If there was any doubt that cyber crime had become mainstream, our insurance claims data should put the argument to rest. Of all the business insurance claims we see, businesses are 40% more likely to be a victim of a cyber attack than of a burglary. And, as the frequency of cyber attacks gathers pace, so does the sophistication. Instances of cryptojacking have increased, for example, while the risk of state sponsored attacks – think North Korea, Russia, Iran – could easily leave businesses caught up in the collateral damage. Robert Hannigan – a former director of the UK’s GCHQ, and a Hiscox advisor on cyber security – recently told Hiscox Global Insight that a state attack, ‘has become more likely’, labelling the cyber threat ‘a strange mixture … of high-end sophistication, nation state and criminal.’
Add to the evolving cyber risk the reporting requirements placed on businesses by the recently introduced EU General Data Protection Regulation (GDPR), and the need for fast and decisive decision-making, both in preparing cyber defences and – in the event that computer systems are successfully hacked – in implementing an effective response, has never been as critical as it is today.
Where the cyber attacks are coming from
The most common forms of attack we currently see in terms of insurance claims are related to ransomware (37% of claims), followed by payment diversion fraud (14%), and a hacker specifically targeting an individual business (13%). But we are also seeing an increase in more sophisticated crimes such as cryptojacking (surreptitiously using a business’s computer systems to mine for cryptocurrency) and Border Gateway Protocol (BGP) hijacking (the takeover of groups of computer IP addresses).
Another growing trend is the ‘man in the middle’ attack, where a communication such as an email is intercepted and changed to persuade a business to make what they believe are genuine payments without being aware they are actually paying a fraudulent third party. And, while I’ve mentioned possible state sponsored acts, you can have unsophisticated attacks where someone simply goes on the dark web, buys some malware and launches their own small-scale cyber ransomware attack. These threats help explain the rapid growth of businesses committed to helping manage the cyber threat. It’s revealing that two of the companies in this year’s top ten for the Hiscox Sunday Times Tech Track 100 – Darktrace (9th in the ranking) and CensorNet (3rd) – both operate in the cyber security space.
Dealing with the uncertainty
Whatever the cause, a cyber attack can be a hugely uncertain time, particularly for a small but fast-growing business that might have less well-developed processes and procedures in place to counter the threat, or fewer resources to call upon when the worst happens. In the event of a hack, there is a whole host of activities that need to be undertaken simply to keep a business operational in what will inevitably be a very heated, tense, and stressful time. GDPR adds further pressure by legislating the need for a prompt response – within 72 hours – should personal information have been breached. In that time, businesses must report to the Information Commissioner’s Office the approximate number of individuals’ personal data records impacted, the likely consequences of the data breach and a description of the measures proposed or taken to deal with the incident.
Not only is there a big potential business interruption issue if systems go down, but there is a serious reputational issue if there is a data breach and clients’ data is compromised. Tech companies in particular are selling services based on an expectation of security of the customers’ data and the service they’re providing, which can make the reputational issue even more acute.
I recently saw a customer notification from a big pharmaceutical retailer advising some of its customers that it had been hacked. Impressively, they were able to advise their customers within 24 hours that they had had an event which involved the possible disclosure of customer information. They were able to be clear about what data had been accessed and what action they had taken, while at the same time advising customers to change their passwords as a precaution. This was a great example of a business showing fast decision making at a critical time.
It was clear that they had access to third party help such as IT forensics – a service typically provided through a cyber insurance policy – that meant they could quickly determine what happened, who was affected, what the impact was likely to be, and who they needed to notify.
If your business doesn’t have access to those vendors, or doesn’t have the right policies or procedures in place, then you’re going to find a cyber attack a very stressful event. If you can’t be sure what has happened and quickly understand the potential impact on your business, then your ability to be decisive, so critical in the immediate aftermath of a cyber attack, will be impaired, resulting in possible financial and reputational damage.