Cyber security: a changing threat

In the difficult times that face us all currently, we shouldn’t lose sight of the increasing threat of cyber attacks.
Funeral directors have always been considered one of the lower risk professions, but the scammers and cyber criminals have become ever broader in their targeted ‘market’ and methods of attack.
This challenging time has meant that the workplace is changing for all businesses, in some cases probably on a permanent basis, with more and more people working from home. Consequently, it’s important to ensure that your business is protected wherever this broader workplace may be.
Technology
- You should ensure you have a virtual private network (VPN), which gives you a protected private network connection. This provides a number of security features, such as hiding IP addresses, encrypting data transfer and masking locations. If you’re utilising an employee’s device, you should also ensure that additional encryption is in place in case the device is stolen. If you already have a VPN, that is an excellent start, but do remember to ensure that it’s fully patched, and that the number of licences, capacity and bandwidth may need to be looked at if the number of remote workers has increased.
- Ensure that all remote work technology has the same account access restriction that your on-site software has and ensure that only trusted, competent staff have access to it.
- Antivirus and malware protection should be installed and maintained to ensure that your security is up to date.
We at SAIFInsure incorporated a small level of Cyber Insurance cover into our standard commercial policy to protect against basic third party losses and while we would like to go further as standard, this would increase the costs of the general package policy substantially and unnecessarily in most cases.
We appreciate that some have a large number of offices with more sophisticated systems holding sensitive data, such as payroll and payment details, whereas others will be smaller operations holding very little as they may sub-contract payroll and HR matters.
There has been an increase in the number of phishing and malware attacks and an increase in the number of funeral directors contacting us asking for a quotation to increase their coverage accordingly, including first party cover (cover for yourselves and not just third parties).
The argument has traditionally been whether this is something that only really affects large companies and those in the financial services and media world. This takes us neatly into the area of what a cyber attack could really look like, its impact and what needs to be done to remedy the situation. Below we have three scenarios which affected small to medium-sized businesses and were paid under a cyber policy.
Claims examples
Scenario 1: Employee Error
An HR recruiter sent an incorrect file attachment to four job applicants. The file contained various former employees’ names, addresses and National Insurance details.
Outcome under Privacy Liability
Defence expenses from regulatory investigation: £55,000
Defence and settlement costs for claims that employees had their ID stolen: £100,000
Incident Response Expenses
Managers’ fees: £5,000
Notification to affected individuals: £3,000
ID theft monitoring services for affected individuals: £13,000
Legal consultation fees: £10,000
The overall cost of a simple human error was £186,000.
Scenario 2: Ransomware Attack
An employee of a manufacturer clicked on a malicious link in an email, which caused malware to be downloaded onto the company server, encrypting all of the information. A message was then received demanding £10,000 in Bitcoin within 48 hours.
Outcome under Network Security Liability cover and Cyber Extortion
Cyber extortion costs – IT consultant fees to assess back up options: £14,000
Incident Response Expenses
Forensic investigation to locate malware, its impact & containment: £18,000
Legal consultation fees: £7,000
Incident response manager fees: £6,000
Data asset loss – replacing lost/corrupted data: £15,000
The overall cost was £60,000, more than the demand, but ransom payments are discouraged by law enforcement agencies, and paying still leaves weaknesses within the company for future occurrences.
Scenario 3: Media – Disparagement via Email
An employee sent an internal email containing negative comments about a service provider. This was forwarded and eventually found its way outside the business and, ultimately, to the service provider. A lawsuit was then brought against the company for damaging the service provider’s reputation.
Outcome under Media Liability
Defence and settlement costs for claims from third party: £150,000
Incident Response Expenses
Crisis communication services: £12,000
PR relations for reducing reputational impact: £16,000
Incident response manager fees: £3,000
The overall costs were £181,000 for an internal email with negative comments.