In focus: The data question by Sam Barrett
SMEs are increasingly at risk from cyber criminals and brokers are at the forefront of advising and protecting clients from online attacks.
Whether it is customers' personal details, credit card records or trade secrets, data is key to the operations and success of many businesses today. But, as this data can also be valuable to others, it's become a prime target for cyber criminals.
Just how valuable it is can be illustrated by recent incidents, with the likes of infidelity site Ashley Madison, Carphone Warehouse and British Airways all experiencing high-profile cyber attacks this year.
Size doesn't matter
But while these cases may suggest the hackers are targeting large companies, Simon Calderbank, senior underwriter, IT at HCC says the cyber criminals don't care what size a firm is. "Hacking into a large firm can take ages so we're seeing more cases where the cyber criminals target their suppliers instead. As their security may not be so robust, it can be a much easier way to get hold of the same data," he explains.
His observation is supported by data in a report, UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk, which was led by the Cabinet Office and Marsh. It found that while 81% of large organisations had suffered a cyber security breach, 60% of SMEs had also been hacked.
Sarah Stephens, head of cyber and technology and media E&O at JLT Specialty, says this doesn't necessarily mean the risk is any lower. "Often the main issue is that SMEs don't have the resources to prevent or detect non-targeted attacks," she explains. "Further, they face exactly the same internal threats as larger businesses, for instance disgruntled employees or human error."
Accidents do happen
Indeed, according to the UK Cyber Security report, more than 60% of incidents reported to insurers are the result of accidents. These can include an employee leaving a laptop on the train or someone emailing data to the wrong person.
Unfortunately, whether human error or something more malicious, where there's a data breach, there can be significant penalties. The Information Commissioner's Office (ICO) can levy a fine of up to £500,000 for a serious breach but Scott Bailey, senior underwriter of emerging risks at Markel International, says the reputational damage can be even greater: "The ICO publishes details of fines for the world to see, and no company wants to be publicly named and shamed."
And these fines are set to get even larger. The EU's Data Protection Regulation is still under consultation, with Calderbank expecting it to be in force by 2017 at the earliest, but it includes a proposal to increase the maximum fine to 5% of global turnover. "It could have a massive effect," he adds. "The risk needs to be recognised."
Providing support and advice surrounding this risk is therefore important. "SMEs need to put appropriate risk management in place but also consider cyber insurance as this provides valuable cover for damage but also disaster recovery," explains Andrew Gibbons, managing director of Mason Owen Financial Services.
Typically a cyber liability policy will cover both first- and third-party liability, plus access to a range of benefits, such as forensic and reputation specialists to help a firm recover following an incident.
Risk management is equally important. This can include firewalls and anti-virus protection but also employee education, to prevent any accidental breaches. Encrypting data is also key. "Many data breach laws recognise encrypted data differently to unencrypted data," says Bailey. "If encrypted data is stolen, it's highly unlikely the perpetrator will be able to do much with it."
The government is also keen for businesses, but especially SMEs, to embrace its Cyber Essentials certification. This focuses on basic cyber best practice and insurers are being encouraged to make it part of their risk assessment process for SMEs.
Cyber insurance is also set to become a much more important purchase, with the government working with the insurance industry to make the UK a world centre for cyber security insurance.
Stephen Wares, cyber risk practice leader at Marsh, says that, although take-up of cyber insurance is only around 2% in the UK, compared with 10% to 15% in the US, this could change. "The London Market is one of the most innovative in terms of coverage and has the potential to become a centre of excellence. We're now working with the government and other insurance companies to promote the UK as a place for cyber risk management," he explains.
Looking to the future has also prompted calls for a pool such as Flood Re to manage catastrophic losses. For instance, in July, Z/Yen Group published a Long Finance report, Promoting UK Cyber Prosperity: Public-Private Cyber-Catastrophe Reinsurance, calling on the industry to consider a catastrophe reinsurance fund.
But Wares believes this is still a way off. "We're very much in the infancy of cyber insurance but it's definitely a growth area," he says. "Once penetration rises in the UK, then it could be something we consider. But first we must grow the market."