Facing up to the online threat
Cyber risk rarely strays far from the headlines, whether it’s a data hack into TalkTalk’s systems that led to the communications business facing a loss of £60 million, or the embarrassment of the marital dating site Ashley Madison ‘losing’ personal details of thousands of its customers. As businesses and individuals increasingly conduct their lives online, the risks and the potential downsides of falling foul of a cyber hack or an intrusion continue to grow, as does the importance of taking active precautions to minimise the threat.
Cyber risk defined
The Institute of Risk Management defines cyber risk as ‘any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems’. It can reveal itself in all sorts of different forms, from a type of data breach such as a hacker managing to gain access to a business’s or individual’s database and steal confidential data – seen in the TalkTalk case, to a hacker gaining access to a company’s systems and rendering them inoperable until a ransom is paid.
The victims can range from multi-national blue-chip companies, right through to sole trader businesses, private individuals and governments. In fact some of the most spectacular cyber crimes have been inflicted on government departments, for example last year’s theft of 21 million personnel records of US government employees, including fingerprint details, social security numbers, names and addresses. Other examples of data theft include US shopping chain Target having up to 70 million customer records and payment card information stolen. Many individuals have also fallen victim perhaps by clicking on an email attachment and unintentionally allowing a virus to freeze their computer or steal confidential data.
Not always a crime
Cyber risk is not always the result of crime either. Last year, an HIV clinic was fined by the Information Commissioner’s Office (ICO) for accidentally revealing the names of patients in the ‘To’ field of an email bulletin. Losing a laptop or a memory stick containing personal, unencrypted information can also represent significant cyber risks.
A response to the growing incidences of cyber risk has been greater collaboration between the UK government and the insurance industry to help firms better manage their cyber risks. One particular initiative – Cyber Essentials – provides a ‘clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats’. In turn, insurers have recognised that having Cyber Essentials certification in place is a good indicator of a business’s approach to cyber risk and should make it easier for them to get insurance coverage.
Insuring against the risk
Insurance as an option to help mitigate the threat is also now becoming more widespread. As a rule of thumb, if a business holds sensitive customer details including names, addresses and banking information or is reliant on computer systems to conduct its business, has a website, and/or is subject to a payment card industry (PCI) merchant services agreement, then buying some form of cyber insurance is important. Ideally the insurance should provide costs and support if an organisation suffers a data breach, or if systems are damaged by a hacker or normal business activities are interrupted. It’s key that the support element means a business can quickly access the forensic, legal and reputational support that is key following a cyber incident. There should also be protection if a third party – such as a client – decides to sue the business following a data breach for example.
It is clear however that many businesses do not consider insurance when it comes to assessing the risk; a government report last year put the figure at just 2% of large firms taking out cyber insurance down to 0% for smaller businesses. Recognising this, the industry is continuing to work with the government to promote the benefits of cyber insurance including collaboration between Lloyd’s, the Association of British Insurers and the government to develop a guide to cyber insurance.
How safe is my data?
From a consumer perspective, insurers themselves are also becoming more accountable when it comes to holding customers’ data. New European legislation which is currently being introduced means that insurers and other businesses could face fines and penalties for loss of personal data of up to 5% of global turnover.
As the data that businesses hold on our behalf gets safer, there is also a growing importance that we, as individuals, also take basic cyber security precautions. A government and industry campaign – Cyber Streetwise – has been launched to help improve online safety behaviour amongst individuals and small businesses. Cyber Streetwise recommends three basic steps: use strong random passwords; install security software; and update software regularly. These three simple ways can help prevent all but the most determined of cyber criminals.
For more information about cyber security for your business, visit cyberessentials.org
This article is issued by Cazenove Capital which is part of the Schroders Group and a trading name of Schroder & Co. Limited, 12 Moorgate, London, EC2R 6DA. Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority.
Nothing in this document should be deemed to constitute the provision of financial, investment or other professional advice in any way. Past performance is not a guide to future performance. The value of an investment and the income from it may go down as well as up and investors may not get back the amount originally invested.
This document may include forward-looking statements that are based upon our current opinions, expectations and projections. We undertake no obligation to update or revise any forward-looking statements. Actual results could differ materially from those anticipated in the forward-looking statements.
All data contained within this document is sourced from Cazenove Capital unless otherwise stated.