Cyber liability and the protection of client data
There has been much discussion about insurers and commercial organisations viewing 'big data' and 'analytics' as the future of customer insight, but what happens when crucial data is stolen? Kurt Rowe and Ed Lewis ask how your organisation is placed to deal with a cyber attack…
You've seen the news in the papers (or the online press, to use a modern medium). Just recently, Sony was the victim of an attack which saw its intellectual property, including unreleased films, posted on the internet for free. In May, eBay was the subject of a cyber attack that saw personal details of 233 million users stolen. Cyber attacks happen regularly, and they are not just aimed at large commercial organisations: the odds are that your firm has been the subject of a cyber attack; you just don't know it, as it would have been prevented by your security software. That said, what if, like Sony and eBay, your security software was breached? What would you do, and how would you even know you'd been the victim of such an attack?
Firstly, what is a cyber attack and what is its purpose? A cyber attack is an attempt to breach your security software electronically. Attacks can be socially and politically motivated, but the motivation for the attacks that you are more likely to face is profit, pure and simple. A cyber attack can take various forms, from hacking into your systems to steal data, to bombarding your site in the hope that your system will fail, allowing the attackers to steal data, and finally, to taking control of your site to hold it to ransom. Either way, it's about money, and being able to profit from weaknesses in your security.
Secondly, how would you know you've been the subject of a cyber attack? In all honesty, this is the difficult bit, as you may not even know you've been the victim of an attack until your clients contact you about the theft of their data, or your records show questionable transactions. So you've been the victim of a cyber attack … so what?
Well, this could be a major issue for your organisation. The whole idea of cyber attacks is to damage your organisation's reputation and balance sheet. Data is a highly valuable commodity and should you lose your clients' data through such an attack, you aren't just looking at upset clients. You could well be facing punitive action from regulators such as the Information Commissioner's Office or others. For example, an insurer in this position would also face action from the Financial Conduct Authority. Not only that, but you could face a civil action from your client for the loss of their data, especially if they have faced financial losses and brand or reputational damage as a result. Further, your own brand and reputation in the public domain will be tarnished. After all, who wants to be known as the company that lost all of its clients' data?
So, what do you do to protect yourself, your systems and your clients' data? This is the simple bit. You need to make sure that your IT systems are as secure as possible, with continually updated firewalls and anti-virus software. You need to implement good password, data, and remote working policies, as well as making sure your premises are physically secure. If you do these things, you will have gone some way to reduce the risks to your business, but what you need to think of next, and this is what everyone forgets, is to make sure that you have two additional extras:
- profile your business activities and acquire a cyber liability insurance policy suitable for your needs, covering your own losses as well as your clients';
- a robust incident response plan which can react to the attack, restore your systems and prevent a further attack, deal with claims either against you or on your behalf as a result of an attack, and take action to protect your position. Your response plan must include specialist lawyers with expertise in cyber liability issues.
This is where Weightmans can add value. We can assist you with a review of your policy wordings to identify gaps in cover which you can then provide to your insurance broker to locate a suitable solution. We can also work with your IT suppliers to help create a tried and tested incident response plan from both a claims and legal viewpoint.