BreachExchange mailing list archives

Cyber in focus - the data question


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 17 Nov 2015 16:41:40 -0700

http://www.insuranceage.co.uk/insurance-age/news/2435068/cyber-in-focus-the-data-question

Whether it is customers' personal details, credit card records or trade
secrets, data is key to the operations and success of many businesses
today. But, as this data can also be valuable to others, it's become a
prime target for cyber criminals.

Just how valuable it is can be illustrated by some of the recent cyber
attacks, with the likes of infidelity site Ashley Madison, Carphone
Warehouse and British Airways all experiencing high-profile cyber attacks
this year.

Size doesn't matter

But while these cases may suggest the hackers are targeting large
companies, Simon Calderbank, senior underwriter IT at HCC, said cyber
criminals don't care what size a firm is. "Hacking into a large firm can
take ages so we're seeing more cases where the cyber criminals target their
suppliers instead.

"As their security may not be so robust, it can be a much easier way to get
hold of the same data," he explained.

His observation is supported by data in a report, UK Cyber Security: The
Role of Insurance in Managing and Mitigating the Risk, which was led by the
Cabinet Office and Marsh. It found that while 81% of large organisations
had suffered a cyber security breach, 60% of SMEs had also been hacked.

Sarah Stephens, head of cyber and technology and media E&O at JLT
Specialty, advised that this doesn't necessarily mean the risk is any
lower. "Often the main issue is that SMEs don't have the resources to
prevent or detect non-targeted attacks," she explained.

"Further, they face exactly the same internal threats as larger business,
for instance disgruntled employees or human error," Stephens added.

Accidents do happen

Indeed, according to the UK Cyber Security report, more than 60% of
incidents reported to insurers are the result of an accident. These can
include an employee leaving a laptop on the train or someone emailing data
to the wrong person.

Unfortunately, whether human error or something more malicious, where
there's a data breach, there can be significant penalties.

The Information Commissioner's Office (ICO) can levy a fine of up to
£500,000 for a serious breach but Scott Bailey, senior underwriter of
emerging risks at Markel International, commented that the reputational
damage can be even greater: "The ICO publishes details of fines for the
world to see, and no company wants to be publicly named and shamed."

And these fines are set to get even larger. The EU's Data Protection
Regulation is still under consultation, with Calderbank expecting it to be
in force by 2017 at the earliest, but it includes a proposal to increase
the maximum fine to 5% of global turnover. "It could have a massive
effect," he added. "The risk needs to be recognised."

SME advice

Providing support and advice surrounding this risk is therefore important.
"SMEs need to put appropriate risk management in place but also consider
cyber insurance as this provides valuable cover for damage but also
disaster recovery," said Andrew Gibbons, managing director of Mason Owen
Financial Services.

Typically a cyber liability policy will cover both first and third-party
liability plus access to a range of benefits, such as forensic and
reputation specialists to help a firm recover following an incident.

Risk management is equally important. This can include firewalls and
anti-virus protection but also employee education, to prevent any
accidental breaches.

Encrypting data is also key. "Many data breach laws recognise encrypted
data differently to unencrypted data," commented Bailey. "If encrypted data
is stolen, it's highly unlikely the perpetrator will be able to do much
with it."

The government is also keen for businesses, but especially SMEs, to embrace
its Cyber Essentials certification. This focuses on basic cyber best
practice and insurers are being encouraged to make it part of their risk
assessment process for SMEs.

Cyber future

Cyber insurance is also set to become a much more important purchase, with
the government working with the insurance industry to make the UK a world
centre for cyber security insurance.

Stephen Wares, cyber risk practice leader at Marsh, said that, although
take-up of cyber insurance is only around 2% in the UK, compared with 10%
to 15% in the US, this could change.

"The London Market is one of the most innovative in terms of coverage and
has the potential to become a centre of excellence. We're now working with
the government and other insurance companies to promote the UK as a place
for cyber risk management," he noted.

Looking to the future has also prompted calls for a pool such as Flood Re
to manage catastrophic losses. For instance, in July, Z/Yen Group published
a Long Finance report, Promoting UK Cyber Prosperity: Public-Private
Cyber-Catastrophe Reinsurance, calling on the industry to consider a
catastrophe reinsurance fund.

But Wares believes this is still a way off. "We're very much in the infancy
of cyber insurance but it's definitely a growth area," he commented. "Once
penetration rises in the UK, then it could be something we consider. But
first we must grow the market."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/