Cyber Risk: Are You Covered?
The last few years have seen many news stories reporting high-profile and extensive cyber-attacks, from interference with the US elections and hackers stealing billions of records of user data, to data ransom on a massive scale, with companies finding themselves on the hook for hundreds, even millions, of pounds in order to get their data back.
The 2020 SolarWinds attack impacted around 18,000 of their customers, which included government agencies. This was an unusual attack: rather than going after SolarWinds’ data, the hackers installed malicious code into SolarWinds’ resource management software, Orion. This software, like most software, updates regularly, and it was during the push of updated code to its customers that the malicious payload was distributed, opening backdoors to customer systems.
In 2020 the GPS technology company Garmin was subjected to the WastedLocker ransomware attack that took down all services, including its main web site. The attack also broke functionality on customers’ devices, leaving devices used by pilots entirely unusable. It’s thought that, after several days of outage, Garmin settled the US$10m ransom in order to recover its services. This week, Miami-based IT firm Kaseya fell victim to a ransomware attack that operates in a similar way.
The threat of data loss due to hacking attempts is real to even the smallest of companies. Our reliance on electronic storage of documents is now so ingrained that even an hour without access to a file server can cost a business in both financial and reputational terms. Even without the costs incurred by loss of personal data, which could result in heavy penalties under GDPR laws, a small business could easily see costs of a few thousand pounds in order to restore data; the costs of restoring one’s reputation could be incalculable.
The risk of cyber attack has increased since March 2020 as companies have moved their teams to work from home, where the IT department has much less control over network security, especially where staff are using their own devices while away from the office. This has led to an increase in uptake of cyber insurance, which bolsters cover that may be very limited on other types of business insurance.
Losses as a result of cyber attack are generally described in two categories: first-party and third-party. First-party losses are those which affect you, the business suffering the attack. First-party insurance would typically cover loss of or damage to digital media, business continuity impact, extortion (such as a ransomware attack), and the costs of employing professionals to analyse and repair systems that have been affected by the incident. Third-party insurance would cover a business for defence, damages, and compensation costs that may be incurred as a result of privacy breaches.
When asked who should take out cyber cover, an insurer would most likely respond with, “Everyone!” One could put the decision to take out cyber insurance to the back of one’s mind, thinking that the risk is too low to be significant. However, with almost every business working online and reliant on complex IT systems, often interacting with systems and software from outside suppliers, the risk is real, and potentially more significant than one may think. It only takes one person to click one link in one email from one sender, and in no time at all a business’s entire IT infrastructure has been compromised.
With an increasing reliance on smartphones, laptops, and the current working from home adaptation, the risk of cyber attack has probably never been more apparent or immediate. While an IT department can build secure networks and policies, hackers are always one step ahead, and with large and often untraceable gains to be made, there is plenty to keep them motivated to find ways to access your IT systems and data.