Cyber Risk and Insurance

03 Dec 2014

This article appeared in the Hampshire Chamber of Commerce Chamber News December 2014.

You will have heard about recent high profile hacking events but you may not have put two and two together and worked out that everyone with a computer is at some risk of hacking. Clearly, this risk applies to individuals and some of the high profile events have concerned individuals. However, the risks apply equally to business.

Put simply, according to The Institute of Risk Management, cyber risk means any risk of financial loss, disruption or damage to reputation arising from some sort of failure of information technology systems.

You may ask whether this threat is a real one for business or whether it really only applies to high profile celebrities.  Statistics released by the U.K. Government’s Department for Business Innovation and Skills found that in 2013 some 60 per cent of small businesses and 81 per cent of large businesses experienced a cyber attack or security breach of some kind. This suggests the threat is real enough as hackers are targeting small business who as electronic trusted suppliers, provide a “back door way in” to larger firms systems.

Assuming the threat is a real one, then your next question may be to ask what you have to lose in any event. The answer is, a lot!  In a relatively simple case there could be loss of income and staff and management time in dealing with the immediate problems presented by the attack.  In a more substantial case there will be costs of notifying clients or customers and the less easily quantifiable cost of damage to reputation.  There are also potentially the costs of claims for loss of sensitive information.  Litigation could also take the form of claims arising from an inability to meet contractual deadlines due to your network being down. In addition to all this there is the possibility of criminal and regulatory sanctions including large fines if strict data protection rules are breached.

When considering what positive action to take there are clearly practical steps to minimise the risk and also you need to give consideration to obtaining appropriate insurance cover in the event that a problem arises.  Practical steps start with a review to identify key assets and potential weaknesses in security with the aim to develop a plan to reduce these weaknesses.  Compliance with a particular security standard is a good starting point.  Most organisations will also need to kick start a culture change, so that computer users recognise their role in preventing attacks.

On the insurance front most standard business insurance will provide little or no cover for these risks. It is likely that a specific policy will be required.  Such policies are not new but they are now more widely available and financially affordable.  Careful consideration will need to be given to the requisite cover and this will depend on the nature of your business.  You may only need what is known as first party cover to protect against financial loss to your own business.  Alternatively you may need more wide ranging cover to include protection against third party claims. Whatever your needs it is a good idea to speak to your broker or current insurance providers in order to make sure you are covered.  This may mean that you avoid the need to call in the lawyers.

This article was contributed by two members of Hampshire Chamber’s Tax, Finance and Legal Committee. Kelvin Farmaner, Partner and Head of Insurance Litigation Team, Trethowans LLP Email: kelvin.farmaner@trethowans.com and Tony Knight, MD of Knightsure Insurance Brokers Ltd Email: bestcover@knightsure.co.uk.