Cyber security

Published: Monday, January 4, 2016

Cyber security is seldom far from the headlines these days. Whether it is celebrities such as Taylor Swift finding that personal (and often intimate) photographs suddenly appear in the public domain, or the news at the weekend that President Obama’s emails have been hacked by Russians, these incidents are not only embarrassing but serve to highlight the ease with which media and communication platforms, even at a government level, are readily accessible to hackers.

Such attacks can have very serious consequences, not just for the individuals involved but also for the businesses that are targeted. Earlier this year a high street retailer signed an undertaking with the Information Commissioner’s Office (ICO), to make a number of substantial changes to its data protection policies, after the exposure of millions of customers’ personal data following a hacking incident. A database, due to be decommissioned, was left unencrypted, which allowed a hacker to potentially gain access to customers’ website passwords and contact details. The company did not store banking details. However, as passwords were contained on the database, the hacker could have gained access to a large volume of accounts that customers held with other organisations.

The retailer agreed to address data protection issues and to carry out a comprehensive action plan to ensure any issues were resolved, including ensuring all servers and websites were subject to regular penetration testing and providing formal data protection training to all employees.

An ICO spokesperson highlighted two important data protection issues – (i) the lack of data protection security and (ii) the unnecessary retention of unused personal data – that were relevant to the breach. Firms need to be aware that stringent data protection measures are required even for data that is no longer required. The purpose for which data is retained should be continually reviewed and information should be securely deleted if no longer required.

The incident also demonstrates the action the ICO is prepared to take for ‘near miss’ scenarios. In this case, despite the fact that there was no evidence to indicate that the data had been misused, the retailer was still required to implement extensive (and no doubt costly) rectification procedures.

Sadly, this isn’t an isolated case. A report published recently by the UK Government found that 81 per cent of large companies and 60 per cent of small businesses have been hit by a breach of their cyber security during the past year.

Ministers estimate that cyber security breaches cost the UK economy billions of pounds each year, with the average cost of attacks on small businesses almost doubling between 2013 and 2014. With so much money at stake, it’s no wonder that politicians are getting serious about the issue.

The Government wants to turn the UK into one of the safest places in the world to carry out online business. Francis Maude, Minister for the Cabinet Office, considers the extensive knowledge of the UK insurance industry to be crucial for the progression of this long-term economic plan. He is keen to make use of the UK insurance market’s reputation for assisting businesses with mitigating risk in other areas to ‘help guide and incentivise significant improvements in cyber security’.

Mark Weil, CEO of Marsh UK & Ireland, considers that banking, utilities and other heavily regulated sectors are already accustomed to security risks of this nature. However, firms outside of these industries are not used to cyber-security risk, and therefore, to enable these businesses to cope with the increasing threat of hacking and attacks of this nature, substantial upgrades are required, including ‘creating a joined-up recovery plan that brings together financial, operational, and reputational responses’.

Responsibility for cyber security needs to go all the way to the top. Surveys have revealed that 52 per cent of chief executives think that their companies already have cyber security protection in place, but in fact only 10 per cent of businesses actually do hold such policies. About half of companies didn’t even know that cyber security insurance existed.

One of the recommendations from the UK Government’s report was that a member of each company’s board of directors should take responsibility for cyber security. And the report went further, suggesting that businesses need to stop thinking of online attacks as an IT issue but instead see them as a commercial risk that will affect all parts of their operations.

Ministers also recognised that, as well as selling policies, insurers have a role to play in spreading the word about the need for protection. Insurers need to ask their clients the right questions about security, the report said.

One step is for insurers to make sure that businesses – both large and small – are signed up to the UK Government’s Cyber Essentials scheme. Businesses that want to win government contracts that involve handling personal information and providing certain IT products and services have needed to be signed up to the programme for tenders issued since last October.

Now the UK Government wants to roll out the scheme even further by getting insurers to ask their clients about their cyber risk management and spread the word about best practice. Insurance brokers are agreeing to include Cyber Essentials accreditation as part of their risk assessment for small businesses in an effort to encourage greater adoption.

Insurance is no substitute for stopping cyber-attacks in the first place. But, to quote Barack Obama, ‘if we’re going to be connected we’ve got to be protected’, and at least having a policy in place will help to limit a firm’s risk exposure if the worst should happen and a cyber attacker breaks through a company’s defences.

Tim Smith, Partner - BLM
