
July 18, 2017
Shane Hennelly, Joint Managing Director, Thompson Insurances, on the threat of cyber attack and how you can manage cyber risk.
The recent ‘WannaCry’ ransomware cyber attack affected 200,000 organisations worldwide including the UK’s National Health Service (NHS). The most exposed computer systems were those operating older versions of Windows or those without Windows updates as they were not patched by Microsoft and were left open to cyber attacks. If you send or receive emails and store customer data, you have a cyber risk exposure. If your customer data is breached by a cyber attack, you are open to legal actions by your customers and fines by the Data Protection Commissioner’s office.
Cyber insurance is a form of risk transfer worth considering but before exploring this let’s examine what your business should look at first if you are grappling with your cyber risk exposure. As is so often the case, prevention is better than cure:
Short Term
- Cyber security should be on your board agenda.
- You should set up a cross-departmental cyber working group within your business.
- Your business should be familiar with your legal and regulatory obligations around data security.
- Migrate away from Windows XP (unsupported by Microsoft since 2004) and older unsupported versions of Windows.
Medium Term
- Your business should have a formal Information Security Policy to include business partners'/vendors' obligations.
- Ongoing staff training is critical to avoid innocent cyber breaches.
- An Incident Response Plan should be drafted and regularly updated.
Long Term
- Implement ongoing audits.
- Carry out ongoing monitoring and testing.
The 2015 NetDiligence Cyber Claims report showed that 78% of cyber claims relate to crisis services. This is a very important added value element of cyber insurance cover. When a cyber breach occurs, you can phone a 24-hour response line which immediately coordinates IT forensic engineers to figure out what’s happened and specialist legal and PR professionals to manage the fallout of a cyber breach in a controlled manner.
Customers frequently tell me their IT systems are current, robust and regularly tested and, therefore, cyber risk is not a concern for them. This is a big mistake. Studies show 35% of cyber breaches have an internal cause. This can be innocent, e.g., an employee clicking on an attachment within a spam email which opens your computer system to malware, or it can be malicious.
A cyber insurance policy can cover third party financial loss, cyber extortion costs, damage to your own computer systems, business interruption as a result of a cyber incident, previously mentioned crisis services and fines imposed by the Data Protection Commissioner’s office. The EU-wide General Data Protection Regulation (GDPR) becomes enforceable from May 2018 and provides the Data Protection Commissioner’s office with much wider powers to fine organisations as a result of data breaches.
An entry-level cyber insurance policy, with a limit of indemnity of €500,000 for an Irish-domiciled organisation with a turnover less than €10m and a minimum level of information/IT security, costs in or around €1,000. Choosing a limit of indemnity is not an exact science but it boils down to your company size, risk profile and budget.
Thompson Insurances have partnered with HAI to offer members a free, no-obligation risk management survey. Shane can be reached on shane.hennelly@nti.ie to discuss cyber insurance in more detail.
This Business Support article featured in the July/August edition of The Hardware Journal.