of cyber insurance in many quarters is still considered expensive to a business and if a business does not consider it “fit for purpose ” then they will be reluctant to take out this form of insurance. Insurers are however attempting to reduce premiums to attract policyholders but this tends to be where perceived exposures are much lower.

4. IT Reluctance

The IT team within a business is a stakeholder in the purchase of cyber insurance and it can be seen on many occasions that they are a reluctant purchaser of this form of insurance, as they feel that the business has the required technology and security to combat a cyber attack. This is borne out by the Wallix.com survey carried out last year with IT professionals whereby 47% of the profession thought that there was ‘insufficient need’ to invest in cyber insurance.

5. Data & Privacy Laws

There is no compulsory data notification laws in the UK and therefore businesses do not feel that there is a need to purchase cyber insurance . This is a common misconception as cyber is a modular policy and offers a number of other areas of coverage such as business interruption , cyber extortion and website damage.

6.Maturity of Market

The UK cyber insurance market is behind the US equivalent by a number of years which is due to the fact that compulsory data notification laws has been in existence in many states for some time and also the US has a much more mature claims experience in a highly litigious climate. The UK cyber insurance will therefore always be at a different stage of development that its US counterpart, this could however in the long term could be to their advantage with advanced analysis and technological advancements available to insurers to develop this specialized insurance product.

Increased collaboration between insurers, insurance brokers and the cyber security sector is a way forward and there are definitive signs that this is happening which will improve the current dynamics of cyber insurance , after all cyber insurance is only part of risk management armory that a business should have in place to combat cyber security threats.

 

Small Businesses – Cyber Security

by
Small Businesses - Cyber Security

It may be obvious but what cyber security exposures does a small business have that could lead to cyber crime or a data breach ?

A typical small business is likely to have the following  cyber security exposures:-

Computer Servers – your servers and servers of other third parties of who you may be dependent upon.

Laptops – of all your employees and any temporary staff.

Mobile Devices – do you know who has a mobile device, do they work from home , do they use wi-fi in the local coffee shop ?

Removable Media – are all USB sticks accounted for and are employees allowed to remove then from the office?

Paper Records – do you still use paper files , these should be replaced by electronic files.

Electronic Files – what data is stored on your electronic files , is it personally identifiable information ?

Company Website – is this protected by the most up to date firewalls?

Databases – what data is stored on your electronic files , is it personally identifiable information ?

Software – how old is your software , does it need to be updated , is it regularly patched ?

Computer Networks – what is your dependency on third parties?

Use of Cloud Services – does your cloud provider purchase professional indemnity insurance ?

Once you are comfortable that your have identified all of your technologies , a risk analysis should be carried out , followed by a review of your internal procedures such as the website privacy policy and conditions. This should be carried out in tandem with all of your external procedures and providers , such as any third party and cloud providers for whom your computer services may be relying on.

Are your Business Continuity Plans and Disaster Recovery Plans up to date ?

Are your staff trained in all the most up to date cyber security company policies ?

Have you considered Cyber Insurance for your business  ? – the purchase of this type of insurance is the balance between owning your cyber related exposures and being confident that you can manage and accept these risks. This is against the risks that you may not be able to manage and the areas that could cause the business a significant loss and impact severely on your balance sheet.

A Data Breach might be happening right now …

by
A Data Breach Might Be Happening Right Now ....

Data Breach – this can occur when you don’t know it and could be happening in your business right now …….

The average time before a data breach is detected in a business is 205 days and has been know to be as long as 8 years.

In the real world a bank robbery occurs in a matter of minutes , in the virtual world a compromise to your security and the gradual stealing of data could occur over many days and even years without you being aware.

It is therefore very important that a businesses has effective cyber security measures in place to combat and manage a potential data breach.

The key to this process centers around three main areas:-

  • The most up to date software or software that is regularly patched.
  • Effective risk management procedures which are constantly reviewed and supported by management at all levels.
  • Regularly updated business continuity /disaster recovery plans.

With this in place it increases the chances of discovering a compromise of your computer systems at an early stage…. – it is very unlikely that you will achieve 100% certainty.

Once discovered it is vitally important that the management of a data breach is carried out in a prompt and organised fashion . If it is not it could make the difference between a business surviving and not being a viable entity post data breach.

A cyber liability insurance policy can help mitigate the impact of a data breach by providing the following benefits:-

  • Crisis Management – this involves the appointment of a crisis management consultant to assess and manage the data breach.
  • Public Relations Costs – the purpose of a PR consultant is to manage the data breach in the public domain so that reputational damage can be minimal.
  • Call Center Costs – the utilization of a call center will assist in the additional costs incurred in the management of customers concerns about the possible loss of personal information and notification of the incident.