[BreachExchange] Cyber villains pose greater risks to smaller companies

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 6 19:00:57 EDT 2016


http://www.ft.com/intl/cms/s/2/cd8b641a-f820-11e5-96db-fc683b5e52db.html

An attack can seem very innocent at first. It can look exactly like an
email from the chief executive or a message from a supplier or a bank. But
links in malicious messages can set off a devastating sequence of events
that could lead to data loss, unwanted encryption of systems and ransom
demands, or damage to property if connected infrastructure control systems
are hijacked.

For large companies, cyber attacks can be an unwelcome distraction that
takes a while to sort out. For small and medium-sized businesses, the
impact can be far more serious. “Large companies appreciate the risks
quicker but small companies face even more severe risks,” says Stephen
Ridley, head of UK cyber business at insurer Hiscox. “Even a small breach
could be curtains for them. Something mundane could turn out to be
incredibly problematic.”

The problem for smaller companies is attacks are becoming more common.
According to a UK government report published in May, a third of small
businesses has had a cyber breach over the past 12 months. For medium-sized
businesses, that figure rises to just over half.

It is no surprise, then, that the insurance industry sees cyber attacks as
a business opportunity.

The cyber insurance market for large businesses is already well developed
but providing cover for small businesses is currently much less widespread.

Mark Camillo, cyber leader at insurer AIG, estimates that less than 2 per
cent of businesses in Europe have some sort of cyber insurance. “Small
companies don’t think they’re going to be targeted with this sort of
attack,” he says, “so it is a surprise when they are hit.” In the US, cyber
insurance is well established. Laws require companies to report to both
regulators and affected customers when information has been stolen, and
insurance covers them for the costs of making these reports.

Jamie Bouloux, a cyber expert at insurer Ryan Specialty Group, says:
“Notification charges can be huge in the US, and there is also the
potential for class action lawsuits.”

An EU data protection regulation, due to come into force in 2018, will
impose similar requirements on European companies. This is expected to spur
a much wider take up of cyber insurance.

“There are obligations to report data breaches to regulators and
individuals in some circumstances and, where this needs to be done, the
timescales are short,” says John Benjamin, partner at law firm DWF.

He says the EU regulation will result in a much higher standard of privacy
protection than that provided by US legislation, where the rights of the
individual are not as well protected.

Mr Benjamin adds: “Potential fines will be a lot higher than those provided
under current law. They will be similar to antitrust-style penalties, which
are based on global turnover.”

Cyber insurance can cover business interruption, damage that hackers cause
to IT systems, extortion (where a ransom is demanded, with payment often
required in the digital currency bitcoin) and the costs of dealing with any
legal or regulatory investigations. It will not, however, cover the costs
of fines and penalties. The EU rules allow fines of up to 4 per cent of
global annual turnover in the event of a breach.

For the insurers, helping clients to deal with the practical consequences
of a breach, rather than simply sending a cheque to pay a claim, is a big
selling point. “The most important part of the cover is the claim response
and the direct access to service providers. A big part of it is the crisis
management piece,” says Mr Ridley, of Hiscox. Services provided by insurers
can include IT forensics specialists, who can work out exactly what has
happened, legal advice and public relations consultants, who can help the
company to send out the right message to its customers.

Some policies are also preventive. “A lot of cyber policies now include
loss prevention to help a small business stop getting hacked in the first
place,” says Mr Camillo.

“That can include devices which are updated every 10 minutes with
information on the latest hacking groups.”

It can also include training to help businesses better understand the risks.

Prices, according to Mr Camillo, can start at about £50 for £25,000 of
cover and then rise from there. He says that costs for bigger policies,
which can provide £5m or more of cover, vary from 0.5 per cent of the sum
insured to 2 per cent, depending on the exact type of insurance bought.

The price can also vary by industry. “A credit card processor or a health
facility with access to sensitive medical data would pay more than a
company without access to these records, such as a manufacturer,” says Mr
Camillo.

Nevertheless, a lot of small businesses choose to operate without
standalone cyber insurance. That is partly because some elements of cover
are already provided in existing policies. Property, professional indemnity
or kidnap and ransom policies sometimes provide cyber cover, or at least do
not specifically exclude cyber attacks in their policies.

Insurers believe there is plenty of potential to increase the take-up of
cyber insurance policies. “The standalone cyber insurance market for SMEs
hasn’t quite picked up as we might have expected,” says Mr Bouloux of Ryan
Specialty. “Lots of companies aren’t aware that the product exists or
aren’t aware that they could be a target. But awareness is growing.

“There is a lot more publicity around the fact that small companies can be
a target due to a lack of training, a lack of security management, small IT
budgets or the use of older operating systems.”

Cyber insurance: what to look for in a policy

The Association of British Insurers has produced a guide for SMEs thinking
of buying cyber insurance. It highlights six things that SMEs should look
out for in their cover:

• Loss of income caused by a cyber attack.

• Costs associated with privacy breaches. This can include the costs of
notifying customers and any legal costs that arise.

• Cyber extortion demands.

• Protection against loss or damage to data.

• Legal claims relating to the company’s digital media presence.

• Forensic support from IT specialists after a breach.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160606/2f4b9cbb/attachment.html>


More information about the BreachExchange mailing list