Why You Need to Address Cyber Risk Now!

Today's criminal no longer needs a crowbar when a keyboard suffices and delivers better results. Once your company utilizes a computer network in its operation, collects or stores confidential information, intellectual property, or facilitates electronic payments and transfers, you are exposed to Cyber Risk.

Cyber risks are rapidly evolving, gaining media prominence, and it is just a matter of “when” your business will be impacted. Small and medium sized businesses (SMEs) think that it is just the high profile targets, whether Target or Home Depot, being attacked. We scoff as private photos of celebrities are leaked and say to ourselves that these are prominent figures and this won’t happen to me. However 72% of attacks recorded occur on SMEs with an average cost of $300,000 per attack. Cyber attacks on Barbadian business are happening right now and some recent cases have included:

• E-mails being spoofed and orders forged to obtain payment.
• Accounts hacked and digital signatures stolen to transfer funds from banks.
• Extortion from sensitive and confidential data.
• Malicious code and viruses interrupting operations.

Further SMEs are less likely to have the resources to put effective cyber defenses in place and are also less likely to be able to absorb the financial impact of such crimes. As we become more reliant on technology to drive operations we need to look to business resilience in the face of these new threats.  We look to our security systems and our insurance coverage as our final fail safe. However, as inadequate as your firewall and antivirus will likely prove to be, there are equally as many gaps in your insurance programme. 

 

Traditional insurance cover will not adequately respond

Internet and network exposures are increasingly subject to exclusion from "traditional" insurance policies. The reason being is that general liability and property policies were originally designed to respond to liabilities and natural perils that damage physical assets. Some examples of gaps in traditional policy forms include:

• Propertypolicies typically limit coverage to damage to/loss of use of tangible physical property, several insurers expressly exclude coverage for any damage to data. 

• Most liability policies do not cover economic loss due to cyber risk damages

• The theft of intellectual property is not addressed by most policies3

• Crime policies often contain confusing exclusions and limitations when it comes to employee dishonesty and computer fraud. Money is narrowly defined in a number of regional policies.

• Coverage may not exist for third party losses due to computer viruses or unauthorized access to private and confidential information

• Advertising injury coverage under general liability policies does not completely address intellectual property infringement, content and advertising offences over the internet

• Many companies do not have errors and omissions policies, and where they do, such policies often contain cyber breach exclusions

• Professional liability policies may exclude coverage because the internet related work may go beyond the scope of an insured’s current professional services

• Many insurance policies have geographical limitations; the internet does not

 

Shifting trends in Cyber Insurance Market

With new threats emerging daily the insurance market’s capacity for cyber risk and scope of coverage terms is evolving.

Since starting to write this article JP Morgan was breached in the largest attack thus far which affected data of 76 million households and 7 million small business customers. Insurers are also reacting to the threat from ShellShock a 22 year old exploit bug which may threaten at least half of the systems running on the internet. Many industries running the affected Bash software include Nuclear, Oil, Utilities, Marine Transport and more.

The possible catastrophic risk exposure and aggregation of losses has insurers debating cyber exclusions or other limitations to their exposure. The future outlook for you, as you try to source the coverage, is that property and liability policies will be tailored to cover their original intent, and cyber risks will be more specifically underwritten and covered under specialty Cyber Insurance policies.

 

What action should I take?

The desired outcome is to reduce your cyber risk and reduce the possibility of a breach or interruption to your business in the first place. You need to protect yourself should the worst occur.

• Assess your risk. The resiliency of your systems and management protocols is your first port of call, and a risk assessment of the vulnerabilities needs to be undertaken. This review should also extend to include your crisis plans because after a breach how you respond will have a significant bearing on your company’s reputation with your customers.  Resources for your systems risk assessment include:
• Your systems security experts on the technical aspects, in some cases they would provide network penetration testing.
• Your risk and insurance advisors (brokers) also can undertake a risk assessment of the management systems and protocols.

• Eliminate the gaps. Following your assessment an accurate picture of your vulnerabilities will become clear. On the technical side it is time to plug the gaps employing hardware and software solutions. From the review of management protocols you can implement an enterprise framework addressing key areas including:   Network Management, Electronic Access Control, E-mail usage and Protection, Physical Access Controls, Vendor Management and more. Your framework should leverage all business areas including IT, Operations and Legal.

• Obtain insurance where needed.  With the cyber risks identified, and those managed through controls where possible, you now need to ascertain the financial resources available should the worst occur. With an average cost of $300,000 to small to medium business, and some losses ranging as high as $1.5 to $30 Million in larger entities, your Board and Management need to work with your risk advisor (broker) and review how much financial risk you can retain.

Insurance terms are then negotiated for the limit of risk you cannot bear without exposing your company. Undertake an insurance wording gap analysis of your current insurance programme. The preference will be to extend the existing insurance programme to cover the cyber risks you have identified where this is cost effective.

However, as noted previously many insurers are restricting the amount of cyber cover under the traditional property and liability wordings. In such an instance a tailored cyber insurance policy may be your only course of action. Underwriters need to assess the results of your cyber risk assessment and any remaining gaps may directly impact on premium charged. Your risk advisor (broker) can then negotiate terms with underwriters for a comprehensive cyber privacy and network protection insurance policy which spans a broad spectrum of coverage types.

The cyber insurance policy typically includes: business interruption coverage; privacy and security liability; crisis and ‘event’ management costs; information assets and cyber extortion. Any policy cover negotiated should include coverage on a worldwide basis and provide for remediation services in the event of a cyber breach allowing for your rapid and robust response to any form of cyber intrusion whilst minimizing business impact.

 

Learn More:

Contact us to request our Cyber Risk Self Assessment – 246-426-5062 or info@lynchbrokers.com

Stay up to date on Cyber Risk issues will our Online Toolkit:

http://usa.marsh.com/NewsInsights/Toolkits/CyberRisk.aspx

Do you want to learn more about how cyber risks can threaten your business? Our experts guide you on our webcast:

http://usa.marsh.com/NewsInsights/ThoughtLeadership/Articles/ID/21778/Webcast-Cyber-Risk-and-Security-Replay.aspx