In this Q&A we discuss all things cyber security with Marc Rocker, Head of Cyber at Towergate.
A few years back, I attended a seminar on cyber insurance, and it really opened my eyes to the potential impact a cyber-attack can have on a business, as well as the significant differences in cover available on the market.
Rather than shy away from it, I took it upon myself to spend time delving into policy wordings, and talking to colleagues and insurers who knew a bit about it - essentially making sure that on a daily basis, I was doing something cyber-related.
That’s how I realised that cyber insurance is going to become an important consideration for businesses in the future, and I wanted to be at the forefront of that when talking to my own clients.
I think there are misconceptions around how vulnerable businesses are to a cyber-attack. There is a belief that smaller businesses are less at risk, but the reality is that all businesses are vulnerable.
Cyber-attacks are not necessarily targeted at you; you may just be collateral damage. The criminals simply do not mind who falls victim; they will use ransomware against you, and they will try to extort money from you.
We need to stop thinking about cyber-attacks as how they’re portrayed in movies. Cyber-criminals are sophisticated, with high-end software, and they spend just as much as a top-end global company on the best technology available.
The truth is that cyber insurance should form part of every business' resilience strategy. In December 2023, the UK Parliamentary Joint Committee on the National Security Strategy (JCNSS) issued a report on ransomware, detailing its impact on businesses and national security, and how difficult it was to recover from such an attack. One thing that is resoundingly clear from this report is that businesses who have bought cyber insurance fare better than those that have not.
If you get hit with a cyber-attack and you have not got the resources to rebound and recover, your business can disappear. You only need to look in the press to see real-life examples of UK companies that have ceased trading because of a cyber-attack.
Most businesses think of data in terms of private individuals who are customers. They tend to ignore the data they hold on employees, or commercially sensitive data – e.g., if they’re negotiating a deal with a new supplier or acquiring a business. This is the sort of data they need to think about.
Even if you don't hold data, you should still think about how much you rely on technology to control your business’s processes or machinery. Some modern combine harvesters, for instance, use a GPS system so that they know what route to take. If a farmer lost access to that, they would have a problem on their hands.
Outsourcing your IT does not make your business a lesser risk. Criminals are aware of these outsourced companies and if they can successfully infiltrate them, they don’t just get access to one business but potentially hundreds.
If you look at the SolarWinds attack in 2020, that's a classic example of hitting an outsourcer and getting access to a lot of businesses.
When you buy cyber insurance, it is definitely a case of you get what you pay for.
At the lower end of the scale, the £100 policies you mentioned would provide just one part of the three most important elements of cover I mentioned – the incident response element.
But if you look at the most comprehensive cyber insurance available, you’ll find protection that’s not just about intervention but also about preventing a cyber-attack in the first place.
When selecting your cover, you need to be looking at what the cover provides rather than the cost. Ultimately, it’s important to remember that this policy can be the difference between your business existing in 12 months and not.
Both!
Robust security measures will help you minimise the risk of an incident. There’s no way we’ll ever be able to guarantee with 100% certainty that an attack won’t happen, but having the support of an insurer with specialist services can be the difference between your business existing in 12 months or ceasing.
When we talk about cyber insurance, you'll hear us use a term called “proactive cyber”, meaning the insurers are going to give you access to tools to help you to manage your risk and mitigate claims if they do occur.
Ideally, you should not consider cyber insurance to be part of your insurance spend but rather part of your IT expenditure. If possible, you should put it under the control of your IT director and manager as, in the event of a cyber incident, they are going to be the ones dealing with it and trying to get your business back up and running. They are the team who will need access to these tools and support, and they will need it fast.
Not all policies do. Some are purely traditional cyber insurance policies which will respond if things go wrong and that’s all.
Good policies will give you the tools and services you need to prevent a loss from occurring, but no one can ever be 100% certain that they’re not going to experience an incident.
The worst-case scenario is that your business ceases to exist. If you watch the news, you will have seen that a very long-established company called Knights of Old suffered an incident last June which they couldn't survive. The BBC report stated the company suffered a cyber incident, and this has cost them their entire business. That incident alone cost 730 people their jobs.
Most brokers can and do provide cyber cover for their clients, but at Towergate I want us to be able to provide the best solutions available.
We've set up a network of cyber specialists across our business, which means in every area of the country we've got somebody that has knowledge of cyber insurance and what's going on, whilst at the same time the client's existing team retain their overall responsibility for looking after the client's other needs.
For example, as a cyber expert, I wouldn’t know about the type of cover required for a farmer so it’s better that we leave those aspects of the policy to the experts in farm insurance. Then, when they need to discuss cyber insurance, they can be directed to engage with the cyber team to discuss this aspect of their policy. Personally, I think this is a win-win for our clients as they get the benefit of having two specialists in their corner rather than just one.
Additionally, we have just launched a new and exclusive cyber insurance product with our partner, rrelentless. This product includes a wealth of tools for our clients to help prevent a loss, which is so important.
If you visit BBC Cyber, you’ll see they have a dedicated area with information around cyber-attacks and criminal gangs which have been shut down. Sky News also offers a similar resource which is extremely useful. You can also set up Google alerts in order to keep abreast of the latest reports.
And finally, I’d suggest following us on social media, where we hope to share even more useful information relating to cyber security.
If you’re really interested in cyber-attacks, I’d recommend a book called ‘Fancy Bear Goes Phishing’ by Scott Shapiro, which discusses some of the most notable cyber-attacks that have taken place since the dawn of the internet.
It’s difficult to say as it changes all the time.
I think ransomware will continue to be a dominant factor that businesses will need to consider very carefully. Ransomware has changed. When it first appeared, it took the form of targeted attacks and the demand for huge sums of money, whereas now it is more of a scattergun effect. They cast the net wide but demand lower ransom fees, so the severity of these attacks is in theory reducing but the frequency is increasing.
This in turn will inevitably lead to increased pressure on the cost of cover from insurers. In the UK, we are seeing new entries into the cyber insurance market so that may potentially offset the increases being levied because of ransomware.
I think risk management will become more important for clients and could be the deciding factor between being offered cover and not being able to obtain cover.
AI is something to keep an eye on. Cybercriminals are very adept at embracing new technology, probably more so than traditional businesses. I've heard of AI being used to dupe a finance director into making a significant payment that they thought they were discussing with their CEO on a video call, only to discover afterwards that it wasn't the CEO on the video call at all, so I think the insurance industry will be looking to harness AI to help counter the threat that is posed by cybercriminals.
Finally, there's always the unknown. If a major global cyber event occurs, what is the cost likely to be and what impact is it likely to have? What will happen in terms of the cover that's available and all the rates and costs of the insurance?
This may blow a lot of people’s minds, but cyber-attacks are not a new thing at all. In fact, the first recorded cyber-attack happened almost 200 years ago in France in 1834, when the attackers sold financial information using the French Telegraph System!
Date: May 17, 2024
Category: Small Business