Cyber breaches are not acts of God. They are preventable, provided you have taken the right steps to protect your firm from attack. Professional Passport’s cyber risk management supply partner Mitigo writes that the only way to prove to yourself and your senior leadership team that you have put the right defences in place is to obtain independent assurance.
Why cyber insurance isn’t a substitute for cyber risk management.
So you think buying cyber insurance means your business will avoid a major nightmare?
You’ve bought a cyber insurance policy to help protect your company against devastating cyber-attacks. It looks comprehensive so you can finally sleep at night. But before you get too carried away, is that really the case? Many companies which have been victims of a cyber-attack held cyber insurance policies. That cyber insurance did not prevent them from being the next victim. Of course, you will be glad you had the policy if the worst does happen, but it is essential to understand the difference between cyber risk management and cyber insurance. Simply put, cyber insurance is the transfer of residual risk once you have taken the right steps to manage your cyber risks in the first place. That includes carrying out proper cyber risk assessments and implementing robust cyber security controls.
What is not covered by cyber insurance?
There is no substitute for having proper cyber risk management in place. Cyber insurance may allow some costs to be recouped, provide cyber specialists to help deal with the immediate crisis and may even allow payment of a ransom demand in some cases, but there is a range of issues that cannot be resolved by simply putting insurance in place.
Difficulties that we have seen companies trying to manage after a cyberattack include:
- Senior management working through the night trying to work out how they are going to continue to run the business with no functioning systems
- Colleagues unable to work while locked out of their systems
- Having difficult conversations with customers and other third parties explaining how and why their confidential information has been breached and the fact that you cannot progress their orders or transactions
- The hit to cashflow and having to explain and navigate the situation as regards investors and bankers
- The requirement to communicate the problem to customers, staff, other third parties and the press, again without being able to use the firm’s usual methods of communication
- The need to report the incident to the ICO, any relevant regulator and law enforcement agencies
- Internal disruption, as well as blame and condemnation among personnel
- Extensive lost time
- The arguments over fault and liability in cases of diverted payments
- Trying to negotiate with criminals over their ransom demands for the return of confidential data or decryption of systems
- The fact that the underlying weaknesses that allowed the cyberattack to happen will still need to be identified and eliminated
The National Cyber Security Centre (NCSC) notes that:
“Cyber insurance will not instantly solve all of your cyber security issues, and it will not prevent a cyber breach/attack. Just as homeowners with household insurance are expected to have adequate security measures in place, organisations must continue to put measures in place to protect what they care about.”
Why is cyber risk management essential for all businesses?
Every business is at risk when it comes to cyber security. Criminals have found a variety of methods, including email account takeover and ransomware attacks, to be profitable in any business where data protection, client and proprietary confidentiality or secure operational systems are important.
The reality is that almost every business now relies upon information technology and operational technology. When criminals attack, they can look to divert payments, steal data, and encrypt systems, bringing business to a halt.
Risks of failing to proactively implement strong cyber security measures that cyber insurance will not help with include:
Breach of legal (and any regulatory) obligations
All businesses are required, as a minimum, to comply with legislation. Any relevant regulator will require this too. This includes compliance with UK GDPR for the protection of personal data. Basic requirements include:
- Carrying out regular risk assessments for the security of data
- Putting effective controls in place, including:
  - Providing relevant training to personnel and having policies in place outlining expected behaviour
  - Having secure technology
  - Having the right policies and framework in place in respect of governance
- Regularly testing, assessing and evaluating the controls
- Being able to provide evidence of compliance with the above
Failure to comply with legal (and any regulatory) requirements can result in substantial fines – fines, by the way, that your cyber insurance policy won’t cover.
Data breaches
In the case of Interserve, the ICO fined the construction company £4.4m over its failure to protect its employees’ data from cyber-attacks. The Information Commissioner said companies should “expect a similar fine from my office” if they fail to put proper protections in place. The ICO made it clear it will have regard to “relevant industry standards of good practice” such as ISO 27001; the National Institute of Standards and Technology; the various guidance from the ICO itself; from NCSC and from any sector regulator.
Business disruption
Business disruption will result in substantial losses. The initial difficulties can be crippling, and the long-term issues can last for many weeks or months whilst those involved scramble to restore systems and databases.
The importance of dealing with cyber security at board or partner level
Given that cyber security failures have the potential to devastate a business, it must be understood that this is a matter for the senior leadership team in the company. It is the directors or partners who will have to face the consequences and answer to shareholders, the ICO, customers, other affected third parties and their own colleagues. The senior leadership team needs to have the appropriate management information in place, and that information should be discussed regularly at board meetings.
The Government’s draft Cyber Governance Code of Practice, aimed at executive and non-executive directors and other senior leaders, highlights the fact that cyber risk should have the same prominence as financial or legal risks and that responsibility and ownership of cyber resilience is a Board level matter.
The importance of independent assurance
It should also be recognised that proper cyber risk management requires some independent assurance carried out by genuine cyber security specialists with in-depth knowledge of the latest security risks and experience of the attacks taking place in your sector. They should be independent of your IT provider, because having your IT mark their own homework is a non-starter from a compliance perspective.
Who are Mitigo and how can we help?
At Mitigo, we offer specialist advice and cyber security services (we are not an IT company). We know that you are a prime target for cyber criminals and our experts have the understanding needed of both your business and potential cyber risks to give you the protection you need.
We can work with your business (and your IT partners) to identify potential risks and eliminate them without delay. So don’t rely on your cyber insurance to save the day. The only way of effectively protecting your organisation is to ensure that your security protocols and systems are as strong as possible.
Contact us today for a vulnerability risk assessment
If you would like a cyber security overview carried out by our cyber security experts, fill out our contact form, or see below. We will identify any issues that need attention and work with your business to ensure that you have the optimal cyber security protection for your organisation.
Mitigo is offering Professional Passport members a free no-obligation consultation to help you understand the areas of your business that are most vulnerable to attack.