Airmic

Practical steps to limit cyber damage - before and after an attack

Benedict McKenna - vice president and operations claims manager, FM Global

Benedict McKenna of FM Global offers advice for risk managers trying to keep pace with the fastest evolving threat of our day

Cybercrime currently costs the UK an estimated £27 billion a year. What's more, it is one of the most rapidly evolving risks facing businesses today. According to a recent survey by Lieberman Software, 76% of organisations surveyed believe that cyber attacks are evolving too fast for their IT security personnel to keep pace.

Despite this, there is still plenty that organisations can do to reduce the threat, as well as mitigate the impact when an attack does occur. One thing is certain: a lack of preparation in managing the cyber threat can have devastating consequences for a company's reputation, market share and bottom line.

So, what are the key steps to take?

Loss prevention

While predictions around the frequency and financial impact of data breaches make stark reading, it's possible for organisations to build cyber-resilience into their corporate culture. This starts with a thorough assessment of the risk and the development of a Corporate Data Security Policy. This should include:

  • A review of physical security to prevent unauthorised access to the facility and critical areas (server rooms);
  • A tidy desk policy and locked shredding bins so sensitive data in paper form is properly handled;
  • Restricting employee contractors' systems and data access. Access to shared drives should be restricted and approval controlled by an information security office;
  • Using encryption where possible, including for file sharing;
  • Keeping personal data for third parties to a minimum;
  • Conducting Breach Response Planning and stress testing. This includes identifying consultants/experts, role playing scenarios and testing existing cyber security;
  • Employee education/awareness (do's and don'ts and strict policy enforcement) including ensuring all security software is kept up to date and all software patches are downloaded promptly;
  • Ongoing security monitoring. It is important that the Chief Information Officer is fully versed in the company's ongoing business ventures to ensure the security measures put in place are fit for purpose;
  • Ensuring a thorough understanding of cyber covers available in both first and third-party specialty markets. This should include stand-alone cyber policies and the extent of cyber covers (and exclusions) in existing property and third-party policies to ensure adequate cover.

Auditing your suppliers and partners

Cyber risk is also a supply chain issue for organisations today. No matter how well you've secured your own organisation against cyber threats, you could still be exposed to risk through your partners and suppliers. Let's say you're a manufacturer: what if one of your key suppliers is attacked, disrupting that supplier's ability to supply, and your operations are also affected?

BBC News recently reported that over half of UK businesses admitted to being the target of hackers last year, with a manufacturing company having a one in three chance of being attacked. With manufacturing companies increasingly relying on software to automate processes, manage partners and facilitate R&D, targeting of their supply chains by cybercriminals is becoming an increasing threat to businesses.

Supply chains therefore need to be audited, and backup suppliers and partners identified (preferably in separate supply chains from the primary suppliers), so that in the event of one supply chain being compromised, alternative suppliers can step in and fill the gaps.

Have a plan in place to ensure a quick recovery after a cyber attack

Unfortunately, it is not possible to fully eliminate the risk of a cyber-attack; hackers will continue to evolve new and sophisticated methods to get around even the tightest of security. Therefore, a recovery plan needs to be in place to deal with the effects of a cyber-attack.

The plan should cover areas such as:

  • How to identify and isolate a security breach in an acceptable recovery time to minimise impact on the business;
  • Identifying a dedicated response team, to mobilise in the case of an attack;
  • Requirements to notify regulators of any breach involving public/third party data;
  • Options to engage PR consultants to manage the various lines of communication and reassure the wider public.

The presence of a recovery plan can help to reduce the long-term reputational damage that businesses can suffer after the public is made aware that they have suffered a significant cyber attack or data breach. The recovery plan will ensure that a business is resilient - and a resilient business will be at a competitive advantage to its non-resilient competitors.

How can insurers help?

In a previous article in Airmic News [https://www.airmic.com/news/how-well-do-you-understand-your-cyber-cover], we talked about first and third party cyber covers as well as stand-alone cyber policies available in the market today. While there is a vast array of offerings out there, ultimately in the event of a data breach, companies want to be safe in the knowledge that their insurance cover is robust enough to respond.

It is therefore important that organisations continue to challenge their insurance carriers to offer the kind of cyber/data covers they need. And in the event of a loss, companies need to rely on their insurers to quickly assess and process claims, ensuring that policyholders have the capital needed to recover from the breach - something that can be even more important when the cyber attack has caused property damage and resultant business interruption.

When taken together with the prevention and response measures discussed earlier, this will help ensure they remain resilient in the face of such threats.

Benedict McKenna is operations vice president and operations claims manager at FM Global.