Why cyber risk should be a priority for every boardroom

A common mistake many organisations make is to leave responsibility for managing cyber risk to the IT department. In reality, improving cyber security and cyber resilience is an enterprise-wide challenge, which requires buy-in from every employee.

Organisations’ potential exposure to cyber risk has increased significantly over the last 18 months. The COVID-19 pandemic has seen many organisations accelerate the digitalisation of their processes so that they can connect with their employees, consumers, suppliers and other stakeholders digitally. Not only does this mean they are becoming more reliant on digital connectivity, they are also processing ever larger quantities of data, much of which could be attractive to cyber criminals.

Arunava Banerjee, Senior Cyber Risk Consultant, Zurich, says: “Cyber risk is not just about malicious intent. It can also include technical failures or inadvertent data breaches by employees. A cyber risk mitigation strategy needs to consider all the cyber threats your organisation could face.”

Board members should understand their own exposure to cyber risk

Authorities and regulators are now making it increasingly clear that they expect cyber risk to be a board-level priority for organisations large and small. Directors and officers should also be aware of their individual exposure to cyber risk. This could include claims relating to breaches of fiduciary duty to shareholders, if it is alleged that individual board members should have done more to prevent a cyber attack or data breach, or should have taken swifter action to mitigate the resulting damage.

Compounding this risk, some forms of cyber attack involve social engineering techniques that specifically target or imitate senior managers and leaders. Such techniques include whaling, a highly targeted form of phishing, whereby a message purporting to be from a senior figure within an organisation aims to trick the recipient into performing an action, such as transferring money.

While there have not been significant numbers of cyber-related D&O claims to date in the UK, organisations’ increasing exposure to cyber risk is expected to give rise to greater numbers of claims in the years ahead.

5 ways to build and improve cyber resilience

  • Treat cyber risk like other financial and operational risks. Ensure it is high on the boardroom agenda, and that it is budgeted for and appropriately resourced
  • Carry out regular, systematic assessments of cyber risk across all critical processes, in order to understand your exposures and the potential impacts of different cyber incidents
  • Be clear on roles and responsibilities, and establish clear channels for managing and escalating cyber incidents
  • Ensure senior managers and board members are appropriately trained in cyber security and cyber risk
  • Don’t treat cyber insurance as a silver bullet. Insurance can be invaluable in helping organisations recover quickly after a cyber incident, but it will not stop incidents happening in the first place, nor will it address the root causes of such incidents. Organisations should focus on improving their cyber maturity, rather than relying solely on cyber insurance

The role of senior leaders in managing cyber risk

Senior leaders and managers play a crucial role in ensuring cyber risk is understood and managed throughout an organisation. It cannot simply be a case of allocating a budget for cyber security and then leaving it to one department or one individual to take ownership of the problem.

Arunava says: “Senior leaders must ensure responsibility for cyber risk is not siloed within IT. It should be treated as an enterprise-wide challenge.

“Organisations will often say ‘cyber is on my corporate risk register’ but how are they actually mitigating it? Cyber risk needs to be an active part of your enterprise risk management programme and understood, managed and evaluated at every stage – change management, new projects and so on.”

Above all, Arun concludes: “Organisations must have the mindset that a cyber incident could happen tomorrow and they need to be ready for it. It’s time to stop reacting and start anticipating.”

This article is adapted from an original post by Zurich which can be found here.

Cyber resilience before cyber insurance

Resilience is the measure of how readily an organisation can carry on in the face of disruption or a changing environment. And nothing tested the operational resilience of organisations more than the recent Covid-19 pandemic.

The proportion of businesses buying cyber insurance reportedly doubled in 2020. Unfortunately, the very same factors that led to this rush to buy have also changed the dynamics of the cyber insurance market. More cyber criminals are being drawn into the space by increasingly lucrative earnings, and this has led to a rise in the frequency of claims. At the same time, these claims are also more expensive to handle as the combined impact of privacy breaches and business interruption is felt. All of this has led to a so-called “hardening” of the market, which is being felt in a number of ways.

Firstly, premiums are rapidly increasing in order to fund these more frequent and severe claims. Secondly, insurers are less willing to provide large limits in an effort to protect themselves from the highest losses. Finally, more restrictive cover is being offered; most notably through the occasional imposition of sub-limits and co-insurance (whereby the Insured will have to retain a portion of their own risk).

There are of course plenty of things that an Insured can do in order to mitigate the impact of this shifting market, most importantly taking the time to fully explain their exposures and controls to underwriters. Some key controls that insurers are looking out for include:

  • Multi-factor authentication for remote and privileged access
  • Segmentation of their systems to protect crown jewels and prevent lateral movement
  • Endpoint protection solutions
  • Monitoring and response capabilities (either inhouse or outsourced)
  • Offline (or isolated within a cloud) backups
  • Rapid patching, especially for high and critical vulnerabilities

Zurich Resilience Solutions explore this in more depth in their report which can be found here.

Cyber vulnerability: Log4j update and actions

Recently, a severe vulnerability has been identified in Log4j, a piece of software widely used by applications and other services across the internet.

You may have heard about this in the news or read about it online.

What does it mean for you and your business?

The vulnerability means businesses can be exposed to cyber attacks so it’s important that your IT team or outsource service provider take action to identify if your systems are at risk. The National Cyber Security Centre (NCSC) has issued some advice and guidance on fixing the issue here.

It may not be immediately clear if the software, servers or systems that are used rely on the Log4j component, so it is vital to follow the guidance from the NCSC above.

In addition, if you have a cyber policy, it is critical that you install the relevant updates and ‘patch’ your systems accordingly to ensure you continue to receive all the benefits of your policy.

Four simple steps to enhance your cyber protection

The threat of a cyber attack remains one of the biggest potential risks for UK business owners.

Taking these small steps will help ensure that your business is protected.

This has been reproduced with the permission of Beazley Group PLC.

Lack of Cyber Cover Leaves SME’s Exposed to Attacks

86% of SMEs do not have any cyber insurance in place according to a recent survey by Aviva. This lack of insurance protection comes at a time of rapid digitisation, with statistics showing that 41% of SMEs updated their website in response to the pandemic while 39% moved online or improved their online offering.

96% of those businesses that made changes confirmed they would keep their online developments, yet only 11% had updated their cyber cover.

In the report, Aviva states that the pandemic has accelerated digital adoption across all businesses, meaning cyber insurance has quickly moved from a perceived luxury to an absolute must-have.

Cyber cover doesn’t just protect businesses against an attack, but it also ensures they have fast access to expert specialists, so they can return to normal as quickly as possible in the event of a cyber incident.

Six top tips for business owners

  • If you are unclear about your digital risk, contact your insurance broker to understand the risks to your business and what protection you may need.
  • Always use individual user IDs and passwords to access computer equipment, and change manufacturers’ default passwords.
  • Back up all data every seven days or less and store back-ups securely and away from the data or programs they relate to.
  • All personal data must be stored and disposed of in a secure manner. The definition of ‘personal data’ includes information you hold on suppliers, business emails and employee data.
  • Install any updates for firmware, operating systems, software or programmes within 14 days of release where the updates address a vulnerability described by the provider as critical, important or high.
  • Ensure that any equipment connected to the internet or other network is protected by a suitable firewall and ensure it is updated automatically, or at intervals of a month or less.

Contact us today to understand the cyber risks your business faces and what protection you may need.

For more information on keeping your business safe online, visit the NCSC Cyber Aware pages.

Cyber: What is Phishing?

Cyber-security for your business

According to the Government’s Cyber Security Breaches Survey 2020, phishing is currently the most common form of cyber-attack in the UK. The proportion of British businesses experiencing a phishing attack has risen from 72% to 86% since 2017. This means almost 9 out of 10 organisations have been targeted.

Phishing is a method that cyber-criminals use to gather personal information. In these scams, phishers send an email or direct users to fraudulent websites, asking victims to provide sensitive information. These emails and websites are designed to look legitimate and trick individuals into providing credit card numbers, account numbers, passwords, usernames or other sensitive information.

Phishing is becoming more sophisticated by the day, and it’s more important than ever to understand the different types of attacks, how to identify them and preventive measures you can implement to keep yourself safe.

Get Informed, Stay Protected

It’s no longer enough to simply install antivirus and anti-malware software. It is important that you stay informed on the most recent cyber-attacks and up-to-date protection strategies. The National Cyber Security Centre is a good place to start.

If you want to improve your cyber security further, then you can also seek certification under the Cyber Essentials scheme, which has the benefit of demonstrating to your clients (or prospective clients) that you take the protection of their data seriously.

In addition to providing risk management tips for both employers and individuals, we can help keep you informed on the biggest happenings in cyber-security and provide robust insurance solutions. Contact us today to learn more ways to stay cyber-safe.

Cyber Insurance

Cyber-attack trends continue to evolve in these uncertain times, and an attack can lead to lost revenue, a damaged reputation and regulatory fines. Be sure to regularly review and update your policy to avoid the ruinous ramifications of a cyber-attack.

If you don’t have cover and you use computers or the internet at work, hold customer/supplier/employee data, carry out online transactions, or even just use social media, you should be thinking about it.

Contact us today to discuss cyber insurance for your business.