One in three companies have experienced a cyber incident in the past 12 months, according to Bridging the Cyber Risk Gap, the latest research from insurer Chubb.

As a direct consequence, a significant majority realised they were less prepared than they had hoped. In many cases, that lack of preparation will not have been in companies’ digital defences; the problem will have been with their own people.

Few UK firms understand, or effectively address, the human element of their cyber risk. Around 70% of cyber security breaches result from phishing attacks, and a growing number from broader social engineering by criminals.

This does not include the number of cyber breaches that result from simple human error, without malicious intent. Here are a few easily recognisable scenarios:
  • the employee who emails important data to someone they did not intend;
  • the employee who falls for a scam email;
  • the employee who opens a link in an email without verifying the sender’s address;
  • the employee who goes online and inadvertently downloads malware onto a company computer;
  • and the employee who accesses company information from their own device and introduces malware.
The above are a combination of simple human error, ignorance or – more worryingly – sophisticated attacks known as ‘spear-phishing’ in which information gleaned from social media or a company’s own website is used to dupe an employee into doing something or following a link which exposes the company to risk.

All firms should undertake a holistic audit of their cyber exposure. In each area, pre-loss planning can minimise the likelihood or effect of an attack. The areas are: awareness, protection, detection, response, and resilience.

Awareness involves understanding in detail the business environment, what risks exist and what regulation applies to a firm in the event of a cyber breach.

For protection, companies need to implement ‘best-in-class’ cyber hygiene, including proper data-handling protocols, identifying a responsible information security officer, and implementing technology or buying protection against identified risks.

Detecting intruders as quickly as possible is key to limiting the damage attackers can do. This includes both technology-led solutions and offering incentives to staff to raise the alarm quickly if they see or do something unusual.

Companies need a 24-hour response system that allows rapid action, including notification of those affected after an attack, as well as cleansing the system of malware.

Often referred to as business continuity, resilience is about the long-term protection of revenue, and includes communication to clients about resumption of business, rapid restart planning, and pre-planning to find alternative routes to market in the event of a complete shutdown.

Cyber-crime and fraud prevention can seem complicated, but they needn’t be. Start by putting simple, everyday steps in place to ensure you and your customers are well protected.

If you are uncertain about how to protect your business from cyber-crime, contact us on 0121 321 4600 or send your enquiry to info@clarisksolutions.co.uk

Thanks to Post Magazine; Lauren Webb, London cyber underwriting manager, and Nick Bellamy, principal cyber risk engineer and technology industry practitioner at Chubb.
16th October 2017

GDPR - are you covered?

Cyber crime is evolving so rapidly that the law is scrambling to keep up. The General Data Protection Regulation (GDPR) harmonises all the data protection laws across Europe.

The EU has finalised its new data protection legislation to close some of the loopholes that have allowed so much cyber crime to go unreported.

The new regulation comes into effect from 25th May 2018. It applies to any business that holds personal data or processes data for a client firm.

It requires your firm to demonstrate you have appropriate data-processing controls in place, to notify the authorities if you have a breach and make sure you have consent for all the data you hold.
Your business can be fined up to 4% of annual global turnover or €20 Million for breaching the regulation.

All companies and firms like yours will need cover. This is already leading to increased interest in cyber insurance and without GDPR compliance, your cover may not be valid.

Key points
One of the main points in the GDPR is the way companies collect and gain consent to use a person’s information such as name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address.

“Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.”

*Taken directly from the GDPR website.

Cyber risk insurance
Any company storing information electronically faces the very real prospect of a hacker or even an employee gaining unauthorised access to their data.

Whether information is stored on a company server, individual PC, in the cloud, or on your company website, if a breach occurs, you will need the protection that cyber security insurance can offer to counter the impact this can have on your business.

You can mitigate the risks by taking out cyber insurance. However, you would be wise to improve risk management and comply with the GDPR to keep premiums as low as possible and ensure your cover remains valid.

CLA have also teamed up with Ilicomm who can provide a complete vulnerability assessment that can reveal as yet undiagnosed problems and highlight any weaknesses. They provide a free scan, subject to qualification, so that you can test drive their service for yourself.

What does cyber insurance cover?
Cyber insurance is designed to provide the support and protection you will need from some of the financial consequences of a cyber attack and includes:
  • Mitigation of the financial impact of data leaks
  • Advice and support for your IT department
  • Managing the risk of any adverse publicity
  • Protection from third party claims against the company
  • Regulatory fines for data breaches
  • Loss of profits while recovery is taking place
  • Professional fees
  • Breach coaching
The support is provided by a cyber incident response team and policy holders can also benefit from assistance after a data breach, to help restore systems and firewalls.

If you would like to arrange a free scan from Ilicomm, please contact one of our team on 0121 321 4600.
Cyber security may sound like a technical problem, but as we saw recently with the NHS attacks, preventing it is a management challenge.

It starts with carrying out a risk assessment and answering, ‘how would our business cope if we came in one morning and our computers didn’t operate?’ ‘What is our backup plan and who could we rely on to help us fix it if we had an attack?’

When you have a grip on your operations, remember that your business also has a responsibility to staff and customers to secure the data they use in the organisation. The Data Protection Act requires that personal data is secured and used appropriately.

Why should you do this? Because the threats from cyber criminals, hackers and identity theft are very real. When you understand the extent to which your business will be affected and what it could cost you, it becomes easier to justify the resources you’ll need to put in place now to prevent it.

Computer security for small businesses should be multi-layered, using desktop security products such as anti-virus, anti-spam and firewalls, and network intrusion detection, and hardware technologies such as security tokens, disk encryption and biometric fingerprint recognition.

But above all, it is about management. Define and train your staff on a security policy, including using strong passwords that include numbers and letters; not sharing or displaying passwords; and only opening email attachments from reliable sources. Encourage your staff to use the web responsibly, and stay vigilant when outsiders are in the office. Monitor access to the network, including memory sticks and other plug-in devices, which can be used to steal company information.

Protecting your business against phishing, vishing and smishing
  • Be cautious of how much information you reveal about your company via social media platforms
  • Do not assume a caller is genuine because they know information about you or your company – fraudsters are skilled in collecting enough information to sound convincing
  • Do not open emails that you suspect could be spam
  • Never enter any personal or security information on a site accessed through a link in an email
  • Never open attachments from senders you are unsure of
  • Be cautious of callers who attempt to gain information from you, for example “I want to check a payment you made today” rather than “I want to check a payment of £5,000 you made today in favour of XYZ Ltd”. The former may be trying to get you to divulge information that can be used against you later.
  • If you are suspicious, terminate the call
  • When ringing back to verify the contact, use your usual contact number, not one provided in the suspect correspondence
  • On sites that require you to input sensitive information, look for “https” in the website address – the “s” stands for “secure”
  • Ensure there is a padlock symbol in the browser address bar – this shows that the connection to the site is encrypted
  • Remember that your bank may ask you for some information, but will never ask for your full password or PIN, provide you with details to make a payment, or request that you grant them access to your systems or PC
  • Familiarise yourself with what your bank will and won’t ask you if they wish to verify payments
Protecting your business against invoice fraud
  • Make your staff aware of this threat
  • Check notifications and invoices received carefully to see if the document looks like a counterfeit
  • Check that the email address the message comes from does not look odd, such as by ending in “.org” when it should end in “.com”.
  • Always call your supplier, using contact details you have on file (not those supplied in the message – that will be the fraudster) to confirm any changes before effecting them. Ensure that you validate the exact bank detail changes you should be making, in full
  • Consider setting up single points of contact with the companies you pay regularly
  • Consider adopting dual control procedures for any changes in payment information
  • Use technology that matches invoices against purchase orders and flags any rogue invoices
  • Regularly conduct audits on your accounts
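The checks in the list above (sender domain, bank-detail changes, purchase-order matching) can be automated as a screening step before any invoice reaches the payment run. The script below is an added example written for this page, not code from CLA, Ilicomm or any vendor; the supplier records, purchase orders and invoices it uses are constructed sample data, and any invoice that raises a finding is held for the phone-back verification the list describes.

```python
"""Screen an incoming invoice against supplier and purchase-order records.

Added example (not the page's or any vendor's code). All records below are
constructed sample data standing in for an accounts-payable system.
"""
from dataclasses import dataclass

# Supplier details "on file" (constructed). Bank details here are the only
# ones a payment should ever go to unless a change has been verified by phone.
SUPPLIERS = {
    "acme ltd": {"domain": "acme.com", "sort_code": "20-00-00", "account": "12345678"},
}

# Open purchase orders (constructed): invoice must quote one of these.
PURCHASE_ORDERS = {
    "PO-1001": {"supplier": "acme ltd", "amount": 5000.00},
}


@dataclass
class Invoice:
    supplier: str    # supplier name printed on the invoice
    sender: str      # From: address of the email that carried it
    po_number: str   # purchase order the invoice claims to settle
    amount: float
    sort_code: str   # bank details printed on the invoice
    account: str


def sender_domain(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_lookalike(domain: str, expected: str) -> bool:
    """True when a domain imitates the expected one: same first label with a
    different ending (acme.org vs acme.com), or a single-character change."""
    if domain == expected:
        return False
    if domain.split(".")[0] == expected.split(".")[0]:
        return True
    return len(domain) == len(expected) and sum(a != b for a, b in zip(domain, expected)) == 1


def screen_invoice(inv: Invoice) -> list:
    """Return a list of findings; an empty list means the invoice passed."""
    findings = []
    record = SUPPLIERS.get(inv.supplier.lower())
    if record is None:
        return ["supplier not on file"]

    # 1. Sender address: does it come from the supplier's known domain?
    domain = sender_domain(inv.sender)
    if domain != record["domain"]:
        kind = "lookalike of" if is_lookalike(domain, record["domain"]) else "different from"
        findings.append(f"sender domain {domain} is a {kind} on-file domain {record['domain']}")

    # 2. Bank details: any change must be verified using the number on file.
    if (inv.sort_code, inv.account) != (record["sort_code"], record["account"]):
        findings.append("bank details differ from those on file; verify by phone before paying")

    # 3. Purchase-order match: right supplier, right amount.
    po = PURCHASE_ORDERS.get(inv.po_number)
    if po is None:
        findings.append(f"no open purchase order {inv.po_number}")
    elif po["supplier"] != inv.supplier.lower():
        findings.append(f"{inv.po_number} belongs to a different supplier")
    elif abs(po["amount"] - inv.amount) > 0.005:
        findings.append(f"amount {inv.amount:.2f} does not match {inv.po_number} ({po['amount']:.2f})")
    return findings


def decision(inv: Invoice) -> str:
    """'pay' only when every check passes; otherwise 'hold' for manual verification."""
    return "hold" if screen_invoice(inv) else "pay"


if __name__ == "__main__":
    genuine = Invoice("Acme Ltd", "accounts@acme.com", "PO-1001", 5000.00, "20-00-00", "12345678")
    # Constructed fraudulent invoice: lookalike domain and changed bank details.
    suspect = Invoice("Acme Ltd", "accounts@acme.org", "PO-1001", 5000.00, "40-11-22", "99999999")
    for inv in (genuine, suspect):
        print(decision(inv), screen_invoice(inv))
```

Run as-is, the genuine invoice is marked "pay" and the suspect one "hold" with two findings: the sender domain is a lookalike of the on-file domain and the bank details have changed. The dual-control point in the list maps onto the "hold" outcome: nothing in that state should be paid until a second person has confirmed the change with the supplier on the number already on file.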
Cyber risk insurance
Insurance is an essential part of your cyber security strategy to help you to recover quickly after a breach and cover the costs involved such as:
  • Bringing in experts to support your team
  • Managing any negative press coverage and crisis containment
  • Third party liability
  • Repairing and restoring systems following an attack
  • Extortion costs you may have to pay following a ransomware demand
  • Legal advice
  • Business interruption costs
Vulnerability assessment – preventing an attack before it happens
CLA have partnered with cyber security specialists Ilicomm, who can offer a vulnerability assessment.

Their vulnerability assessment programme will not only reveal as yet undiagnosed problems, but will highlight weaknesses and recommend the explicit technical controls required to mitigate the risk to an acceptable level.

To find out more about cyber security and how to protect your business please call, or request a call back and one of our account executives will contact you.
21st August 2014

Cyber risk insurance

Most information is stored digitally these days on a variety of devices. The financial repercussions of recovering from a security breach can soon mount up. For example, your IT support team will be working overtime to control the damage and fix the breach. Clients may be making claims for damages. You may need legal advice and there may be costs involved in managing adverse publicity.

Taking out insurance to cover these risks will not only mitigate your financial losses but with the right insurance cover in place, you will also have access to the support needed to get your business up and running again as quickly as possible. Following a cyber attack, you will be able to call on professional advice for IT, media and legal issues that may arise.

Globally, cyber crime is on the increase, not only from external sources but from within a company’s own employees. Virus attacks on companies’ computers soared in the last year from 11,523 to 22,315, according to Detective Superintendent Pete O’Doherty, head of the National Fraud Intelligence Bureau. There were 494 cases of companies saying that their computer servers had been hacked.

Research from the FSB (Federation of Small Businesses, The Voice July/August 2014) concluded that 60% of small firms experienced a security breach in 2013, compared to 64% in 2012. However, costs have increased from previous years. In 2012, the worst security breaches cost between £35,000 and £65,000 whereas in 2013 costs were between £65,000 and £115,000.

These costs could be catastrophic for a business. For ultimate peace of mind, taking out a cyber risk insurance policy will cover you for a wide range of costs and provide the support you need to minimise the damage to the company and its reputation.