The recent data breachat Canadian owned infidelity site Ashley Madison, where customer data was stolen by hackers, highlights the impact a cyber attack can have on businesses. When a company’s whole offering centres around discretion and that is very publicly compromised, the consequences can be hugely detrimental...
The Ashley Madison situation, while perhaps on the extreme end of privacy violation, illustrates how a cyber attack can erode customer confidence. Any business holding customer data, irrespective of whether it is of a sensitive nature or has financial value, has a duty to protect it. Failing to do so will have two results:
- A loss of trust among its customer base and with it the likelihood of a loss of business
- An investigation and a potential fine by the local regulator. Currently in the UK the ICO (InformationCommissioners Office) can levy fines of up to £500,000 per data breach but when the European Commission’s General Data Protection Regulation comes in to force, sometime this year, the financial penalties for breaches will sky rocket to what is anticipated to be 5% of a company’s global turnover or 100m euro (whichever is greater).
Effective risk management will go a long way to protecting a business and the good news is there are a number of programmes out there to help companies understand and defend themselves from cyber threats. GCHQ provide the very useful 10 Steps to Cyber Security and the Government’s Cyber Essentials Scheme was launched in 2014 to promote safer online trading and to serve as a ‘kite mark’ of security.
No business however can be 100% secure and hackers are becoming increasingly sophisticated and cyber offences are providing a considerable source of revenue for Crime inc. When things do go wrong however, there are insurance policies that offer that added layer of protection but not all are created equally.
A good cyber liability policy should include the following:
- Comprehensive 1st and 3rd party cover;
- 1st party cover to include:
- Notification costs – businesses may be obliged to notify all persons whose data has been compromised. Deadlines for such notifications are likely to become tighter when the new European legislation comes into effect
- Credit monitoring costs – for the individuals whose credit card data has been lost
- Forensic costs – to understand what went wrong
- Business interruption costs – specific for non-physical damage
- PR costs – to manage the reputational impact of a data breach
- Service providers – be sure that your policy protects against the loss of your data by one of your service providers
- Non-targeted attack – some polices will only protect against attacks that have directly targeted your company. Be sure that your cover does not include this restriction.
- Extortion – which covers your business against ransomware and extortion from a hacker
- Internal error – not all data breaches are due to malicious behaviour, yet some policies only provide cover for this. Be sure your policy covers you for internal error
- 3rd party cover to include all third party liability in relation to the cyber event (whether an attack or a data breach) with cover for damages, invasion of privacy, libel, slander and defamation.
Cyber crime is on the rise and is currently estimated to be costing the UK in the region of £27 billion a year. All businesses holding customer data or transacting online need to take cyber security seriously and seek additional support to protect themselves. For further information, download QBE’s Protecting your business from cyber crime and data loss report