‘Prevention is better than cure’: How to cover your business for cyberattack

Cyberattacks are no longer an “if” but a “when” for businesses. The only question therefore is whether organisations should seek cover for the revenue and reputational losses associated with it.

"We have seen a steady rise in the frequency of cyberclaims in Ireland and across Europe over the past number of years – barely a week goes by without news of a major cyber incident being reported," says Richard O'Dwyer, managing director of Hiscox Ireland an insurance provider that specialises in business risk.

The 2019 Hiscox Cyber Readiness Report surveyed more than 5,000 businesses of all sizes, across seven countries and a range of sectors, to get an idea of their approach to cybersecurity strategy over the past year.

The data collected revealed that 47 per cent of organisations with less than 50 employees had suffered a cyberattack in the previous 12 months – up 33 per cent from 2018. Even more worryingly, the percentage goes up, to 74 per cent, for organisations with more than 1,000 employees.

In terms of sectors, technology, media and telecommunications companies are most exposed, with 72 per cent of these companies suffering a cyber-incident in the last 12 months. “These are staggering statistics that all companies need to be aware of and in turn, be prepared for,” he says.

Among cyberattacks ransomware, a type of malware that threatens to publish the business’s data or block access to services until a ransom is paid, remains the main driver of the cyber claims Hiscox sees. But “the nature of these attacks is escalating and constantly evolving, which can be more difficult for businesses to navigate,” he says.

“In the past, hackers typically carried out mass ransomware attacks against a vast array of organisations through phishing emails. This has now evolved to much more targeted and intelligent attacks which involve a hacker silently gaining complete access to an organisations’ network and systems over a period of weeks, before encrypting everything – including any backups that may exist. This leaves companies, both large and small, completely vulnerable to potentially large scale loss.”

Depending on the type of attack, the impact will differ and can, for some businesses, prove catastrophic. “In previous years, the ransoms being demanded were quite small – less than €5,000 on average – but we now are seeing ransoms that run into the hundreds of thousands [of] euros, which can be detrimental to the organisation, in particular for SMEs who may have to consider closure if not protected.”

Last year Hiscox developed a Hiscox Cyber Exposure Calculator (hiscoxgroup.com/cyberexposurecalculator) to raise awareness of the potential financial impact of a cyberattack.

It provides risk estimates based on an organisation’s industry, revenue and level of security. While the tool has been developed by cyber and actuarial experts, and calibrated with industry claims data, it should be used for educational purposes only, he points out, but can be a beneficial first step in becoming more aware and further protected.

“Outside of the monetary cost, a key issue is that many small businesses do not have the people or processes in place to properly handle an incident and get their operations back up and running. Without the right resources in place, cyberattacks can paralyse an organisation’s operations for a period of months, during which time many customers may choose to take their business elsewhere,” he says.

There are also the legal costs, breach notification costs and interruption to general business to consider.

“Nowadays most organisations and consumers realise that data breaches and other sorts of cyber incidents are a fact of life. What people, and regulators in particular, really care about is how the incident is handled,” he says.

If the incident is not seen to be handled swiftly and professionally, customers may quickly lose confidence with the company, leading to a lack of trust and damage to reputation. “It would be wise practice for a company to issue a holding statement to all stakeholders following a breach of data security, to reassure that action is being taken to recover data and any losses that may occurs,” he recommends.

Hiscox customers have access to PR consultants and crisis communication specialists included in their policy to manage this exposure.

Other than that, “prevention is better than cure” he says. “Being aware of these threats is half the battle.”

Reusing passwords

Business email accounts being compromised is another significant cause of cyber claims.

“Most of us are guilty of reusing passwords, and hackers know this. This is particularly problematic given our growing reliance on cloud-based solutions. Many of the attacks we see involve hackers reusing password and username combinations that were previously compromised in data breaches at other companies to gain access to individuals’ web email accounts,” he cautions.

The vast majority of these attacks can be stopped by implementing multifactor authentication on all web email accounts and simply being “vigilant”, he says.

Where things do go awry, cyber-insurance policies can provide cover for almost any type of incident, from costs arising from data breaches to the loss of revenue resulting from a ransomware attack.

“Hiscox cyber-insurance policies also come with access to a 24/7 cyber-incident response service – this gives our customers the peace of mind that they have access to a co-ordinated team of technical, legal and crisis communications experts to get their business back up and running,” he says.

It’s worth noting however that professional indemnity policies will only cover cyber losses resulting from third-party lawsuits against an insured. They do not cover things like losses of revenue from a cyberattack, nor do they provide the insured access to an incident response service.

Hiscox provides free value-added services to help its customers improve their cybersecurity before an attack occurs.

“Smaller organisations receive free cyber-awareness training for all of their employees through the UK’s GCHQ-accredited Hiscox CyberClear Academy. Larger organisations can request a complimentary BitSight cyber security report, which provides a data-driven view of their organisation’s cybersecurity posture,” he says.