The evolving threat of cyber-crime: the importance of insurance in managing and mitigating the risk to businesses

Date: 22/09/2021
Author: James Fletcher
Company: Gallagher

In an increasingly connected world, cyber threats continually evolve. As the risk of cyber-crime increases, threatening a business’s financial status as well as its reputation and customer trust, developing resilience to cyber liability is now a significant challenge for organisations of all sizes in Greater Manchester. James Fletcher, Managing Director of commercial insurance broker Gallagher’s Manchester city centre office, highlights how businesses in the region can minimise the risk of financial, operational and reputational harm, in the event they are targeted by cyber criminals.

Greater Manchester has a £5 billion digital economy[1], and is now emerging as the fastest-growing tech city in Europe, second only to London when it comes to investment.

As many Greater Manchester businesses become more reliant on technology, criminals gain new means to attack organisations in the region using increasingly sophisticated techniques, and cyber-attacks are now a growing concern.

In fact, almost 40% of UK businesses experienced a cyber incident in 2020, according to the latest Cyber Security Breaches Survey[2] produced by the Department for Digital, Culture, Media and Sport (DCMS). Among those businesses that were targeted, more than a quarter (27%) experienced attempted attacks at least once a week.

Financial losses suffered following cyber incidents can be substantial, with DCMS estimating the average cost of a cyber-security incident in the past 12 months to be £8,460, increasing to £13,400 for larger organisations.

Under the GDPR, the data protection regulations introduced in 2018, businesses can also be fined up to €20 million or 4% of their turnover (whichever is the higher figure) in the event of customers’ personally identifiable information being lost, stolen or leaked.

As well as facing potentially significant financial consequences, companies are likely to experience substantial downtime between an incident occurring and its resolution, affecting their ability to operate and potentially damaging the business’s reputation and client confidence.

In recent years there has been a significant surge in ransomware attacks – in which hackers break into an organisation’s network and install malware that prevents users from accessing their computers or the data stored on them, before demanding a ransom. This increase is showing no sign of slowing down, with the National Cyber Security Centre (NCSC) handling more than three times as many ransomware incidents in 2020 as in 2019[3]. Beyond the financial losses and the operational disruption caused by systems going offline during a ransomware incident, there is also a growing trend for cyber-criminals to threaten to release sensitive data stolen during the attack if the ransom is not paid, causing further reputational damage to the affected firm.

Increasingly, cyber criminals look to exploit the weakest link in a business’s security chain: its people. Attackers use phishing emails – messages that demand immediate attention and lead the victim to reveal sensitive information, click a malicious link or open an infected file – to con unsuspecting employees into compromising their security, transferring money or sharing sensitive company data. Phishing attacks continue to rise, with DCMS reporting a 14% increase in businesses experiencing incidents of this type between 2017 and 2020[4]. In some attacks, cyber-criminals are known to invent ‘true to life’ scenarios to convince victims to divulge sensitive information, often having researched their victim in advance of the first conversation.

Although good cybersecurity practices are important – such as ensuring employees use strong passwords, applying regular system and software updates, and turning on multi-factor authentication – Greater Manchester businesses are leaving themselves exposed to financial and reputational damage if they don’t also consider having specialist cyber insurance in place.

Though a dedicated, standalone cyber insurance policy cannot protect a business from cyber-crime completely, it can help it to recover should its data or electronic systems be lost, damaged, stolen or corrupted – responding to the immediate impact of an attack by working to restore network systems and data quickly, while seeking to minimise business interruption, including covering loss of income during any period of disruption. A range of support measures is also included, such as help with developing cyber risk management procedures, legal advice, and forensic IT consultants who help to establish the existence, cause or scope of a security incident.

With cyber criminals constantly finding new ways to hack into businesses, and because risk exposures can vary greatly from one organisation to the next, there isn’t a one-size-fits-all approach to cyber risk management. Engaging the support of a specialist insurance broker is a good first step. They will assess the specific risks faced by the individual business, identify any gaps in its cybersecurity, and then advise what type of policy is appropriate.

To ensure businesses understand what a particular insurance policy includes before buying, brokers will highlight the extent of the cover provided and any exclusions, avoiding confusion or misunderstanding later about what may or may not be covered in the event of a claim.