News and Articles - Specialist Risk Insurance Solutions

Cyber webinar follow up: your questions answered

Written by Georgia Green | February 12, 2021

Is cloud more secure than the tin box file server in the cellar/attic?

There are a number of reasons why adopting the cloud, migrating to it and making full use of the opportunities that cloud technology provides is a good thing. But whether it is more or less secure than an on-premises server depends on a range of things. You do not have to go to one of the big three providers to get cloud services, but you do need to make the right decision about which cloud services you adopt, which software solutions you use and which cloud services those in turn rely on. Then you can take a view on whether the security posture, structure and setup in place fits the risk that you are willing to carry.

Most reputable, large-scale cloud providers invest far more in security than you ever will. Therefore, for most organisations, it is one of the most secure methods. The cloud is a very secure environment; the providers know what they are doing and it is their job to protect your data. But there is a common misconception that outsourcing to the cloud outsources your liability, or perhaps decreases your risk, which is not true. There have been examples in the past year where cyber criminals have targeted large cloud computing systems and, in the process, hit thousands of other businesses. All organisations hosting their data on those platforms may also have been exposed and would therefore have had to notify their clients about the potential breach.

We're a small company with a staff of 7 people. Our core responsibilities do not lie with cyber security and insurance. What would be your advice to us?

  • Ensure there is clarity around process and understanding who is responsible for data breach reporting.
  • Have a data impact assessment undertaken by a specialist practice such as Priviness and if you are marketing, understand how much and what data you hold and for what purpose.
  • Examine your consents and legitimate business interest basis and how data is being safeguarded.
  • Consider the training offered to staff and what contractual obligations you are exposed to.
  • Take advantage of a cyber insurance policy. Premiums are very modest and a fraction of the business's main insurance exposures. A Cyber policy will deliver much of the support, and the panic button, to guide you through the management and recovery of any claims or loss.

Is it possible for a business to use Gmail, Slack, Google Docs and other data-sharing platforms and still be cyber secure?

It is important to be aware of what your obligations are when using them. No platform is inherently more secure than the next; the question is which ones are exposed first. We saw this as soon as everybody moved to remote working and started using Zoom, which was thrown under the bus because it had a few incidents, causing people not to want to use the platform.

We recommend reading the terms and conditions, reading the privacy policies and being aware that you still have an exposure as the data collector in the first instance. Try to find the balance between productivity and security, and plan for what happens if something goes wrong.

I think Lindsey referenced construction companies/exposures earlier. Are there sector-specific cyber risks she was thinking of in relation to this?

Every industry has a cyber exposure, which is backed up by CFC’s claims data, whether they are a target or are caught up in a larger attack and happen to be an unintended victim.

Construction firms and heavy industries tend to be among the most frequently targeted industries due to the volume of inbound and outbound payments being made. Other exposures include reliance on systems to run machinery and dealings with vendors and suppliers.

So can staff use personal computers to access the firm's cloud system?

This is possible; however, once you start bringing in devices that are not provided by the workplace, your business’s risk escalates dramatically.

How do you accurately estimate your Cyber insurance requirements &/or cover?

Speak to your broker: they will be able to share industry-specific examples, provide threat risk analysis reports and give access to specialist services, including KYND.

Certain countries were historically linked to early cyber crime and scams. Is that now lazy thinking and do the panel have a sense of where, geographically, most attacks emanate from now and does it matter?!

There are certain countries that were historically linked to cybercrime and scams; however, we are seeing the threat shift to criminal networks. Cyber criminals are everywhere, and the majority of cases we see involve people demanding money, access to networks and access to information, because they can sell or monetise it.

Is Zoom secure? I understand they did a good update recently.

All third-party software should be considered carefully, but, as per the discussion, consider how the system is controlled, what processes are in place, whether you are using secure password access, what information is discussed on these systems and, where recordings are used, where these are then saved and stored.

Zoom, like many video conferencing services, has invested heavily in improving its data and software security, but any statement about data protection and software security is only accurate as at the date it is written. There is a case that all software systems are playing "patch-up rather than catch-up" with threat actors and malicious software, so always ensure you are using the latest version of any software and install updates regularly and without delay.

Does the panel have a sense of how many cyber claims are never actually made i.e. companies are never actually aware that an attack has happened?

In terms of awareness, there will be a huge number of businesses that have been breached by malicious software and malware without knowing, particularly businesses with a BYOD policy. The greater issue is more likely to be businesses that are compromised but either do not have the protection or do not know that this insurance and support service exists, so the losses are absorbed by the business and managed internally, with varying success.

Is a cyber scam by a current employee (rather than a disgruntled ex-employee) primarily a cyber risk, a PI/D&O risk or a criminal one? I.e. if poor corporate cybersecurity is a contributory factor in the employee's ability to exploit it, are the directors' actions a contributory factor and do they have a liability?

There is a common misunderstanding that the cover provided under a PI policy will cover any financial liability a business would suffer. In addition to providing the indemnity, a Cyber policy provides a business with immediate access to a dedicated response team to manage the crisis. A Cyber policy will also cover the legal costs, forensic costs to determine what has happened to your system, the cost of notifying your affected customers, loss of profits for every day that you are down as a business, system damage and rebuilding your systems if they are lost or corrupted. PI is not going to provide coverage for these elements; it will only respond if a third-party liability claim is made against you by one of your customers.

The way that a business handles an incident initially can largely mitigate and avoid third-party action. Cyber is also a D&O issue because people will look to the board after a cyber event has happened, and the board will be blamed for not making decisions to invest in the security of systems. D&O cover does not typically account for cyber and there are often cyber exclusions on D&O policies; as a result, our insurance partner, CFC, has included excess layer protection in the event that coverage does not exist under the D&O policy.

When looking for insurance coverage, consider affirmative language and first-party costs, and ask about the security team: access to experts is a key reason to buy a Cyber policy, so you should know who the experts are.

Physical attacks (such as piracy) now have a well-worn path to resolution with Crisis Management teams etc. What does a Cyber Crisis Management response look like?

If your business is the victim of a cyber attack and you have a Cyber policy, you can contact the emergency response helpline and within minutes you will be assigned a dedicated response team of cyber experts. These experts will manage the entire crisis, including negotiating with the hacker and rebuilding your systems if they are lost or corrupted. Your business will also be assigned legal experts, forensic teams to determine what has happened, PR experts to manage your business’s response and communications, and regulatory experts to deal with any investigations. Ultimately, all costs associated with responding to the crisis are covered by the policy.

Do Cyber insurers buy Cyber insurance and from whom?

Yes, from specialist financial lines insurers and reinsurers. As with all organisations, the reputational damage risk for any insurance or financial institution could be devastating, so this is a risk that is carefully managed and transferred.

Won't banks indemnify companies for payment fraud type losses?

Banks have a greater duty of care to individuals than to businesses. Whilst a bank may reimburse you if you are compromised as a result of identity theft or system compromise, where a business falls foul of a social engineering scam or business email compromise and is persuaded to send payment to the wrong recipient, the bank is following your instructions and legitimately discharging its duties, so in this instance it will not reimburse. It should also be noted that banks are increasingly undertaking pre-payment checks to ensure that the account owner name and account details match, and asking account holders before payment to check the means by which a payment request was made and whether verbal or secondary verification has been obtained. If a business falls victim to one of these social engineering/invoice hijacking scams, a Cyber policy can cover the loss if Crime cover is included. The best advice is always to verify verbally before sending any payment, altering any payment details or actioning any payment request or change.

Are claims for data going to be the next PPI?

Whilst there is an increasing trend of class action and claim farming activity specifically related to data breaches, and increasing regulatory fines, this is not specifically being driven by GDPR. It is, however, an issue that is not going away, and claims frequency and legal action are likely to increase significantly in the coming years.

Most of our data and system information is paper-based/offline – so aren’t we immune from these sorts of claims?

A Cyber policy, and indeed the relevant legislation, refers to DATA; it is not restricted to electronic data, and therefore the duties and safeguards discussed apply to all data, whether paper-based or not. All GDPR processes and approaches should apply to all data storage. A Cyber policy and the breach response service would also apply in the event of a data breach involving paper or hard-copy records.

Our accountant manages all our payroll, and our data is in their cloud software – are we not protected by them?

Whilst your accountant may well have a duty to safely manage your data, and data that you process for third parties, you must not forget that you remain the data controller and they become a data processor on your behalf; as a result, any action will be directed at you. As discussed in the session, whilst your accountant may well also have Cyber Liability cover as part of their PI insurance, this will indemnify them for any costs and awards following an allegation or action. It will not provide you with the support necessary to mitigate the consequences of a data breach and to prevent lasting reputational harm. If a client is suing you, it is potentially already too late!

Watch the webinar on-demand

If you missed the webinar, you can register to catch up on-demand here.

If you would like more information on our cyber offering, please click here. Alternatively, get in touch with our expert team who will be more than happy to help you:

cyber@specialistrisk.com

020 7977 4800