“Highly recommend John Phillips. We’ve recently had to claim on our insurance due to the loss of our websites and the whole process has been SO efficient. Every company should have cyber insurance”
It would be too easy to end the conversation here but we genuinely believe in the value of the product and the profundity of the risk. It is easy to imagine a business premises going up in flames, but the damage a cyber incident can do can be far more destructive, and the consequences can be so much further reaching than you imagine. This is why it is so important to get the right advice to understand how a cyber incident can affect your business.
The sad fact is 60% of SMEs fold within 6 months of a cyber incident. But there are some steps you can take to reduce your risk, mitigate potential losses and ensure your robustness. We can help you to put together a road map to recovery.
The figures are showing us that only 11% of those without cover intend to buy in the next 2 years. The reasons that are cited are:
- 41% lack of priority
It is so difficult to assess priority when you do not have the full range of facts or the correct advice at your disposal. This is why it is so important to speak to our cyber insurance specialists who can help you to understand the exposures and how these can affect your business.
- 40% lack of budget
This is a tricky one to address, particularly in the challenging economic times we face. However, when looking at the cost of risk management versus the potential costs of an incident, the picture becomes clearer. Options for mitigating your risk cost less than you might imagine and could save you more than just your worries! Prices for cyber insurance can start from as little as £150.00, reports for as little as £60.00 and training as little as £30.00. These low costs could prevent your business being stopped in its tracks.
- 36% lack of knowledge
This is where the insurance industry has to take some of the blame! The industry has been playing catch up with available technology like any other, but should be ahead of the game with the ways businesses can suffer losses in relation to this technology. The insurance industry as a whole is starting to wake up to the value of this type of cover. At JMP we have invested in developing our knowledge and network to make sure we can help our customers and offer the best products at a competitive price.
- 34% lack of regulatory requirement
It does not take much imagination to see a future where some forms of cyber cover will become a legal requirement. As a business you can take pride in recognising these trends early and showing your customers and supply chain that you take these threats seriously.
Figures from Security Intelligence
Do I need cyber insurance as a small business?
According to the Hiscox Cyber Readiness Report 2020, nearly half (46%) of smaller firms believe that cyber attacks are mainly an issue for bigger organizations. Attacks against small businesses went up by 243% in 2019 and a small business can expect up to 4,000 malicious login attempts per month.
Could you have already been targeted? Would you even know? The truth is, when it comes to a cyber attack, it is not a matter of if but when. According to Verizon, 68% of breaches can take months to discover. Websites such as weleakinfo.com have over 8 billion records including information such as passwords which can be easily searched for a small fee. It no longer takes a hardened cyber criminal to commit cyber crime and the nature of the event, as well as legal and jurisdictional limitations, makes these sorts of incidents almost impossible to police.
Do I need cyber insurance if my business does not handle personal data?
Hiscox have reported in their Cyber Readiness Report 2020 that cyber insurers have noticed a shift in the behaviour of cyber criminals. In the last year they have moved focus to industries such as energy and manufacturing. This is moving away from data theft. There could be a few reasons for this. There is a reliance on computer systems but very little work on cyber resilience. This includes poor back-ups, limited disaster recovery planning or testing. These businesses also tend to have a low tolerance for outages, making them high impact very quickly. This makes these sorts of businesses a popular target for cyber attacks such as ransomware.
Hiscox also state 41% of manufacturers report that they have already been asked by a customer to demonstrate or guarantee their cyber security processes. 37% have requested a similar demonstration from businesses they work with. 31% of manufacturers report that they could not evidence this if asked today. For businesses which cannot keep up with this expectation it will become increasingly challenging to trade.
One of the most striking examples of this sort of incident comes from Maersk who are one of the biggest players in global shipping. Every 15 minutes one of its ships arrives in port. It was one of the most badly hit companies caught in the crossfire of the NotPetya attacks of 2017. It had almost 50,000 infected endpoints and thousands of applications and servers across 600 sites in 130 countries. It took 10 days to recover whilst its revenue was decimated.
Will a managed service provider cover my losses if they suffer an outage?
If you have collected data from anyone in order to use this in your organisation you would be classed in law as the data controller, and you have the ultimate responsibility for how it is stored and processed, regardless of whether you outsource any of your processes or even your core infrastructure. In a study referenced in the Insurance Times, 16% of businesses believed that their business’s IT supplier looks after their cyber security needs.
Managed service providers are also increasingly under attack by ransomware. Hackers use techniques such as credential stuffing and spray attacks that exploit the fact that so many of us re-use passwords. It is perfectly possible for a cyber criminal to get lucky using this technique but it is also possible to suffer a more targeted attack. Some of the largest attacks have seen data dumps of up to 700 million records. Once a service provider suffers an attack, every organisation which relies on them is also being hit by system downtime and any data breaches. This can potentially lead to reputational harm for these organisations. MSPs can even act as a launching point for ransomware to spread to the organisations they serve. Organisations using MSPs should be aware of these risks and ensure they take their own measures to counteract them.
In order to deal with these issues, the most vital resource is time and your response needs to be quick. But this is made much more difficult as organisations move key parts of their infrastructure to the cloud. Often there is no access to the data monitoring system or the package purchased does not include the tools to conduct thorough investigation of any unusual activity. It is also difficult to track which administration permissions have been granted, or whether bad actors have enhanced permissions to their own ends. This can make it much more difficult to respond effectively as an organisation.
Not every policy will cover you in the event of your provider being hit and it is unlikely the provider will compensate you either. This kind of oversight could leave you hugely exposed, therefore it is key to get the right advice on your insurance cover.
Is cyber risk management expensive?
Despite our absolute belief in the necessity of this product we understand that no industry has been immune to the effect of the COVID-19 pandemic. This has had a negative impact on cyber security budgets. It has been found that 51% of small and medium-sized firms had stopped paying for a number of business insurance covers, including employers’ liability, business property cover, professional indemnity and cyber.
COVID has had a particularly massive effect on the retail and hospitality sectors. During the pandemic, hospitality businesses have been required to keep a temporary record of their visitors for 21 days. There are certain businesses which may already have the booking systems in place to appropriately meet these requirements but there are many who have never needed to store this sort of data before. Businesses such as public houses and coffee shops may have to be putting these systems in place for the very first time. Even under these circumstances it is important to ensure records are kept in a way which is GDPR compliant. This might seem like a daunting prospect but it does not have to be with the right advice.
Retail businesses have also had to adapt their approaches. GlobalData have stated 44.8% of UK consumers have spent more online because of the outbreak and, as a result of changing shopping habits, are forecasting a rise of 14.3% this year (versus a pre-COVID forecast of 6.5%). Bloomreach find that 46% of businesses are seeing growth as online sales spike, with 6% even reporting unprecedented growth. But this kind of growth through a new mode of trading can come at a cost. The more business traded through your website, the higher the stakes in terms of what could be lost in the aftermath of an incident. But it is also a perfect time to review your risks and move the priority onto your cyber risk management strategy.
We understand that these budget related decisions are not easy to make. Now it is more important than ever to invest your insurance budget wisely. We can have a considered conversation with you about your exposures and concerns and how best to address these. If cuts need to be made we can advise you on the possible impact this could make to your business as a whole. The softer impacts of a cyber incident are harder to quantify but can be no less important. Their gravity should not be doubted. In the Hiscox Cyber Readiness Report 2020, significantly more respondents this year mentioned either increased difficulty in attracting new customers (15% of firms that had been targeted, up from 5% before), the actual loss of customers (11% compared with 5% before) or the loss of business partners (12% compared with 4%).
To survive, businesses have to be adaptable and dynamic, and that involves a considered and ongoing assessment of the risks you face. In the current climate we must face these threats head on. Cyber insurers are there and ready to assist but you cannot afford not to have a cyber risk management strategy in place.