It’s no secret that a cyber attack can have catastrophic effects on a business. Just take Ashley Madison. The Canadian dating website was the subject of a huge attack in 2015 that saw hackers gain access to the company’s user data. Given the nature of the website – which used the slogan: ‘Life is short. Have an affair’ – the user data was extremely sensitive and resulted in huge financial implications.
However, as an SME, it is understandable to assume that falling victim to a cyber breach is highly unlikely for your business. But is it?
“In the last few years, cyber risk has evolved beyond data privacy. The term cyber attack has expanded to include any kind of hack on a system through which a criminal or malicious party wants to raise money or cause disruption,” explains Jayne Thomas-Hall, class underwriter for cyber at Barbican Insurance Group.
“Criminals have realised that, just as data has a financial value, so does threatening a company’s ability to function. As well as encrypting data and charging the target company to get the data back, hackers can now use sophisticated software to disrupt company systems while demanding ransom payments.”
Thomas-Hall explains that these attacks can be indiscriminate and, therefore, should be taken seriously by small companies.
An increased threat
“In 2016, 46% of UK companies detected at least one cyber attack – according to government figures – which is double the number of attacks compared with 2015,[1]” says Thomas-Hall, “and these figures only account for known breaches. It also estimates that one in eight known cyber-attacks across Europe are targeted at UK firms.[2]”
“If a company holds personal data, or if its systems are critical to its operation, then some form of cyber cover is needed.”
Choosing suitable coverage can be a challenge, but Thomas-Hall says that the key is to buy cover that is appropriate.
“For the vast majority of small businesses, this means protecting themselves against data privacy and ransomware attacks. Buying cover that gives you a claims response tailored to your needs is also very important. If you are a 24-hour business, you’ll need access to a 24/7 response.
“Choosing insurance that offers you an experienced team of ‘breach coaches’ that can walk you through the claims process, help keep the business running and ensure you don’t fall foul of the regulatory requirements in the event of a cyber attack is also important.”
When a hack occurs
If a hacker infiltrates your system, it can mean serious financial and legal implications for your business.
“If a company that holds personal data comes under attack, it is likely the hackers will use that data to defraud and extort money, and costs to investigate a data breach can be very expensive before even factoring in the potential third party liabilities,” Thomas-Hall explains.
However, the financial implications from a ransomware attack are immediate, as the first step is usually a demand for money.
“The victim must decide whether to pay, how to get its business back up and running and whether payment of a ransom could expose the company to subsequent attacks. These are complex considerations that demand advice, but good advice comes at a cost,” Thomas-Hall continues.
“Having money available to pay for third party liabilities from a data breach or to restart operations if the system is shut down could save a business from going under.”
Regulation on the horizon
In May 2018, the General Data Protection Regulation (GDPR) will come into force in Europe, giving individuals more control through the right to ask for their personal data to be erased. The regulator, the Information Commissioner’s Office (ICO), will be given more power to defend consumer interests and issue higher fines of up to £17m or 4% of global turnover – whichever is higher[3] – making data protection even more relevant.
“Under GDPR, businesses must have an understanding of what personal data they hold and where, whether they have collected and processed the data properly, who they are sharing it with, who is processing the data on their behalf, and who they are processing it for,” Thomas-Hall says. “In the event of a cyber attack, they must recognise that they have been attacked, establish the extent of the data breach and report it within 72 hours.
“A company’s bottom line could be hit very hard if it has not prepared in advance or does not understand its system well enough to identify where it has been compromised. The financial implications could even have the ability to sink a small business.”
[1] Department for Culture, Media & Sport; Cyber security breaches survey 2017; https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/609186/Cyber_Security_Breaches_Survey_2017_main_report_PUBLIC.pdf (2017).
[2] An IDC InfoBrief, sponsored by Splunk; Investigation or exasperation? The state of security operations; https://www.splunk.com/pdfs/info-briefs/the-state-of-security-operations.pdf (2017).
[3] www.iconewsblog.org.uk, 9 Aug 2017.
The opinions expressed by third parties are their own and are not necessarily shared by St. James’s Place Wealth Management.
Your St. James’s Place Partner will be able to advise you on which of our panel providers you would need to be referred to, given your particular circumstances, for further advice in this area.