Cyber Risk – What’s the issue?
- Cyber Crime has moved from a fringe risk to a mainstream concern
- The key US insurers involved in the sector have gone to the Biden Administration to set up a strategic task force at a cost of $10m
- Zero-day ransomware attacks are now a regular feature
- The risk has been heightened by systemic reliance on Azure, AWS and Google Docs, and by more significant scrutiny of data loss by regulators
What is the relevance to my insurance?
- A significant number of our clients still don’t buy cyber insurance
- For those that do, Insurer expectations on security, procedures and firewalls have significantly increased
What is it?
Cover for Cyber falls into 4 camps:
- Own system cleanup following a cyber event such as CryptoLocker – you may be covered by your IT support contract
- Business Interruption – what loss of gross profit will your business incur whilst the systems are down?
- Liability for breach of data or loss of Intellectual Property – Cyber Liability
- Cyber crime – loss of funds or stock due to a phishing attack
What are the Regulations?
- GDPR (EU) 2018 – From 25 May 2018, the General Data Protection Regulation (GDPR) introduces a requirement for organisations to report personal data breaches to the relevant supervisory authority, where the breach presents a risk to the affected individuals. Organisations must do this within 72 hours of becoming aware of the breach. Where a breach is likely to result in a high risk to the affected individuals, organisations must also inform those individuals without undue delay.
- Each state of the US has its own rules which carry financial penalties – this is relevant for those operating E-commerce facilities
What is the small print?
- At Castlemead we use the market standard implementation of risk management by the key 5 insurers we arrange Cyber cover with.
- Warranties and conditions have tightened significantly; 5 years ago this wasn’t an issue.
- Payments made to incorrect bank details following fraudulent emails are Castlemead’s No 1 reported claim. This accounts for 60% of cyber losses.
- Insurers expect a check of bank details to be made independently by phone for each new bank account or bank account change requested
- On the tech side Insurers now expect:
  - MFA (Multi Factor Authentication) for key email and business database systems
  - Data encryption in transit and at rest
  - Client work to go through firewalls, and PCs to have endpoint protection – this is very hard to achieve with significant teams working remotely
  - Daily backups that are ‘cold’, i.e. not available to be compromised. Key systems such as Office 365 don’t achieve this, and the Cloud lulls us into a false sense of security
What do I need to do?
- Castlemead have a risk management checklist that you should share with your IT support team. Download here. Use it to set a benchmark score.
- In our opinion, the threat level to our customers is now such that a robust cyber programme of insurance is worth the premium.
- For existing customers, we can discuss these issues at your next review, or you can contact your account manager for more information.
- If you are not currently a Castlemead customer – get in touch – we would be happy to review the pros and cons of such a programme with you.