Understanding Cyber Crime & Data Loss Risks

Transcription

1 Understanding Cyber Crime & Data Loss Risks

2 Contents Understanding Cyber Crime and Cyber Risks 2 Easy Targets 3 Cyber & Data Risk Insurance 5 Why Specialist Cyber Liability & Data Loss Insurance is Needed 7 Assessing & Managing Your Risks 9 Your Next Step 11 Appendix 12

3 This guide will help you identify and understand the risks, detail why traditional insurance doesn t adequately protect your business, outline the costs involved in rectifying a loss and explain why the purchase of cyber insurance should now be a high priority for your company. If you ever thought Cyber Crime was just something large corporations had to worry about think again. The 2015 Information Security Breaches Survey, carried out for the HM Government by PwC in association with Infosecurity Europe, revealed that there had been a continued increase in security breaches with large organisations increasing from 81% in 2014 to 90% for 2015 and small businesses seeing a dramatic jump from 60% to 74% reporting having experienced a data breach. The report also highlighted the importance of raising staff awareness with three quarters of large businesses suffering a staffrelated security breach and nearly a third of small businesses having similar, up from 22% in Whilst the survey is only based on a breach and did not necessarily result in any loss, it shows the potential for any business in the UK to become a victim of a Cyber Crime or data loss at any time. Where losses did occur statistics show the total cost of a cyber or data loss is now estimated to be between 75k to 311k for a small business and 1.46m to 3.14m for larger companies. This level of loss is likely to have an adverse financial effect on the business performance and in severe cases may result in failure of the business. Simon Hoare Director Later in this guide we will show you how the costs can quickly mount up, even for the small business owner. The need for heightened awareness of the risks and adequate physical and financial protection has therefore never been greater. It s a case of when there is a data breach not if. Cooke & Mason plc Page 1

4 Understanding Cyber Crime and Cyber Risks The term Cyber Crime can be a little misleading in that it is often associated mainly with the hacking of computer systems. Where in reality not only can it be such an attack, but equally it could be the theft of a laptop or smartphone on which sensitive data is stored, or simply the loss of or access to data from your IT systems. It also does not need to involve a crime. We will therefore refer to these as Cyber Risks. There are two main forms of Cyber Risk; the malicious attack or accidental loss of data, some of which are outlined here. Malicious Attacks These can take various forms including: Infection of your system from malware (malicious code or software) including viruses, worms & trojans (see Appendix for more details). Direct Hacking this can be from identifying and exploiting weaknesses in the security of your systems, via brute force attacks or just tricking employees to divulge access information to your systems. (see Appendix for more details) Denial of Service attacks (DoS) also Distributed Denial of Service (DDoS), where your systems i.e. website server is bombarded with a continuous stream of data which prevents genuine users accessing it, or even knocks out your systems altogether. In a Distributed Denial of Service the culprits also make use of other computers that have previously been infected with malware, to all bombard the target system with data at the same time. Usually the payment of a ransom will be sought to cease the attack. Figures from the Prolexic quarterly monitor reports show that globally Distributed Denial of Service attacks are on the increase with a rise of 22% in the 2nd quarter of 2014 compared to It is also estimated that there are in the region of 7,000 Distributed Denial of Service attacks launched on businesses and organisations every day. Accidental/Negligent Loss or Misuse of Data This can occur in a variety of different ways including: Theft or accidental loss of your computer(s) or other devices used to store your data. Theft or accidental loss of storage devices, discs or cards used to store data i.e. DVD, USB Sticks, SD cards etc. Loss of or inappropriate disposal of paper records containing personal data (see example on page 5). Accidental or inappropriate transmission of data i.e. ing/sending personal data to the wrong people. Accidental or inappropriate publishing of personal or sensitive data into the public domain. In April 2014 it was reported that Renfrewshire Council accidentally sent a spreadsheet with an to 5,354 landlords, containing the names, addresses and details of all the other landlords on the list. Some of these addresses would have enabled others to identify the employers of a proportion of those landlords and, in some cases, may have been of a sensitive nature. 50% of the worst breaches in 2015 were caused by inadvertent human error. p Up 31% from the year before Page 2

5 Easy Targets Unfortunately, with larger companies usually having access to greater resources and budgets, it is the small and medium size companies that are increasingly becoming the easier targets for criminals seeking to exploit weaknesses in Cyber Risk defences. These increasingly frequent attacks, although tending to be on the lower end of the financial scale, often involve some form of blocking or restriction of access to your systems. Many involve the threat of significant damage, theft or total wiping of data, which has the potential to put many small and mid-sized companies out of business. This guide aims to provide you with the information and advice to help reduce your exposure to Cyber Crime and data loss as well as understand the financial protection that is available to you. Real Examples of Cyber Risk Crimes and Losses The following examples will hopefully highlight the fact that no business is immune from the impact of Cyber Risks. Change of Bank Details Potential loss of 40,000 A company computer system was hacked into, providing access to the system. s were then sent to suppliers advising of a change of bank details to the hacker s account. For all intent and purpose the recipients would see a genuine from a trusted individual within the client organisation and not necessarily question it, until it was too late. Fortunately, on this occasion the recipient of the had the presence of mind to contact the customer to double check the details, just prior to making a payment of 40,000 to them. The police were informed and further enquiries instigated. Theft of Laptop From Occupied Vehicle Fine of 5,000 (reduced from 70,000) The owner of a transport company was the victim of a theft from the vehicle in which he was stationary at a junction. The thief simply reached through an open window and made off with the owner s briefcase. Unfortunately, the briefcase contained a harddrive with the personal details of 250 clients, including dates of birth and passport numbers. Although the hard-drive was password protected the actual data was not encrypted in anyway. The loss was voluntarily reported to the Information Commissioner s Office (ICO) who considered that the company had failed to take the appropriate measures to protect the data and that the people about whom the information was stored, could potentially suffer substantial distress from this data now being in the hands of unknown person(s). The company were fined 5,000, which was actually reduced from 70,000 on the basis the company had voluntarily notified the Information Commissioner s Office of the incident. Page 3

6 Bakery Business Loses 20,000 in Malware Attack A bakery firm was the victim of a 20,000 loss through malware that was unintentionally installed on a company computer by a member of staff. The staff member had clicked on a link in a fraudulent that looked like it came from their regular bank. On clicking on the link the malware was installed on the computer which then gave the hackers the immediate ability to access to the company bank account, resulting in a loss to the company of 20,000. Wirral Manufacturer Victim of 100,000 Malware Attack A Wirral based manufacturer was targeted by a scam which meant that a malware programme opened up a fake version of the company s online banking system. When the company s financial controller logged into what she thought was the usual online system she was told to enter her Smartcard PIN. Having entered it once, a message came up to say she had entered it incorrectly and requested it again. Within three minutes, two transactions had been made - $30,000 to an account in Ukraine and another 100,000 to an account in Cyprus (equivalent to about 100,000 in total). The company finally managed to argue the case with their bank that they had been victim of cyber fraud, but it took them four months to get the money back into their account. Estate Agent Outed by Information Commissioner s Office for Potential Customer ID Theft from Exposed Paperwork It is not just viruses, hacking and malicious attacks that businesses should be mindful of. The Information Commissioner s Office served a London estate agent with a commitment order which was made public after it was found the company had continually left paperwork containing customer data exposed to others outside of their offices. The paperwork in question had been left in transparent plastic bags outside their premises awaiting collection for disposal on repeated occasions over a 3 month period. Despite being previously warned about the breach it was found staff were still doing the same thing in the following March. The paperwork included copies of customer passports and previous tax payments. This would easily allow someone in the know to be able to commit identify theft from the information that was exposed. The estate agents were publicly named and shamed by the Information Commissioner s Office, which in turn was shared by others through social media channels, with the potential for significant impact on their business. 39 % 27 % of large organisations of small businesses have insurance that would cover them in the event of a breach Page 4

7 Cyber & Data Risk Insurance The first cyber insurance policies were introduced to the insurance market over 10 years ago. These were in response to exposures that were not covered by a traditional computer policy. Computer policies mainly covered physical loss of data as a result of systems failures and it was gradually becoming apparent there were more sinister losses being suffered which needed their own form of cover. Skip forward to today. With technology, the internet and social media forming an integral part of our daily lives and business, cyber insurance is now becoming as much an essential for businesses as those covers for your property, motor risks and other traditional liabilities. Typical Cyber & Data Loss Risks The insurance requirements for Cyber Risks are separated into two distinct types; firstly the loss or damage you incur and secondly the losses others incur as well as any breaches of data regulations. Loss or Damage You Suffer These include what you would recognise as our traditional risk i.e. physical loss of or damage to your systems such as fire, flood, theft etc. Some of the more recent types of risk such as Denial of Service attacks and viral extortion would also be classed as loss or damage you suffer. The costs for such losses can easily mount up, as they do not just include an amount for a physical loss. When thinking about your insurance requirements you should also consider some of the following potential costs: Data recovery The process of restoring damaged or lost data. Forensic data investigation This is something you may need to identify how the loss occurred and the weakness(es) in your systems that allowed it to happen. It may also be needed to establish the full extent of the loss, i.e. experts will be able to take a detailed look at logs and other information on or connected to your systems that will identify fully what data has been lost, over what period and by which methods. Hardware and network replacement If your network has been compromised or damaged in any way you may need to replace it with more reliable systems, which could incur a significant cost. Business interruption and loss of profits - Your standard business interruption policy is unlikely to respond to a distributed Denial of Service attack. Crisis management or public relations support The last thing you want is for your customers to find out about a loss through the media or, if and when the media do get wind of it, not to be prepared. You are therefore likely to incur costs for professionals in crisis management and PR to assist you. Data subject notification In the event of the loss of personal data such as names, addresses, dates of birth and passwords the Information Commissioner s Office may require you to write to each affected individual to inform them of the loss and to provide appropriate advice. Credit/identity theft monitoring for those whose data has been lost or exposed You may be required to purchase an ongoing service for each affected person that will monitor their credit rating and other sources, for activity involving their identity, in an attempt to spot any unexpected or unusual activity and alert them to a possible misuse of their personal information. It is unlikely that as a business you will have the expertise or resources within your organisation to respond quickly to a cyber incident and therefore you will want to rely on expert third party resources, which will need to be paid for, either directly or supplied as a result of inclusion within your cyber insurance. Page 5

8 Losses to Others & Regulatory Data Breaches These types of risks include: Liability for your network security Enabling of malware to travel through your network into other people s or organisations systems or the hijacking of your network for use in Distributed Denial of Service or similar attacks on other people s computers or systems. Loss of, accidental or negligent transmission of general or sensitive personal data breaching Data Protection regulations. Extortion including ransom demands related to threat of revealing sensitive data or threat of Denial of Service/Distributed Denial of Service attacks, etc. Regulatory costs The Information Commissioner s Office has the power to impose fines of up to 500,000 for a breach of regulations. It is generally the case that fines cannot be covered by insurance (since it reduces their impact as a punishment) but in some circumstances there can be cover for civil penalties. It is a complex area but a good cyber liability policy will provide cover where this is permitted by law. It should be noted that the European Commission plans to regulate data protection within the European Union with a single law, the General Data Protection Regulation. Whilst following the 2016 EU Referendum the impact of this on the UK may change it is worth being aware that it contains tough penalties of up to 4% of annual global revenue or 20M, whichever is greater. Defence costs Should an investigation by the Information Commissioner s Office result in a formal prosecution case you are likely to incur further considerable expense in defending the case through the courts. There is also a potential for the receipt of compensation claims to be considered for breach of privacy. With the recent high profile phone hacking case, the public are much more alert to what a breach of their privacy entails. If your business is found to have committed a regulatory data breach you may find yourself on the other end of either a significant number of actions or a class action claim for compensation as a result. You only need to imagine it happening to you, as a private individual, to realise the potential for such actions. Telecoms company TalkTalk has been issued with a record 400,000 fine by the ICO for security failings that allowed a cyber attacker to access customer data with ease. The ICO has fined a historical society after a laptop containing sensitive personal data was stolen whilst a member of staff was working away from the office. The laptop, which wasn t encrypted, contained the details of people who had donated artefacts to the society. An ICO investigation found the organisation had no policies or procedures around homeworking, encryption and mobile devices which resulted in a breach of data protection law. Page 6

9 Why Specialist Cyber Liability & Data Loss Insurance is Needed You may believe that many of these risks would be covered by your existing Public Liability (PL), Business Interruption (BI) or Directors & Officers (D&O) insurance covers. Unfortunately this is simply not the case. Whilst some of the risks, such as regulatory breaches, could arguably be covered under a wide worded Management Liability Policy (a more extensive form of Directors & Officers cover), many simply would not provide a significant enough level of cover. Public Liability In a nutshell, the basis of your public liability insurance is the provision of cover in the event of BODILY INJURY or PROPERTY DAMAGE as a result of the actions of your business. Taking the bodily injury element first, you should immediately recognise that it would be an absolutely exceptional case for any form of bodily injury to occur, outside of emotional distress, as a result of data being stolen or lost from your company. The person whose data has been lost or stolen may claim to have suffered damage to their reputation or feel vulnerable to ID theft or have been inconvenienced but, as these are not physical bodily injuries,they would not be covered. The next important thing to understand is that data, not having a tangible form, is not legally defined as PROPERTY under English law. Therefore the element of a public liability policy which would provide cover for damage to someone else s property will not apply in the case of loss of or damage to data as it is not legally classed as property. Take the example of the supermarket Morrisons who, in 2014, it was reported lost a copy of all their employees personal data, including details of their bank accounts and other information that would make them personably identifiable. Although it would have undoubtedly caused some of the employees to have sleepless nights, in the knowledge that a copy of their personal information had got into the hands of an outsider, none of them had suffered any kind of actual physical bodily injury. Thus the Morrisons public liability policy would not provide any cover. Business Interruption For a claim to be made on a traditional business interruption policy there has to be some form of material damage that triggers the claim i.e. fire, impact, theft. There will as a result be damage to material property. Unfortunately, as data does not have any physical material substance, a business interruption policy may not provide cover. An additional consideration is that when data is stolen it is frequently the case that only a copy is taken. Property damage insurance struggles with the concept that something has been stolen from you when you still have it! Although it is possible to include extensions under your business interruption policy such as breakdown cover, in many cases the technology storing data that is subject to attack i.e. a Denial of Service or Distributed Denial of Service attack, whilst it may stop working to full capacity for a period, it will not be seen to have broken down and thus not be eligible for a claim under such an extension. Theft of data, does not usually fit the traditional definition given to theft as the data is usually only copied and also traditionally theft relies on persons entering your premises and removing your property. In the cyber world the criminal does not have to physically enter your premises and can be operating from anywhere in the world. This also means there is a vastly increased risk as more people either turn to this type of crime or existing criminals learn and get even more sophisticated. Page 7

10 Best Practice - Incident Management Costs A cyber liability policy will provide cover for legal defence costs, damages awarded to third parties and, in certain circumstances, some insurers will offer cover for payment of civil fines, where this is permitted by law. In addition, it will pay your own reasonable costs in managing the consequences of a loss of the data. For example, writing to your customers and/or providing access to a credit check facility that may highlight the consequences of an identity fraud resulting from the loss of personal data. In these circumstances the cover under a Directors & Officers policy will be limited to defence costs of an individual director or officer for personal wrong-doing and civil damages awarded against that director. Whilst some Directors & Officers policies have an extension of cover to insure the legal entity (the business) such extensions tend to limit cover to employment disputes (such as unfair dismissal) and/or regulatory actions and investigations that arise from some form of breach of health and safety legislation. Where there is wider cover provided for the entity it is limited to legal defence costs and damages, often from a defined list of events, which may or may not include a data breach. Even when this cover is provided such policies routinely limit cover to defence costs and awards. Therefore, using the previous example of Morrisons, the cost of writing to thousands of employees, of answering their questions and purchasing credit checks for the same will not be insured without a suitable cyber liability policy. A large educational organisation in the south east of England suffered the potential loss of unprotected IP as a result of a successful spear-phishing attack by international attackers. It took more than a month to restore business operations back to normal. Although overall this had a minor impact on business operations, the cost to investigate and resolve the incident made it the organisation s worst breach of the year. The organisation was made aware of this breach by a government organisation Source: 2015 INFORMATION SECURITY BREACHES SURVEY conducted by PWC for HM Government (ISBS 2015) of the worst security 28 % breaches were caused partly by senior management giving insufficent priority on security - ISBS 2015 security policy was poorly understood had staff of companies where the 72 % related breaches - ISBS 2015 p up from 7% a year ago Page 8

11 Assessing & Managing Your Risks As part of your overall protection against Cyber Risks, including the purchase of adequate protection you should also seek to assess and mitigate the risks you are exposed to. Some things to consider include: Do you have a documented internet, data and IT security policy for your employees? Do you have a policy on how your employees are allowed to use social media? Do you have a privacy policy in place to which employees must comply when handling customer information, especially that of a sensitive nature? Do you have a plan in place for keeping your business secure from malware or hacking? Have you got a plan in place and access to suitable resources to assist you in the event of a Distributed Denial of Service attack? Do you provide training on the risks and preventative measures for employees? Would all relevant staff be able to spot a malicious phishing ? Do you allow the use of USB and other media storage devices in your business? When disposing of IT equipment do you ensure they are completely wiped of data beforehand? In terms of high level risk management assessment as a minimum you should be assessing your business in the following areas: What information do you collect? How sensitive is it? How do you store and also remove the information? Who has access to the information, when and how? How do you protect your data? What steps are you taking to secure your computers, network, etc? Again, if you do not have the resource or expertise within your business it is recommended to get someone who does. Page 9

12 The Value of Data Whilst many companies and organisations view data they hold as not having any real financial value, in the criminal world most personal data has some value. Figures show that the purchase cost of a valid credit card account number, with the 3 digit security code from the back, could fetch in the region of $5 in Russia and up to $135 in Brazil A gold card with full account data costs those with criminal intent in the region 18 without the actual card or a staggering 150 per number with a counterfeit card. Even without a counterfeit card 10,000 customer records could be worth up to 1.5M to someone! This may give you some idea of the value of information to those who sell it on for misuse and some insight into how hard they will try to obtain it. Whilst the data taken during a cyber attack may not be viewed as having a great degree of financial value businesses can sometimes fail to take in to account the good will gap, this is the value placed on the customer who has let you store this information about them, the loss of their good will can have a dramatic financial inpact on a business. Page 10

13 Your Next Step If you are now considering getting a quote for your own Cyber Risks we would recommend you speak with a broker who can work with you to identify and understand the risks you face. They can then take this information to the market and speak with underwriters who can provide the best range of protection to meet your particular risk profile and budgets. We hope you have found this guide both informative and useful in helping to understand the need and benefits of Cyber Risk insurance. These risks are not likely to reduce or disappear any time soon. Indeed, they are more likely to continue to increase over the next few years. You therefore need to ensure not only have you identified the particular risks your business faces but also the protections you can immediately put in place to protect your data, systems, business and ultimately livelihood of you and your employees. Contacting Cooke & Mason If you would like to discuss your Cyber Risks with one of our insurance specialists or request a quote for Cyber Risks Insurance simply call or cyber@cookeandmason.com. If you are reading this publication online you can also enquire using the following link: Enquire about Cyber Risks Insurance Acknowledgements DACBeachcroft - The Cyber Risk insurance market: an area of growth & structuring a Cyber Programme - Presentation (Kenneth McKenzie, Partner Global Group) RGL Forensics - Business Interruption Resulting from cyber risks - presentation March 2014 Zurich Insurance - Understanding the impact of cyber and information risk Information Commissioners Office AIG Europe Limited Barbican Insurance Group Department for Business Innovation & Skills 2013 Information Security Breaches Survey Prolexic Quarterly Monitor Reports - 2nd Quarter 2014 UK Neustar Distributed Denial of Service Attack Report HM Government 2015 Information Security Breaches Survey Page 11

14 Appendix Types of Malicious Attacks Malware Including Viruses, Worms & Trojans A computer virus is a type of malware that inserts a copy of itself into and becomes part of another program. It spreads from one computer to another, leaving infections as it travels. Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until you run or open the host file or program. The most common forms of executable file types you are likely to come across are.exe or.bat. In some instances a payment will be sought by the perpetrators in exchange for removal of the virus, which may or may not happen. A worm is a form of malware that has the ability to replicate and pass through networks and install itself on other machines on that network. Whilst worms do not directly do much damage to your systems some have the ability to pull in additional viruses or forms of malware that can directly read, change and damage your files and systems. A trojan, whilst not generally being able to replicate itself, is a type of malware program containing code that, when executed, typically carries out actions on your device or systems that cause loss or theft of data as well as possible system harm. A trojan often acts as a backdoor to your systems and data by contacting the controller of the trojan and giving them unauthorised access to your affected computer. Ransomware is a malicious software attack that prevents access to either data or systems until a sum of money is paid to the perpetrator. Page 12

15 Direct Attacks Vulnerability and Port Scanners - tools that check computers on your network for known weaknesses or to see which ports on a specified computer are open or available to access the computer. Brute Force Attack - bombarding your system with a rapid and continual stream of user and password data in the hope one or more of the combinations will be correct. Packet Sniffer - is an application that captures what are known as packets of data in transit over the network and which may contain passwords and user details. Social Engineering Attacks These include Phishing, Spear phishing, Whaling and Scareware This is where someone will attempt to obtain information or get an individual to carry out an action relying heavily on human interaction. This is typically achieved by sending an or making a telephone call and pretending to be a trustworthy entity, for example, another member of the organisation, a supplier or their bank. Examples can be where a member of an accounts department will receive an appearing to come from the CEO reporting that they are having difficulty transferring funds between accounts from their computer, they will request that the member of the accounts team complete this action as soon as possible by transferring a certain figure to a certain account as it is preventing a vital operation. Another Social Engineering example would be when someone contacts a member of staff reporting to be from the IT team following a report from the MD that the user s PC has been sending s to them and there is a concern the user may be infected by a virus. The member of staff may then be asked to allow the IT team to connect to their PC or to click on a link to install the latest anti-virus software that the IT Team will now send them giving the individual perpetrating the attack access to their machine or installing malicious software. Page 13

16 About Cooke & Mason Cooke & Mason are one of the UK s leading Chartered Insurance Brokers, ranked in the country s top 75 and employing over 120 insurance, claims and risk management specialists along with customer service and support staff. Passionate about what we do, and proudly independent, we have a unique approach which is uncompromisingly focused on supporting and protecting our clients. Underlining our commitment to providing the best possible advice, service and support Cooke & Mason are proud to have been awarded the prestigious Chartered Insurance Brokers designation by the Chartered Insurance Institute (CII), the world s largest Professional body dedicated to the insurance and financial services sector. Cooke&Masonplc Rossington s Business Park West Carr Road Retford Nottinghamshire DN22 7SW Tel: cyber@cookeandmason.com Cooke & Mason plc are authorised and regulated by the Financial Conduct Authority (FCA). FCA Registered No Registered in England No VAT No Calls may be recorded Cooke & Mason plc All Rights Reserved