A cyber insurance policy has important role to play for any company using third-party providers for storing data in the Cloud.
The news in 2021 has been littered with stories about serious cyber attacks on New Zealand businesses. Company networks are being compromised with frightening regularity.
What typically happens is that staff are locked out of their own systems, with cyber criminals then holding return access to ransom, for a hefty price. These cyber criminals are exploiting the value of your 'data', wherever it is stored.
The Insurely team have spoken with many of our clients about how confident they are in the security of their data. We often hear something like - "We are fine, because our data is held in the cloud". This is common way for business owners to think; the cloud does promise superior security protocols, compared to storing data on physical servers locally. However, as is often the case when it comes to digital security, there’s quite a bit more to consider.
This article looks at what business owners should be aware of and also where cyber insurance fits in.
1. The Human Element
a) Your cloud services provider might have solid protection in place, but what happens if your staff are tricked or coerced into providing access through their computer, i.e. Phishing attacks? All it takes is for a staff member to click on a harmful link or attachment and your data could be compromised, even if it’s stored in the cloud.
b) A common cyber attack involves staff members who are manipulated into transferring funds to third parties (hackers). Cyber criminals are skilled at posing as legitimate customers and suppliers, making it even more difficult for staff to spot the danger.
This is sometimes referred to as social engineering cover and is not always provided automatically by insurers. You should always make sure your cyber policy includes this protection.
2. Who Is Responsible For The Data?
The responsibility for keeping your customers’ data safe rests with your organisation, irrespective of where it's stored. If customer data is compromised or lost, firms can be exposed to private legal action and/or breaches in regulations. The Privacy Act 2020 is now in force in NZ, which includes compulsory data breach notification requirements.
Notification Costs can stack up quickly. These expenses include the costs associated with notifying every consumer that their data may have been compromised in a data breach. A cyber policy would typically cover these costs.
3. Account Hijacking
As phishing attempts become more effective and targeted, the risk of an attacker gaining access to highly privileged accounts is significant. Phishing is not the only way an attacker can gain credentials; they can also acquire information by compromising the cloud service itself or stealing them through other means.
Once an attacker can enter the system using a legitimate account, they can cause a great deal of disruption, including theft or destruction of important data, halting service delivery, or financial fraud.
4. Who do you call when your network is breached? - Incident Response
One of the key strengths of a strong cyber policy is how it can help you deal with the fallout of a breach of your network. Consider this question – who would you call if you discovered that you had been hacked? When you have good cyber cover in place, you also get emergency assistance to help you deal with any breach of your systems.
Experts are on hand 24 hours a day to walk you through the process to mitigate the damage and advise what you need to do next. This can incorporate IT forensic support, legal support, PR costs and forensic expenses to investigate, isolate and eliminate the threat.
5. Public Relation expenses
If the worst does happen and your data is compromised via a hack into a third-party provider, you’ll probably need to consider reputational damage and what this means for your brand. Cyber cover can help with advice and costs associated with rebuilding trust with your clients, to ensure damage is kept to a minimum.
6. Hackers can’t get through cloud security, can they?
Even with the best security, no online service claims to be 100% protected from hackers. Earlier in 2021, flaws were exploited in Microsoft’s Exchange Server, leading to data of 30,000 companies being compromised. Microsoft, of all companies!
You will find that most large cloud storage parties will contract out of any responsibility in this regard. Again, cyber insurance can help cover these costs and manage the defence process and costs.
7. Business Interruption
Regardless of where your data is stored, a major breach of your network can result in significant downtime for your organisation. A good cyber policy will include data stored in the cloud as part of your network.
Strong cyber policies will provide coverage for costs incurred due to business interruption as a result of a cyber event, such as an inability to provide services for a period of time, when you’re unable to access your systems or data due to a ransomware attack.
8. Who pays for your legal costs if you have to defend yourself?
A customer or other third-party may bring a lawsuit against your organisation as a result of a data breach. This may be an allegation of negligent security failures or weaknesses that enable malware to spread, denial of service attacks, unintended disclosure and release or loss of third-party data. A cyber policy will typically include defence and settlement costs.
9. Contractual
Third-parties are increasingly making cyber insurance a contractual requirement. Make sure you are meeting these requirements when entering into contracts with all third-parties to ensure you aren't in breach of the agreement.
10. Ransomware and Extortion Demands
How would a cyber policy respond to ransomware and extortion attempts by hackers, if data is held in the cloud? Irrespective of where your data is stored, a cyber criminal can demand a ransom from any party affected. A cyber policy can provide forensic IT expertise and support to negotiate ransom demands and manage this process on your behalf, if this is the only option available.
Summary - Get your Cyber Policy In Place
Cyber insurance provides the ultimate safety net, should your operation experience a data breach. It transfers some of your risks to your insurance provider. However, cyber insurance is still a passive defence. It should always complement a strong cyber security risk-management approach.
Talk with one of the Insurely team about your insurance risks. We combine market-leading insurance broking and risk management advice with a personalised service, built on integrity and trust. Get in touch with us via our website, LinkedIn or Facebook.