A Defining Year for Cyber Risk

Cyber Security Threats

2016 has been a defining year for cyber risk….

There have been many events that have contributed towards shaping cyber risk this year however there are a number of stand out “Influencers” that have impacted on businesses during the year and will continue to do so in the future.

This has raised the awareness of cyber risk in the UK and within the business community as a whole.

Such “Influencers” that have had a bearing on cyber risk are the following :-

1.The Threats


Ransomware is a form of malicious software that a hacker uses to encrypt the hardware of a computer, the hacker then extorts money normally in the form of bitcoins in exchange for the decryption code.

This form of cyber attack is now the most common in the UK with 54% of SME’s experiencing a ransomware attack. Surprisingly this is higher than in the US which is at 47%.

The impact is loss of income as a result of paying the ransom, loss of files, time spent by the business on remediation, downtime and the possible loss of life.

There is no sign of abatement of this form of cyber attack.


Phishing is recognized as a method utilized by hackers to gain access to personal or business details in order too commit a crime. This is normally an act of fraud or used to cause disruption to a computer system. It can involve the sending of a bogus invoice sent by e-mail requesting the payment of money to hackers bank account.

The UK is one of the most targeted countries for phishing scams.


Internet of Things     

The Internet of Things is the internet working of “connected devices”, “smart devices” including buildings via embedded electronics, software or sensors. These then enables these objects to collect and exchange data.

When these devices are infiltrated by a hacker the potential to cause disruption is enormous. The treats are two fold which can result in  denial of service attacks or the compromising of security leading to a breach of privacy.

This year saw a cyber attack on Dyn through the malware strain Mirai which targets vulnerable Internet of Things devices. The botnet used in this attack was possible via a compromised digital video recorder.

These forms of attacks are only likely to increase in the future as “connected devices” do not have adequate security protection in place to prevent such attacks.

2.The Breaches


Yahoo announced in the space of a couple of months two major breaches of their user accounts . One occurred in 2014 and consisted of the theft of half a billion of their user accounts , the other in 2013 thought to believed to be nearer a billion. Both attacks are believed to be state sponsored.

These are two of the largest ever recorded compromises of personal information. It demonstrates that attacks of this nature are getting larger and that high profile companies are still a principal target for hackers.


Banks were hit hard by a number of cyber attacks this year ……. the list is a long one…..Bangladesh Central Bank where USD850M was stolen, Swift attacks on  banks in the Phillipines and Vietnam and the Banco del Austro, attacks also took place in the Ukraine and a number of US and Canadian banks.

In the UK , Tesco bank , HSBC and NatWest were all subject to cyber attacks but with limited losses to the banks.

Cyber attacks on financial institutions have increased dramatically over the past twelve months and good cyber risk management should be a key consideration for this sector.

SME’s and Public Sector are now a focus for Hackers

This year saw SME’s being the subject of increased cyber attacks and demonstrating that they too have a real cyber risk which cannot be ignored. Ransomware attacks were seen at businesses such as hairdressing salons to florists.

Local authorities and hospital were also targeted, the unluckiest county was probably Lincolnshire…… with the county council being hit by a ransomware attack and various hospitals in Grimsby, Scunthorpe and Goole where their computer network was compromised.

3.The Regulation

The Information Commissioners Office (ICO)

The ICO showed it’s teeth and fined TalkTalk GBP400,000 for various security failings following the cyber attack that took place last year.

It is likely that we will see the ICO exercise these powers more and more in the run up to the General Data Protection Regulations when they come into effect in 2018.

General Data Protection Regulations

These were finally adopted in April this year and will come into force on 25th May 2018

The clock is “ticking” and all business will need to assess what data they have, where it is stored and how they mange it, irrespective as to whether they are a data processor or data controller.

The fines for a breach are 4% of gross annual turnover so non-compliance is not an option.

Privacy Shield

The Privacy Shield is now “live” coming into force on the 1st August replacing the Safe Harbour. There have already been some challenges to this notably by Germany and its current framework maybe subject to change in the coming year.

What Else ….. ?

The Panama Papers, Brexit, Trump, the development of cyber insurance….. the list is endless.

This year has without doubt been a defining year for cyber risk….. 2017 will further shape the exposures and the vulnerabilities that businesses face from cyber risk.


Image : Shutterstock

The Basics of a Cyber Insurance Policy

Cyber Insurance Policy

What are the basics of a Cyber Insurance Policy?

This specialist form of policy provides coverage for internet based risks and data related exposures of a business.

It consists of third party and first party section where insurers follow a modular format, breadth of coverage varies from insurer to insurer. It is therefore important that you obtain the appropriate coverage once your cyber risks have been identified.

Cyber Insurance should not be considered in isolation and should form part of a businesses cyber risk management program.

The Basics of a Cyber Insurance Policy:-

1. Third Party Section

Network Security Liability

This provides coverage for a businesses liability to a third party as a result of the destruction of a third party’s electronic data. This also encompasses an inadvertent transmission of a computer virus to a third party.

Data Privacy Liability

This relates to liability to a third party which may cause unauthorized disclosure of personally identifiable information or corporate information.

Multimedia Liability

Your liability arising from content on your website as a result of a defamatory comment, infringement of copyright or invasion of privacy.

2. First Party Section

Network Business Interruption

This represents coverage for the interruption or suspension of your computer systems as a result of a network security breach or network failure , the later of which may not be automatically included. Insurers will reimburse a businesses and any expenses incurred in order to mitigate this.

Data Asset Protection

This provides coverage arising out of the corruption or destruction of your computer systems. The loss covered is the replacement and restoration costs.

Cyber Extortion

A threat to the computer network where a ransom has been demanded, this will include negotiation costs.

Crisis Management

Costs associated with responding to a data breach including forensic costs, credit monitoring, call center costs and public relations costs.


In addition to the policy coverage , it is important that the insurer is able to provide “vendors” who will manage a data breach , this should include as a minimum a solicitors , a forensic investigation company and a crisis response team.

Possible extensions to a Cyber Insurance Policy:-

Certain extensions are available generally for an additional premium , such as coverage where network interruption that has been caused by an outsourced service provider or that outsourced service provider has suffered a system failure that impacts on a business.

Further extensions can include coverage where there has been a cloud service failure that affects a business and criminal reward fund that allows for a reward for information that leads to the successful conviction of a hacker.

The Policy Limit 

The policy will be on an “aggregate” policy basis, i.e. the total number of claims made in any one policy year will not exceed the annual aggregate.

The Policy Excess 

A self – insured excess will be imposed by insurers which is the first part of any claim that the policyholder will need to pay.

The business interruption module will also be subject to a separate excess which is normally an hourly figure. This section will be subject to an indemnity period , which is the period that the policy will provide coverage for this module.

Does a Professional Indemnity policy provide coverage for Cyber Liability?

Professional indemnity policies have developed in recent years to provide a broad basis of coverage know as “civil liability” It is generally accepted that this type of policy provides elements of coverage that would fall into the third party section of a cyber liability policy and are recognized as the following :-

  • Breach of privacy of third parties personal data or confidential corporate information caused as a result of a compromise of a computer system.
  • Defamatory comments placed on your website as a result of unauthorized access to your computer systems by a hacker.
  • Inadvertent transmission of a computer virus, logic bomb, worm or Trojan horse by an employee that causes damage or loss to third parties computer systems.

Professional indemnity policies have insuring clauses that are tied back to claims being made arising out of the professional business of firm however cyber liability requires a wider policy trigger such as those losses caused as a result of an unauthorized access of a firm’s computer systems.

Cyber Liability Extensions 

An number of professional indemnity insurers will provide various cyber insurance related extensions, such as hacker damage or cyber extortion, these are only normally for small sub-limits of the main policy. One point to bear in mind if cyber extensions are added to a professional indemnity policy which is on an aggregate policy basis, any claims made arising out of cyber claims will go towards the overall erosion of the overall aggregate policy limit.


Some exclusions to take into account that may impact on the extent of cyber coverage under a professional indemnity policy are the deliberate acts and terrorism exclusions.

Not a substitute

The coverage for cyber liability under a professional indemnity policy should not be construed as a substitute for a stand alone cyber insurance policy and it is important that you seek proper advice from an insurance broker as to whether you have a requirement to purchase a cyber insurance policy.