Mieke Speeckaert - Legal Director, Property & Liability Manager
Cyber attacks are on the rise but to understand the bigger picture you must first understand what cyber attacks are. Cyber attacks are defined as one of the following five acts: Illegal access to IT systems, Corporate espionage, Data or system interference, Cyber extortion and Internet fraud.
Cyber attacks are happening worldwide. According to a PwC survey of 7,300 respondents across 123 countries, 31% of the respondents experienced a cyber attack in the past two years. 14% found that cyber fraud was the most disruptive form of fraud, losing over one million dollars. One percent even lost over 100 million dollars.
This type of crime is also happening in Belgium. A survey conducted by KULeuven shows that more than half (67%) of Belgian businesses have been the victim of cybercrime at least once in the past year.
The most common type of fraud is ‘disruption of business processes’; it affected 30% of businesses worldwide during the past year. This type of fraud can result in severe financial losses.
As an Independent Insurance Broker, at Concordia, we analyse our clients’ businesses, help them identify the risks and propose customised solutions to insure their organisation from potential cyber and all other threats. In the past years, we’ve worked with a number of clients and their IT departments to prepare a tailor-made proposal to insure their business from cyber attacks. Here are the steps to take to make your company cyber attack proof, analyse if you need cyber insurance and how this can affect your business.
1. IT-audit
The first thing a company should do to minimise the risk of a cyber attack is to conduct an IT-audit. This audit examines and evaluates the current status of the company’s infrastructure, policies and operations. It gives the company an indication of their current situation and provides answers to questions like:
- Is our system accessible for hackers?
- Is our data completely protected?
- Have we already been hacked?
- Did a hacker visit our system?
After conducting the audit, a company can determine their weak spots and risks. Without this audit, a company is blind and cannot undertake the right actions to improve the IT system.
2. Prevention and follow-up
The second step is to set up cyber prevention measures. Every employee’s computer and smartphone is an opportunity for hackers to get into the company’s system. That is why the IT team has to make sure that hackers can’t get past the firewall.
A simple measure every company can take is to send an email once a month to its employees asking them to change their password. In addition, the password should be strong, which means it should combine capitals, numbers and signs. The company should review its cyber prevention measures regularly to be up to date with the newest software and minimise the chance of hackers getting into the system.
3. Cyber Insurance
Before helping you choose your insurance, we analyse your current insurance portfolio to determine the risks that are already covered by other insurances like PI (professional indemnity insurance), Property/BI, D&O, etc. This allows us to negotiate the best cover and premium solution for your business.
This is often combined with our legal services with regard to screening and deregistration of contractual clauses. An example is the processor contract, which is an insurance that covers other parties. Concordia also supplies tailor-made clauses with limited liabilities for specific amounts or lots.
These exercises, analysis of the insurance portfolio and the legal services, can provide a clear view of the ‘resting risks’ you might want to insure.
Concordia works with three main types of cyber insurance, all focused on different domains.
The first type focuses on liability exposure. When you think that you might suffer from claims from third parties during a cyber attack, this might be the right insurance for you. This type of insurance can, for example, centre around lost or damaged data and sensitive information. When a company gets hacked, their clients’ data may become public, followed by multiple lawsuits. That is why an insurance that focuses on liability exposure must be tailor-made. The insurer will base his opinion on multiple factors like:
- The use and volume of data
- A contractual analysis of documents with, for example, suppliers
- The quantity of the possible exposure
After this analysis, the insurer can advise you about the insured amounts.
The second type of insurance centres most around ‘own damage’. When you get hacked, your system can be down for some time causing you to lose business deals. That is when ‘business interruption’ comes into play. A review of policies on the insurance market concluded that some insurers do not cover the full extent of the BI. These insurers only cover the loss of exploitation and not the gross profit. The big difference is the ‘deduction of all costs related to the company’ as opposed to only the deduction of the variable costs. These variable costs have to be calculated annually. A good broker keeps your industry and profile in mind to recommend the right cyber insurance for your company.
For example, Concordia keeps the client’s industry in mind to include the risk of ‘material loss’ (a controversial concept in cyber insurance). Each company needs a different type of insurance regarding this topic. If your company has a production site you can suffer from a (temporary) loss of goods through manipulation of the stock and delivery IT system. The value of goods is primordial in this dispute with insurers. That’s why it is important to have a tailor-made solution.
Recently, one of Concordia’s clients, a company that specialises in payroll, HR and social security services, suffered from ‘business interruption’ claims. Their hosting provider was executing maintenance on the network when there was a lockdown of the entire system. The company’s software was not accessible for four days, either for them or for their clients. Because of this lockdown, they suffered ‘own damage’ through business interruption. As our client, they were insured against cyber attacks with full cyber coverage. Concordia could support them with its claims regarding insurance. The company’s insurance had the right formula to cover this business interruption.
The last type of insurance mainly focuses on CEO fraud, better known as phishing. Criminals pretend to be someone in the company and make the client of the company pay into a fraudulent bank account. CEO fraud is widespread: 33% of businesses have experienced this type of fraud in the last two years.
These criminals are getting better at flawlessly and imperceptibly taking over the identity of, for example, a supplier or your CFO. They have one goal: to make your company pay sizeable amounts by threatening your daily tasks.
Last year an association for brokers and real-estate became the victim of mail hacking. The company had closed a deal with a client that wanted to rent a house. The client needed to pay a deposit, and therefore the company sent an email with the bank account details. Hackers intercepted that mail and changed the bank account details. As a result, the client deposited the money into a fraudulent account, and the owner of the house never saw the money.
The company’s client suffered from exposure to potential damage and financial losses. The company itself had to conduct a full audit to determine the damage to their system and intercept other fraudulent emails. In addition, the company had emergency costs to inform their clients of the hacking.
Cyber attacks are on the rise, not only in the US but all around Europe as well. Every company should take adequate steps to prevent possible cyber attacks. Auditing the company, taking preventive measures and implementing a follow-up strategy are necessary steps if you want to reduce the risk of a successful hack. Getting cyber insurance not only covers financial losses but is also a form of risk management. The best solution is always one that combines the knowledge of a specialised insurance broker and the IT department.
Do you need guidance in making your organisation cyber attack proof? Contact us today. Count on our expert knowledge and high service level to find the ideal, tailor-made solution in collaboration with your IT department.