A guide to understanding Cyber Crime

Cyber-crime is now the world’s fastest growing category of organised crime and is believed to be worth more than the illegal drugs trade. In the UK alone, cyber-crime is estimated to cost the economy £27 billion a year, according to recent research conducted by the University of Cambridge.

Organisations face a growing number of cyber risks.  Even when adequate security measures are believed to have been taken, it is often not enough to protect from high-profile attacks, as recent high profile victims of hacking and cyber-attacks have shown.

Phishing emails reported in August 2011 to the HMRC rose by nearly 300% for that month alone. The malicious practice involves genuine-looking emails being sent advising taxpayers they are due a tax refund. Those who reply are directed to a fake website, which collects their personal details for fraudulent use.

Google, Facebook, Twitter and PayPal have all been the victims of hackers in recent years, but the highly-publicised Sony PlayStation Network and Qriocity data breach in April 2011 is reportedly one of the largest data thefts in history.

The catastrophic theft of 77 million customers’ accounts – said to include credit card details from UK customers – caught the attention of regulatory and supervisory bodies around the world.  The estimated financial loss to Sony was US$171m – not including the lawsuits that the company defended as a result of class actions being filed by affected customers.

Cyber security issues are not just a concern for large organisations – statistics show that 40% of attacks are directed at firms with fewer than 500 employees.  In a climate of cyber-crime and its costly consequences, it is vital that every organisation understands its exposures.

For examples, companies carrying out processes such as trading, purchasing or managing suppliers online should be concerned by threats to their online connection, while those housing significant client records or employee data will need to manage the risk of inadvertent disclosure of data.

Changes to EU law are set to be introduced to make it harder for organisations to remain silent about data breaches in future.  Once introduced, new EU-wide data privacy legislation will bring punitive measures for firms mishandling data, forcing companies to inform their clients of any data breach, regardless of scale.

In order to protect against a data breach, security software and firewalls should be in place, along with policies and procedures concerning disaster recovery and the protection of data.  Speed and experience being crucial factors, assistance may be needed from the likes of lawyers, IT experts, a PR team, notification networks and credit monitoring services.

Insurance protection should also be considered to truly mitigate the risks, though traditional policies can leave room in the coverage for cyber risks. As an example, business interruption insurance is generally only triggered if there is physical damage and crime policies also largely cover tangible property only. In comparison, cyber risks are largely intangible – caused by human error, or the result of malicious attacks and crimes.

Additionally, general liability policies are intended to cover bodily injury and property damage and do not cover economic loss or professional services, while coverage may not exist for third party losses due to computer viruses or unauthorised access to confidential information.

Lastly, many insurance policies involve geographical limitations, which do not include the internet.

Therefore, for comprehensive coverage, a tailored cyber-risks insurance policy is necessary. Policy wordings may vary, but the key insurers will protect against the following risks:

First Party cover – your own losses:

  1. Costs incurred in connection with the loss of, or inability to access data; the corruption of data as a result of a network security breach; unauthorised use of the computer system; computer virus; human error; accidental damage or destruction of data media. Cover would include the costs of restoration of such data.
  2. Business income and extra expense cover, which helps a company to survive the impact of loss of business income through a failure in the computer systems.
  3. Crisis management and notification costs, with coverage including the cost of hiring expert assistance to mitigate the effect of the incident – plus the costs of notifying relevant parties in the event of a data breach.
  4. Cyber extortion costs – mitigation costs as well as any extortion demand itself.

Third Party Cover – claims against you, including costs liable to pay to others as a result of storing or using data, or trading electronically:

  1. Disparagement, plagiarism and infringement – a company may become inadvertently liable to pay damages or incur costs where it is accused of activities perpetrated through the use of its computer systems and websites
  2. Liabilities arising from breach of privacy or confidentiality.
  3. Transmission of a virus to a third party and as a result triggering a claim for damages.
  4. Denial of service – companies that rely on your computer systems for the continuance of their business can be severely affected should they be unable to access your computer system through a failure or denial of service attack.

Hettle Andrews can help you defend against the effects of cyber-crime with bespoke policies tailored to individual needs. Should you wish to discuss your requirements for Cyber Insurance please contact your designated Account Executive for further guidance.