The Cyber Highway…Supply Chain Essential

Are you on road to the Cyber Highway?

It is unlikely that your supply chain is travelling in this direction yet as this initiative was only launched last month in London by Lord David Blunkett, the chairman of Cyber Essentials Direct Limited.

The concept behind this is to help improve a businesses cyber security posture and to provide reassurances in their supply chain which traditionally can present a significant cyber security threat…… an area which businesses often overlook and who have little or no control over.

What is the Cyber Highway?

It is a user friendly on-line portal certification process aimed at large businesses who rely on their supply chains. Cyber Essentials is the certification process that will be utilized. which is a UK Government Scheme that was launched in 2014 to help businesses protect themselves against mainstream cyber attacks. During this process it will also be possible for businesses to monitor the progress of their suppliers in attaining Cyber Essentials accreditation.

Certain Government departments already require their suppliers bidding for contracts to be Cyber Essentials certified. This requirement is likely to become more widespread in other industries in the future as cyber security becomes an increasing focus in the commercial world.

The Benefits

  • It is designed for all business sizes
  • It is a series of clear self-assessment statements
  • The provision of a comprehensive quality assurance frame -work
  • A user friendly on-line platform
  • A fully integrated and comprehensive cyber security self auditing system
  • Provision of a complete range of accessible tools and solutions

Helping the Cyber Landscape

It assists in securing the supply chain of business

It protects the infrastructure of businesses with whom larger companies trade

Post BritExit it is important that British businesses hold a recognized cyber security certification and this will further highlight.

Cyber Claims in the Supply Chain 

One of the highest profile cyber claims is that of the Target Corporation which took place in 2013 where cyber criminals infiltrated a third party supplier in order to gain access to Target’s data network. This breach costs Target $61M and had a impact on their profits which fell 46% that year.

Stuxnet is a malicious computer worm that is normally introduced to the supply network via an infected USB flash drive and targets automated process that control machinery on factory lines. There have been a number of reported incidents involving Stuxnet.

On-line retailers is another business sector that can be susceptible to compromises due emanating from a supply chain vulnerability. Home Depot suffered a credit data breach in 2014 which was due to stolen credentials from a third party vendor.

Implications for Cyber Insurance

Cyber insurers are likely to favor the instigation of the Cyber Highway as this represents improved risk management to the supply chain of businesses which currently offers concern to them being an avenue for claims that it presents to hackers and the ability to compromise their computer systems that may lead to a data breach or resulting in cyber crime.

CiSP – Cyber Security at your finger tips

Artificial Intelligence

CiSP stands for the Cyber-security Information Sharing Partnership and has been formed jointly by industry and government which sits in CERT-UK.

What is CiSP?

It is an online social networking tool that was established in 2013 which allows members to exchange information on threats and vulnerabilities as they take place. CERT – UK is the national computer emergency response team with a number of responsibilities that stem from the UK Cyber-Security Strategy. It is used by many businesses across industry and provides reports that help its members to improve their awareness of cyber security threats.

Recently the South West Regional Group launch of CiSP took place , this was the 12th and final launch carried out in the UK. This was jointly sponsored by the SW Regional Cyber Crime Unit (RCCU) , CERT-UK and J.P. Morgan (Regional Champion). The profile of the sponsors demonstrates the importance that attaches to CiSP and the impact that is perceived that it can make in developing the cyber security programs of businesses.

Why should you become a member of CiSP?

  • Early warning of cyber threats that may affect businesses
  • Collaboration between businesses and government in a secure environment
  • Ability to help businesses protect their livelihood from cyber threats
  • Businesses can learn from the experiences of others….both mistakes and the successes
  • Availability of specific sector content on cyber threats and incidents that have taken place
  • Businesses that have a small or non-existant cyber security budget can avail themselves of the information
  • Any business can join and benefit from the scheme
  • It costs nothing to become a member and can help a businesses prepare for a cyber attack

CiSP Membership Link

How CiSP can help a Business?

  • Alerts and advisory papers on cyber security
  • Reports om trend threats
  • Malware and phishing e-mail analysis
  • Guidance and best practice on common areas on both a national and global basis

One of the key features is the Fusion Cell that consists of a team of analysts taken from government and industry who provide source analysis of cyber threats and vulnerability updates.

The scheme is aimed at SME’s who are considered one of the most vulnerable business sectors with varying degrees of cyber maturity. It is therefore important that they understand how to protect themselves from cyber attacks and the resulting cyber crime that can occur.

Industry Endorsement

The British Insurance Brokers Association ( BIBA) is going to sponsor its members to join the scheme in order to help improve awareness about cyber cyber risks that exist.

This will no doubt become a common theme within other industries in the future.

Insurance has a role to play 

Cyber insurers and specialist insurance brokers can also contribute to CiSP by providing current data and information of cyber security attacks and data breaches that they have been involved with and managed.


Cyber Insurance – The Moody Teenager

cyber insurance

Cyber Insurance in its current format can be likened to a “moody teenager” – it is going through some growing pains , searching for an identity and not yet attractive to the opposite sex !  In insurance terms , cyber insurance is still evolving, the policy coverage is still developing and it is still not recognized as an essential insurance policy that a business should purchase. So why is this…. ?

The cyber insurance market has seen it’s profile increased significantly over the last few months. A number of factors have contributed  to this such as the TalkTalk breach, together with a number of other high profile data breaches and the increase in social engineering cyber crime. The Information Security Breaches carried out by pwc last year indicated that security breaches were on the increase. 90% ( 80% 2014) of large organisations and 74% ( 60% 2014) of small businesses suffered a security breach.

This “moody teenager ” however does not seem to be ready for the big wide world and is being held back by a number of factors :-


Businesses do still not possess the knowledge to have the confidence to purchase this form of policy due to a lack of education by the insurance industry and associated professions. Some businesses are under the impression that they already have adequate cyber coverage within their professional  indemnity or property insurance policies.This is also not helped by the lack of consistence terminology and of coverage within the policy wordings provided by insurers and makes assessment of the purchase difficult , even with the guidance of an insurance broker.

2. Policy Coverage

The cyber insurance policy in the UK is still very much at an embryonic stage , the policy coverage offered is still developing and not yet fully responding to certain areas such as reputational damage , property and bodily injury cyber related incidents. There is however the availability of “gap policies” provided by certain insurers , but no “one stop” solution.

3. Cost Prohibitive

The cost of cyber insurance in many quarters is still considered expensive to a business and if a business does not consider it “fit for purpose ” then they will be reluctant to take out this form of insurance. Insurers are however attempting to reduce premiums to attract policyholders but this tends to be where perceived exposures are much lower.

4. IT Reluctance

The IT team within a business is a stakeholder in the purchase of cyber insurance and it can be seen on many occasions that they are a reluctant purchaser of this form of insurance, as they feel that the business has the required technology and security to combat a cyber attack. This is borne out by the survey carried out last year with IT professionals whereby 47% of the profession thought that there was ‘insufficient need’ to invest in cyber insurance.

5. Data & Privacy Laws

There is no compulsory data notification laws in the UK and therefore businesses do not feel that there is a need to purchase cyber insurance . This is a common misconception as cyber is a modular policy and offers a number of other areas of coverage such as business interruption , cyber extortion and website damage.

6.Maturity of Market

The UK cyber insurance market is behind the US equivalent by a number of years which is due to the fact that compulsory data notification laws has been in existence in many states for some time and also the US has a much more mature claims experience in a highly litigious climate. The UK cyber insurance will therefore always be at a different stage of development that its US counterpart, this could however in the long term could be to their advantage with advanced analysis and technological advancements available to insurers to develop this specialized insurance product.

Increased collaboration between insurers, insurance brokers and the cyber security sector is a way forward and there are definitive signs that this is happening which will improve the current dynamics of cyber insurance , after all cyber insurance is only part of risk management armory that a business should have in place to combat cyber security threats.


Cyber Insurance – 2016

Cyber Insurance

2015 was a pivotable year for cyber insurance , with a number of high profile incidents involving cyber crime and data breaches occurring around the world. This tested policy wordings and provided a perspective of how such claims will be managed by insurers.

The topic of cyber insurance is now firmly on the agenda’s of many businesses and rates high on risk registers , how this exposure is managed is very much down to the individual approach of a business and how their perceive a cyber threat would impact.

The need for cyber insurance will be determined by the risk landscape which operates in a dynamic technological environment.

Some of the factors that may influence the growth of this specialist form of insurance  are likely to be the following :-

  • A cyber security breach is almost inevitable and more emphasis will be placed on CEO’s and CISO’s to become responsible for data breaches and how they are able to mitigate such cyber risks within a business.
  • The threat of cyber attacks to critical infrastructure , whether this be of a political or criminal nature.
  • The “Internet of Things” , as electronic devices become inter connected , this increases the opportunity for cyber crime and data breaches to take place.
  • Cyber security businesses will be in increasing demand as insurers will depend more and more on their expertise in the assessment and management of cyber risks.
  • The increase in ransomware gangs as they utilise more sophisticated malware which businesses may fail to recognise should they not maintain the latest cyber security methodology .
  • Cloud security is perceived as a larger than life threat as many businesses now rely to a certain extent on this form of developing technology for storing data. How safe this technology has not yet really been been subject to hackers focus and presents a real threat to the safeguard of data.
  • Certain businesses sectors remain a high risk, such as health , finance and on-line retailers. This are the sectors where there is the highest take up of cyber insurance and it is conceivable that this will continue.
  • The growing threat of cyber terrorism will remain with terrorist groups targeting government, military and critical infrastructures.

It will be fascinating to see how these factors do influence the rise of cyber insurance , in the course of events insurers will need to develop their products to respond to the evolving cyber risks that will unfold this year.

Read more

Cyber Liability – The Internet of Things

Cyber Liability - The Internet of Things

The “Internet of Things” is the product of the increasing connectivity of corporate computing infrastructures, industrial machinery and electronic consumer devices.

This provides new cyber threats to businesses which will need to be managed through a combination of robust cyber security measures and cyber liability insurance.

The phase, the “Internet of Things” is associated with devices that are capable of communicating via the internet through programmed commands or by “learning “patterns of behaviour and activity so as to recognize common occurrences  in our daily lives and communicating with other devices accordingly

With more devices and people being connected to the internet in the coming years, this will produce a global impact with the estimated market for the “Internet of Things”thought to be $66 billion between now and 2019.

From a business and consumer perspective this has many advantages , whether it be controlling an industrial process remotely to switching on your central heating whilst you are on the way home on a train, it does however come with very real cyber related threats.

The main threat bought by the “Internet of Things” is the vulnerability of the loss of data and the compromising of personal information as devices will have access to such information about a business or individual . This scenario makes it a prime target for a security breach from a targeted hacker attack.

Examples of recent attacks this year :-

  • Hacking attack of a German steel mill where hackers gained control of a smelting furnace and caused it to over heat resulting in damage to the furnace and interruption to the business.
  • Hackers took remote control of cars steering , braking and acceleration
  • Baby monitors being hacked allowing third parties to control the monitors

This year Lloyd’s of London commissioned a report where a hypothetical attack was carried on the  electricity grid of the Eastern US. It was calculated that the loss could equate to $2 trillion which would not all be covered by insurance.

A cyber liability insurance policy will provide coverage for both third party and first party losses. This encompasses a businesses third party liability and first party exposures resulting from a data security breach , the response and associated investigation costs . It can also respond to business interruption loss  and damage to a businesses computer systems and it’s data. The policy however is unlikely to respond to all first party damage and claims involving bodily injury . It will therefore be necessary for other insurance policies to be reviewed by your insurance broker to ensure that an any gaps in coverage are appropriately addressed.


Small Businesses – Cyber Security

Small Businesses - Cyber Security

It may be obvious but what cyber security exposures does a small business have that could lead to cyber crime or a data breach ?

A typical small business is likely to have the following  cyber security exposures:-

Computer Servers – your servers and servers of other third parties of who you may be dependent upon.

Laptops – of all your employees and any temporary staff.

Mobile Devices – do you know who has a mobile device, do they work from home , do they use wi-fi in the local coffee shop ?

Removable Media – are all USB sticks accounted for and are employees allowed to remove then from the office?

Paper Records – do you still use paper files , these should be replaced by electronic files.

Electronic Files – what data is stored on your electronic files , is it personally identifiable information ?

Company Website – is this protected by the most up to date firewalls?

Databases – what data is stored on your electronic files , is it personally identifiable information ?

Software – how old is your software , does it need to be updated , is it regularly patched ?

Computer Networks – what is your dependency on third parties?

Use of Cloud Services – does your cloud provider purchase professional indemnity insurance ?

Once you are comfortable that your have identified all of your technologies , a risk analysis should be carried out , followed by a review of your internal procedures such as the website privacy policy and conditions. This should be carried out in tandem with all of your external procedures and providers , such as any third party and cloud providers for whom your computer services may be relying on.

Are your Business Continuity Plans and Disaster Recovery Plans up to date ?

Are your staff trained in all the most up to date cyber security company policies ?

Have you considered Cyber Insurance for your business  ? – the purchase of this type of insurance is the balance between owning your cyber related exposures and being confident that you can manage and accept these risks. This is against the risks that you may not be able to manage and the areas that could cause the business a significant loss and impact severely on your balance sheet.