Cyber Insurance, Risk and Protection

The need for some type of cyber insurance often only becomes apparent, sadly, after someone has experienced the devastating effects of cyber crime.

 

Cyber Insurance

Cyber Insurance needs to work at two levels. The insurance provider needs to work with the individual / business to help them understand what the risks are and how best to minimize them, and secondly, to be actively involved at the outset of any data breach or cyber crime in helping them to resolve it and restore systems.

Cyber Security

Cyber Security is clearly better understood than it was a few years ago , but for whatever reason, there is still often a huge gap between people getting what cyber security means, and the belief that they could themselves be at risk, and what that would mean in reality for them.

Cyber Crime

Cyber crime in reality often refers to information has been stolen from an individual / organization which is then used in some type of fraud or blackmail against the owner of the information, or the owner of the business involved. Cyber crime can refer to information that is digital or paper, and can refer to organisations that are multi-national through to one person websites.

The increasing growth of the internet of things means that devices of all types from smartphones through to baby monitors are vulnerable to some type of cyber attack. This risk will grow massively over the next couple of years.

The need for effective cyber insurance will also grow, and a good insurer will not only provide cover, but should work with the individual / business to have in place a preventative IT strategy that fully understands the nature of the risks posed, and does all they can to minimise them.

INCIDENT MANAGEMENT TEAM

What is also important is that a cyber insurance policy includes access to what is referred to as an incident management team. This means that in the event of any data breach, the insurance company, or Lloyd’s syndicate, will provide significant input to help deal with the reality of managing the breach and restoring systems.

This means providing a support team who will oversee the following areas :

– Investigate the data breach, find out how it happened and restore the IT systems to full integrity as soon as possible.

– Notify clients / customers of data breach and its implications, and notify any relevant regulatory bodies within specified time line.

– A Legal Team

– Able to offer clients / customers access to a credit monitoring system to help in the event of identity theft

– A Specialist who can negotiate in the event of some type of kidnapping demand for return of information or ransomware

– A PR company or similar who can help deal with any potential reputational damage.

CYBER INSURANCE  RISKS

Cyber insurance risks need to be identified clearly and specifically, a process normally referred to as cyber security. Once the risks have been identified, then a clear plan can be put into place to minimise such risks, and a cyber insurance policy can be tailored around such a preventative strategy.

CYBER INSURANCE and  DATA BREACH

Any organisation, business or non-profit of any size, or any individual running a business is potentially at risk of what is normally referred to as a data breach. This essentially refers to any loss of personal data about individuals, and can refer to names, addresses, dates of birth, credit card information, bank details, Social Security numbers etc.

Such a breach can either be digital or paper or a combination of both. A data breach can happen in a variety of ways. Perhaps the most commonly thought of way of a data breach happening is through unauthorised access by way of someone hacking into a network and accessing information that they are not authorised to have.

This type of hacking can lead to stealing of information, installation of ransomware and theft of monetary or informational items of value. There are numerous other ways a data breach can happen, some of which are more routinely refer to in cyber security briefings.

CYBER INSURANCE – CYBER SECURITY

Email

Email still remains a high risk for cyber security in a number of different ways. Clicking on attachment’s can lead to a variety of malware programs that can steal personal information.

These are commonly referred to as computer viruses, worms, trojan horses, spyware and addware. Other common email threats such as phishing, spam, pharming, spoofing etc can be potentially damaging and easily lead to a data breach.

Passwords

The issue of passwords still very difficult in most organisations. Systems need to be in place to make sure that staff have secure passwords, and that they are changed on a regular basis.

Social Media Networks

Social media networks present a real cyber threat to many businesses in a variety of ways. Not only are businesses and organisations themselves creating high profile social media presences, but many staff will have their own social media profiles on many different platforms such as Facebook, Twitter, LinkedIn, Google + etc.

The result of this is that there is a huge amount of personal information available through the social networks that pretty much anyone can access and use to build up a profile of staff members of people within the organisation. This can lead to a very high cyber security risk in many different ways.

IDENTITY THEFT

The potential risk of identity theft as a result of a data breach can have serious indications, both for the organisation concerned and any individual whose identity may have been stolen or compromised.

This type of data breach can be either related to stored information on customers or clients, or social media profiles as outlined above.

Home/Mobile Working

A significant amount of work is now done outside the office environment, as well as within one, with the growth of the mobile internet and people working at home.

This means that a significant amount of information relating to the company’s business  and their line of work is carried out in environments that are at risk because they are not secure enough. This has potential for a huge number of data breaches.

INTERNET of THINGS

The Internet of things is a phrase referring to the rapid growth of how access to the Internet is being installed in pretty much everything that people own, buy, wear, use or have access to in everyday life. Practical examples include televisions, refrigerators, cars, clothing, speakers, pacemakers etc

Amazon’s Echo is a good indicator of how far wireless internet usage is likely to develop, both in the home, in the car and pretty much everywhere where people have wireless internet access.

The security implications of the Internet of Things are huge, both for people in their everyday lives, and for people who mix any type of professional work with home life.  This area of risk is likely to grow hugely over the next few years.

CYBER INSURANCE – INCIDENT MANAGEMENT

The number of insurance companies and Lloyd’s syndicates offering Cyber Insurance is relatively small at the moment. Those that do underwrite this type of risk have formed a fairly comprehensive support package around their insurance policy.

This not only offers financial indemnity/compensation but also a wide range of supporting services to help manage and deal with the immediacy of any significant data breach.

The management of a data breach is crucial, and it is important that any insurer offers a complete incident management team to offer help and support, either in-house or external. Such an incident management team needs to offer help in the following areas.

There needs to be an immediate technical investigation of how and why the data breach occurred, exactly what damage has been done, and what needs to be done from a technical point of view to restore the IT systems to a level of acceptable security.

There needs to be a legal team available who can give advice at every level, in terms of potential liabilities connected to any breach. An incident management team needs to be able to contact any customer or client whose information has potentially been breached and advise them accordingly, and notify any relevant regulatory body of such a data breach.

This normally has to be done within specific time limits. Some insurers offer a free credit monitoring system for customers or clients whose information has been breached, or where there is a potential risk of identity theft, as a result of a data breach.

There is also the issue of reputational damage, and for some organisations and businesses, a data breach can represent significant damage to their brand or name. Some insurers will offer access to a PR company who will offer advice and guidance on how to handle this issue.

In addition to an incident management team, the cyber insurance policy needs to offer financial indemnity or protection in a number of areas, such as loss of income, cyber extortion, hacker damage and any actual criminal activity itself.

Cyber extortion can be a very real financial threat to a business or organisation, where essentially information or data is either ‘kidnapped’ and a ransom demanded for its return, or where a system is effectively locked down due to some type of malware, and a ransom demanded to release it.

A data breach can result in a company or organisations IT system being in-operative for a significant period of time before it can be put right again, which can obviously have significant implications in terms of business interruption, and loss of income or revenue.

CYBER INSURANCE – CYBER GOVERNANCE

Cyber Governance is the name often given to what is considered best practice for establishing and maintaining a structure and set of policies for preventing a data breach.

Any organisation or individual wanting to take out cyber insurance will need to give a detailed account of what cyber governance plan they have in place.  Such a cyber governance plan should have at least some of the following elements in it.

There needs to be a named person whose specific responsibility is overall cyber security of the organisation or company. Ideally this person needs to be at board level, or senior enough to have influence with the management or ownership of the company or organisation.

Such an individual should be responsible for producing and overseeing cyber security policies and procedures throughout the company or organisation, making sure they are updated on a regular basis, that all staff are made fully aware of what such policies and procedures are, and that new staff are inducted accordingly.

The named individual should also be responsible for the overall training of staff within the organisation of staff relating to cyber security and risk issues. Background checks should be done on any employee or subcontractor who has access to the organisations IT systems or has access to any type of sensitive information, whether digital or paper.

It is important in any IT system to limit access to any area to those people who actually need it. This is especially important in terms of cyber security, where access to secure information or sensitive data is restricted to specified individuals who need to have access to it.

Have systems in place to encourage staff to change their passwords on a regular basis. Also to make sure that staff have secure passwords and are educated about the risks of insecure passwords.

This in practice can be difficult as people often can’t be bothered, or use passwords that they can easily remember. It is however really important, and systems should be put in place to make sure that this happens.

Systems should be in place to make sure that anti-virus, anti-spyware and anti-malware software are in place, and are automatically updated and any patches automatically installed. Firewalls should be used and updated at every appropriate level of system infrastructure.

Some type of intrusion protection or intrusion prevention system should be installed throughout the IT system and constantly monitored. In addition to a cyber governance plan, it is also important to have a specific disaster recovery plan, tested on a regular basis and communicated to all appropriate staff accordingly.

Be aware of what information is regularly worked on outside the IT system environment, by staff working on such information on smart phones, tablets, laptops, USB drives etc. As part of the cyber governance plan such activities should be monitored, and restricted wherever possible unless absolutely needed.

Systems should be in place to restrict specific employees access to any  part of the IT system wherever needed, and such restrictions should be able to be enacted with immediate effect. This may apply if a member of staff leaves, or is found to be engaged in activity which could be detrimental to the company or organisation.

An important but sometimes overlooked part of a cyber governance plan is to monitor and restrict any employee taking or removing physical documents or paperwork away from a secure environment without prior authorisation or relevant authority. This should also include them sharing  sensitive information with people who do not have a right to access such information.

BIG DATA AND ARTIFICIAL INTELLIGENCE

The issue of big data presents new and specific problems in relation to cyber security and cyber insurance. The nature of the amount of data that is currently collected by governments and organisations, means that there is going to be a market and increased development in the use of artificial intelligence to use such data to detect trends and future behaviours within a variety of contexts.

The issue concerning cyber security is that such storage and manipulation of data is likely to happen across a wide spectrum of servers and IT systems, which by their very nature will expand the opportunities for potential data breaches as outlined above.