Cyber Risk to your business
Modern businesses rely heavily on computer software and the internet when dealing with digital data and they are becoming increasingly aware of the cyber risk exposure faced by their organisations.
There has been a spate of extremely high-profile cyber security breaches in recent years. What was first viewed as a spike in activity is slowly being recognised as the new normal. The forecast for 2015 is just as cloudy as 2013 and 2014, with no let-up in attacks to steal valuable information such as client databases, pricing lists or even details of a new tender.
What’s the risk?
Cyber criminals can go after and make use of:
• valuable customer databases
• confidential customer information such as bank details
• employment information such as national insurance numbers
• social media accounts
• intellectual property such as product designs
• digital and cloud stored assets
How cyber threats enter your business
What are the most common cyber security risks? And how do these breaches occur? Hear from Eric Franz, head of commercial product, and Steven Sanders, global account director at Aviva.
Get ahead of the game
With new EU regulations coming in 2016, businesses will need to comply with more onerous rules around notification, consent and the right to be forgotten – breaches could result in significant fines of up to 2% of their turnover. This means it’s crucial that businesses take the appropriate steps to protect themselves against cyber security breaches.
Whether your website has been hacked or your data has been compromised, speed and quality of response are critical. That’s why most cyber cover has at its heart a range of proactive risk management tools to help you manage your cyber exposure, together with remediation services should a breach occur.
Over the last few years there has been increasing focus on cyber risks and associated insurance cover. A UK Government survey carried out in 2014 estimated that 81% of large corporations and 60% of small businesses suffered a cyber-breach in 2014. Whilst over 60% of incidents reported to insurers are the result of accidents, cyber-crime is now the world’s fastest growing category of organised crime and the majority of high value losses stem from actions designed to cause harm.
1. Definition of Cyber Risk
The Institute of Risk Management defines cyber risk as,
“any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.”
Almost every organisation faces exposure to loss resulting from damage or destruction of its computers and computer networks. This can lead to business interruption, income loss, damage management and repair costs and reputational damage.
Non-malicious events such as major physical incidents, for example, fires, explosions, floods and natural disasters, can have a devastating effect on a business. A good example of this is the recent Holborn underground fire, which caused considerable damage to services, affecting network access for hundreds of businesses and, in some cases, causing consequent supply chain disruptions.
Malicious events such as cyber-attacks are designed to cause maximum disruption by exploiting vulnerabilities within a business’s IT framework. Such attacks can result in the theft of commercially sensitive information or intellectual property, data and software destruction or deletion, theft of funds, reputational damage and liability to third parties (such as customers and supply chain partners).
2. Potential Losses from Cyber Attacks
Potential losses deriving from cyber-attacks or non-malicious IT failures fall into the following categories:
Intellectual property (IP) theft
Loss of value of an IP asset, expressed in terms of loss of revenue as a result of reduced market share.
Lost profits or extra expenses incurred due to the unavailability of IT systems or data as a result of cyber-attacks or other non-malicious IT failures.
Data and software loss
The cost to reconstitute data or software that has been deleted or corrupted.
The cost of expert handling for an extortion incident, combined with the amount of the ransom payment.
The direct financial loss suffered by an organisation arising from the use of computers to commit fraud or theft of money, securities, or other property.
Breach of privacy event
The cost to investigate and respond to a breach event, including IT forensics and notifying affected data subjects. Third party liability claims arising from the same incident. Fines from regulators and industry associations.
Network failure liabilities
Third party liabilities arising from certain security events occurring within the organisation’s IT network or passing through it in order to attack a third party.
Impact on Reputation
Loss of revenues arising from an increase in customer attrition or reduced transaction volumes, which can be directly attributed to the publication of a defined security breach event.
Physical asset damage
First party loss due to the destruction of physical property resulting from cyber-attacks.
Death and bodily injury
Third party liability for death and bodily injuries resulting from cyber-attacks.
Incident investigations and response costs
Direct costs incurred to investigate and ‘close’ the incident and minimise post incident losses.
3. Risk Profile
For larger organisations, intellectual property theft is considered to be the risk which would have the most severe impact, and issues of quantification can be challenging because IP assets and the loss suffered by an organisation are difficult to value. However, key risks also include the unauthorised disclosure of personal data, system outage events and consequent reputational damage. In fact it is estimated that reputational damage accounts for 5% – 20% of the cost of a cyber-security breach for large businesses.
Whilst physical losses are a less publicised element of cyber breaches, they are a growing concern and can include damage to plant and machinery and system malfunctions. In Germany in 2014 a spear phishing
4. Risk Mitigation
In June 2014 the UK Government announced the launch of the Cyber Essentials Scheme. It has been designed to fulfil two functions:
The British insurance market is already able to offer businesses cyber insurance products; the market in London being responsible for more than 10% of global cyber insurance business.
However, there is a great deal of confusion as to the level and type of insurance available or in place, how to quantify it and what sort of risks can be insured.
Less than 10% of UK companies have cyber insurance protection even though 52% of CEOs believe that their companies have some form of coverage in place.
If you would like to discuss this further or require a quotation, please contact us on 01744 886077.