Digital technologies are an essential part of business today. All businesses rely on information technology (IT) infrastructure to some degree in order to increase their efficiency and improve their productivity.
This is precisely why cyber and data security breaches can be so damaging.
A 2016 UK Government survey* estimated that 65% of large firms detected a cyber security breach over a 12-month period, with 25% of these firms experiencing a breach at least once a month.
The average cost of a cyber & data security breach to large businesses was reported to be £36,500, and the most costly breach identified was £3 million.
The most common attacks (70%) involved viruses, spyware or malware. Then, of course, there are the ramifications that exposure to these risks can cause, such as business interruption, income loss, damage management, repair, and the possibility of reputational damage.
We therefore encourage our customers to consider putting in place specialist insurance to protect their business should the worst happen.
Existing insurance policies may provide some elements of cover against cyber & data risks. However, cyber & data insurance is ideal where customers hold sensitive customer details such as names and addresses or banking information, rely heavily on IT systems and websites to conduct their business, and process payment card information as a matter of course.
The managing partner at a private medical practice switched on his PC on a Monday morning to be greeted with a message stating that all patient records held on their network had been encrypted and demanding a payment of £30,000 in bitcoin in exchange for the encryption key.
He contacted an IT forensic specialist who confirmed the level of encryption, and confirmed that the only alternative to an encryption key would be wiping the ransomware from the network, risking the loss of all other critical data as part of the process.
The last data backup had been performed a week earlier, meaning a significant amount of recent data was at risk, so they had no option but to pay the bitcoin ransom to protect their confidential data.
They also engaged the forensic specialist to remove the remaining malware from their network at a cost of £10,000.
An international real estate client experienced a denial of service attack on their IT systems which was not only operationally damaging for the company, but also had the potential to severely impact upon its brand and market standing.
The insurance policy not only covered the loss of income but also provided cover for PR expert support to mitigate any reputational damage.
An employee from a chain of opticians received an email to say that she had been caught speeding and clicked the button which offered to show a photograph of her being caught in the act. Shortly afterwards they received an email from someone in Russia to say that they had infected their systems with the Cryptolocker virus and that all files on its servers were encrypted.
The encrypted files included patient records and software used to run the business. The Russians were asking for £400 in Bitcoins for the decryption key. The insurers approved payment of the ransom. Unfortunately, this only recovered 90% of the files, and they needed an IT contractor to help them recover the remainder.
Their insurance policy covered this business interruption as well as the costs of being unable to trade for a couple of days and not being fully up-to-speed for a couple of weeks. Total cost was £60,000.
An unencrypted memory stick was lost. It had been provided to a potential buyer as part of the due diligence process during a corporate acquisition transaction when it was stolen along with the owner’s handbag from a public place. It contained personal and sensitive data of over 500 employees including home addresses and bank details. A fine was levied by the Information Commissioner’s Office (ICO) and significant costs were incurred. In this scenario, the insurance policy allowed the firm to engage expert data risks or protection lawyers, liaise with the ICO and inform affected employees.
Hackers gained access to a wholesaler's email system and sent emails to all of its customers, purportedly from either the Chairman or the Finance Director, saying that the company had changed its bank details. Considerable time was spent contacting over 200 customers to tell them to ignore the email as it was not true. Several had already changed their records.
An engineering client had a virus planted into their system and were unable to use their IT for 5 days whilst their IT support resolved the problem. The cost to rectify was £22,000. All accounting, invoicing and stock control were affected, no payments could be made or received, and the incident coincided with monthly payroll time, which delayed paying the employees.
A client suffered an IT breach where 400,000 fake credit card statements were sent to their customers and other companies throughout the UK. The IT costs to rectify the damage, plus the estimated loss of revenue, came to £24,000.