Cyber and data losses are the fastest growing area of risk in the UK. Following recent changes in legislation around how we hold and process personal data, businesses of all sizes are now at risk of huge costs in the event of a data breach. With cyber crime constantly on the rise, is this something you can afford to risk as a business owner or manager?
Cyber & Data Insurance
As reported in the 2018 Cyber Security Breaches Survey, 43% of businesses had suffered a cyber security breach or attack within the past 12 months. This increases to 72% for businesses with a turnover over £5 million.
Fraudulent emails, scammers, viruses and malware were the most common causes. The ONS reported that computer misuse crime (malware) was up 63% in 2017 against 2016 with the majority of victims identified as organisations, not individuals.
The average financial impact for businesses reported by the survey was £3,100. Firth & Scott have assisted clients in the East Midlands with claims which have exceeded this sum a hundredfold.
The Risk To Your Business
A cyber or data loss can catastrophically affect a business in a number of ways; business owners and managers must give consideration to the following:
- The financial cost to your business of repairing your website, software, retrieving lost data etc.
- The financial impact of being unable to operate due to loss of your systems or data
- The impact on your customers as a result of a cyber or data loss
- Reputational damage caused by data breaches or security attacks
- Your duties under current legislation following a data breach (see below)
Even the most organised businesses, with firewalls, encryption, patching procedures and SEO management in place and employees well trained in preventing data breaches, are not immune to a cyber or data loss. These procedures are excellent for reducing your level of risk; however, just as sprinklers cannot extinguish every fire, these methods cannot stop every attack.
Data Breach Ramifications
This is arguably the most essential element of cover for the majority of companies. Due to an alarming frequency of hacks, ransomware, theft of credit card details, phishing emails etc., data breaches are taking a prominent position in daily headlines. Company reputations are being irreversibly damaged as a result of not effectively handling data breaches.
All businesses have mandatory breach notification obligations towards regulators, individuals or other companies to whom they provide services.
The new General Data Protection Regulation (GDPR) includes specific breach notification guidelines. When a security incident happens, good practice is to follow these steps:
Step 1: Investigate the Incident – Is the Incident a Personal Data Breach?
Step 2: Investigate the Scope, Nature and Possible Consequences
- What is the source of the personal data breach?
- How many individuals are affected by the personal data breach and is the data breach likely to result in a risk to the rights and freedoms of the individuals affected?
- Does the personal data compromised include sensitive data?
- Was the compromised personal data encrypted or secured in a manner which makes it impossible for a third party to access?
- Which steps are taken to mitigate (further) loss of personal data?
- Which parties are involved in the data breach?
Step 3: Investigate Notification Obligation to Supervisory Authority – needs to be reported within 72 hours
Step 4: Investigate Notification Obligation to Individuals
Step 5: Create and Maintain an Internal Breach Register
Step 6: Evaluate the Personal Data Breach and Update Technology and Policies
Failure to report a breach to the ICO could lead to a fine of up to 10 million Euros and other sanctions that they deem appropriate. There is also the additional factor of a requirement to compensate individual data subjects due to the harm suffered through the data breach. The potential impact of a breach is highly likely to have catastrophic financial consequences.
Data Breach Claims Example
One of our clients has recently suffered a ransomware attack which involved the removal of staff data only. This was a large company who specialise in information technology development. They were certainly very aware of the potential cyber risks and their staff members were appropriately trained. Following the attack they found the assistance that their cyber insurers gave them absolutely invaluable in relation to reinstating the data, establishing how the breach occurred (which is a legal requirement) and in dealing with the resulting data protection breaches and crisis management following the breach.
The final costs in relation to the breach alone amounted to £350,000; however, this breach only related to 250 personal records. No fine was imposed and no third-party claims were made, owing to the swift and proper response our client was able to give with the assistance of their insurers.
How Insurance Can Protect Your Business
Insurance can provide cover in respect of the following areas:
- Breach costs
- Damage to your computer hardware and software
- Consequential loss of profits
- Cyber crime – including theft of funds, identity theft, telephone hacking, and phishing hacking
- Cyber extortion
- Privacy Protection
- Claims for damages from third parties
- PR costs
- Helpline assistance
In the event of a cyber attack you will need assistance from a specialist cyber crime IT forensic expert, and from specialist solicitors to represent you if there is a data breach. Cyber insurers will provide these and pay their costs.
Cyber insurance will also pick up the cost of reinstating your computer and any consequential loss you suffer, as well as any claims for compensation made against you by the persons whose personal data has been breached.
We strongly recommend that you hold Cyber and Data Insurance as you currently are uninsured against these losses which we consider could be catastrophic to your business. Please contact us to discuss this further as there are a wide range of policies available with varying levels of cover and we can tailor your insurance to your needs.