Covering the attack
The increasing pace and cost of cyber-attacks mean businesses can ill afford to ignore the threat.
In 2015 Ashley Madison, an extramarital dating site built on the principle of confidentiality, was the subject of a vast cyberattack. In the assault, a group of hackers called The Impact Team posted online the identities and communications of thousands of the company’s customers.
In the year following the attack, Ashley Madison lost more than a quarter of its revenue [1] – and faced a $450 million [2] class action lawsuit brought by affected customers. If any doubt remained over the financial impact of the breach, it was surely put to bed when the company itself offered $500,000 as a reward for information leading to the arrest of the hackers.
A study by Accenture shows that the average cost of a cyberattack in 2016 was $9.5 million, up 27% from the previous year, while it takes an average of 23 days to resolve a ransomware attack – or 50 days for a malicious insider’s attack. [3] The total cost of cybercrime globally each year is $450 billion, according to a study by Hiscox Insurers. [4] The same study warned that fewer than half of the businesses in the US, UK, and Germany are prepared to deal with cyberattacks. Part of this increase reflects the rise of new kinds of attacks.
“In the last few years, cyber risk has evolved beyond data privacy to include any kind of hack on a system through which a criminal or malicious party wants to raise money or cause disruption,” says Jayne Thomas-Hall, class underwriter for cyber at Barbican Insurance Group. “Criminals have realised that, just as data has a financial value, so does threatening a company’s ability to function. As well as encrypting data and charging the target company to get the data back, hackers can now use sophisticated software to disrupt company systems while demanding ransom payments.”
Government figures show that cyberattacks in the UK doubled in 2015, and that the UK accounts for one in eight known cyberattacks across Europe. [1] When risks are so high, the key is not so much whether to buy insurance against cyber threats in the first place, as choosing which package best suits your business.
“For the vast majority of small businesses, this means protecting against data privacy and ransomware attacks,” says Thomas-Hall. “Buying cover that gives you a claims response tailored to your needs is also very important. If you are a 24-hour business, you’ll need access to a 24/7 response.”
Thomas-Hall recommends finding an insurance package that provides you with an experienced team of “breach coaches” who, in the event of an attack, can walk you through the claims process, help you keep the business running and ensure you don’t fail to meet any of the regulatory requirements. After all, if a hacker makes it into your system, both the financial and the legal implications can be far-reaching.
“If a company that holds personal data comes under attack, it is likely the hackers will use that data to defraud and extort money, and costs to investigate a data breach can be very expensive before even factoring in the potential third party liabilities,” says Thomas-Hall.
Ransomware attacks, however, are potentially even more difficult to navigate, since attackers tend to demand immediate payment, and threaten severe penalties for non-compliance.
“The victim must decide whether to pay, how to get its business back up and running and whether payment of a ransom could expose the company to subsequent attacks. These are complex considerations that demand advice, but good advice comes at a cost,” says Thomas-Hall. “Having money available to pay for third party liabilities from a data breach or to restart operations if the system is shut down could save a business from going under.”
There is still another motivation for businesses to arm themselves in advance, in the form of the General Data Protection Regulation. The act, which comes into force next year, gives clients the right to ask for their personal data to be erased, and increases the expectations placed on the businesses themselves.
“Under GDPR, businesses must have an understanding of what personal data they hold and where, whether they have collected and processed the data properly, who they are sharing it with, who is processing the data on their behalf, and who they are processing it for,” Thomas-Hall says. “In the event of a cyberattack, they must recognise that they have been attacked, establish the extent of the data breach and report it within 72 hours.
“A company’s bottom line could be hit very hard if it has not prepared in advance or does not understand its system well enough to identify where it has been compromised. The financial implications could even have the ability to sink a small business.”
[4] The Hiscox Cyber Readiness Report 2017, accessed 16 November 2017