Provided by Hayes Parsons Risk
The content of this Cover Overview is of general interest and is not intended to apply to specific circumstances. It does not purport to be a
comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and
not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law
may have changed since first publication and the reader is cautioned accordingly. © 2011-2013 Zywave, Inc. All rights reserved.
Cyber Liability Insurance
As technology becomes increasingly important for
successful business operations, the value of a strong
Cyber Liability Insurance policy will only continue to
grow. The continued rise in the amount of information
stored and transferred electronically has resulted in a
remarkable increase in the potential exposures facing
businesses. Regulations, such as the Data Protection
Act, must also be considered, because a loss of sensitive
personal information may subject you to fines and
sanctions from the Information Commissioner. In an
age where a stolen laptop or hacked account can
instantly compromise the personal data of thousands
of customers or an ill-advised post on a social media
site can be read by hundreds in a matter of minutes,
protecting yourself from cyber liabilities is just as
important as some of the more traditional exposures
businesses account for in their general commercial
liability policies.
Why Cyber Liability Insurance?
A traditional commercial insurance policy is extremely
unlikely to protect against most cyber exposures.
Standard commercial policies are written to insure
against injury or physical loss and will do little, if
anything, to shield you from electronic damages and
the associated costs they may incur. Exposures are
vast, ranging from the content you put on your website
to stored customer data. Awareness of the potential
cyber exposures your company faces is essential to
managing risk through proper cover.
Possible exposures covered by a typical cyber policy
may include:
Data breaches – Increased online consumer spending
has placed more responsibility on companies to
protect clients’ personal information.
Business/Network Interruption – If your primary
business operations require the use of computer
systems, a disaster that cripples your ability to transmit
data could cause you, or a third party that depends on
your services, to lose potential revenue. From a server
failure to a data breach, such an incident can affect
your day-to-day operations. Time and resources that
normally would have gone elsewhere will need to be
directed towards the problem, which could result in
further losses. This is especially important as denial of
service attacks by hackers have been on the rise. Such
attacks block access to certain websites by either
rerouting traffic to a different site or overloading an
organisation's server.
Intellectual property rights – Your company’s online
presence, whether it be through a corporate website,
blogs or social media, opens you up to some of the
same exposures faced by publishers. This can include
libel, copyright or trademark infringement and
defamation, among other things.
Damages to a third-party system – If an email sent
from your server has a virus that crashes the system of
a customer or the software your company distributes
fails, resulting in a loss for a third party, you could be
held liable for the damages.
System Failure – A natural disaster, malicious activity
or fire could all cause physical damages that could
result in data or code loss.
Cyber Extortion – Hackers can hijack websites,
networks and stored data, denying access to you or
your customers. They often demand money to restore
your systems to working order. This can cause a
temporary loss of revenue plus generate costs
associated with paying the hacker’s demands or
rebuilding if damage is done.
Cyber Liability Insurance is specifically designed to
address the risks that come with using modern
technology; risks that other types of business liability
cover simply won’t. The level of cover your business
needs is based on your individual operations and can
vary depending on your range of exposure. It is
extremely important to work with a broker that can
identify your areas of risk so a policy can be tailored to
fit your unique situation.
Hayes Parsons Risk: Your Cover Expert
As reliance on technology continues to increase, new
exposures continue to emerge. As your business grows,
make sure your cyber liability cover grows with it.
Hayes Parsons Risk is here to help you analyse your
needs and make the right cover decisions to protect
your operations from unnecessary risk. Contact us
today at 0117 929 9381.
This Cyber Risks & Liabilities document is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact a legal or insurance professional for
appropriate advice. © 2012 Zywave, Inc. All rights reserved.
Cyber Security Tips for Small Businesses
High-profile cyber-attacks on companies such as Sony
have raised awareness of the growing threat of cyber
crime. Recent surveys conducted by Symantec and
other cyber-security organisations suggest that many
small business owners are still operating under a false
sense of security.
The statistics of these studies are grim: The vast
majority of small businesses lack a formal Internet
security policy for employees, and only about half have
even rudimentary cyber security measures in place.
Furthermore, only about a quarter of small business
owners have had an outside party test their computer
systems to ensure they are hacker proof, and nearly
40 per cent do not have their data backed up in more
than one location.
Don’t Equate Small with Safe
Despite significant cyber security exposures, 85 per
cent of small business owners believe their company is
safe from hackers, viruses, malware and data
breaches. This disconnect is largely due to the
widespread, albeit mistaken, belief that small
businesses are unlikely targets for cyber attacks. In
reality, data thieves are simply looking for the path of
least resistance. Symantec’s study found that 40 per
cent of attacks are against organisations with fewer
than 500 employees.
Where is the Attack Coming From?
Outside sources like hackers aren’t the only way your
company can be attacked—often, smaller companies
have a family-like atmosphere and put too much trust
in their employees. This can lead to complacency,
which is exactly what a disgruntled or recently sacked
employee needs to execute an attack on the business.
Other attacks could come from failures in technology
and processes.
According to the 2013 Information Security Breaches
Survey released by the Department for Business,
Innovation and Skills (BIS), 65 per cent of small
businesses were attacked by an unauthorised outsider
in the past year. The survey also found that nearly 50
per cent of the worst breaches were caused by
inadvertent human error.
Attacks Could Destroy Your Business
As large companies continue to get serious about data
security, small businesses are becoming increasingly
attractive targets—and the results are often
devastating for small business owners.
The cost of an individual security breach can vary,
depending on the type of data compromised and the
amount of data taken. However, cyber attacks can cost
hundreds of thousands of pounds, and most small
businesses don’t have that kind of money lying around.
Businesses are required to keep personal and
sensitive data safe in order to comply with the Data
Protection Act, and violations of the Act can result in
substantial sanctions from the Information
Commissioner. However, many businesses continue to
put off making necessary improvements to their cyber
security protocols until it is too late because they fear
the costs of security would be prohibitive.
10 Ways to Prevent Cyber Attacks
The BIS survey found that 83 per cent of small
businesses believe security is a high priority, but that
many find it difficult to keep up with the constantly
changing risks and to know what actions to take to
mitigate those risks. Even if you don’t currently have
the resources to bring in an outside expert to test your
computer systems and make security
recommendations, there are simple, economical steps
you can take to reduce your risk of falling victim to a
costly cyber attack.
1. Train employees in cyber security principles.
2. Install, use and regularly update antivirus and
antispyware software on every computer used in
your business.
3. Use a firewall for your Internet connection.
4. Download and install software updates for your
operating systems and applications as they
become available.
5. Make back-up copies of important business data
and information.
6. Control physical access to your computers and
network components.
7. Secure your Wi-Fi networks. If you have a Wi-Fi
network for your workplace, make sure it is secure
and hidden.
8. Require password-protected individual user
accounts for each employee.
9. Limit employee access to data and information,
and limit authority to install software.
10. Regularly change passwords.
Your Emerging Technology Partner
A data breach could cripple your small business,
costing you thousands or millions of pounds in lost
sales, damages or sanctions. Contact Hayes Parsons
Risk today. We have the tools necessary to ensure
you have the proper cover to protect your company
against losses from cyber attacks.
This Cyber Risks & Liabilities document is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact a legal or insurance professional for
appropriate advice. Design © 2014 Zywave, Inc. All rights reserved.
Policies to Manage Cyber Risk
All companies should develop and maintain clear and
robust policies for safeguarding critical business data
and sensitive information, protecting their reputations
and discouraging inappropriate behaviour by
employees.
Many companies already have these types of policies
in place, but they may need to be tailored to reflect the
increasing impact of cyber risks on everyday
transactions, both professional and personal. As with
any other business document, cyber security policies
should follow good design and governance practices—
not so long that they become unusable, not so vague
that they become meaningless, and reviewed regularly
to ensure that they stay pertinent as your business’
needs change.
Establish security roles and responsibilities.
One of the most effective and least expensive means
of preventing serious cyber security incidents is to
establish a policy that clearly defines the separation of
roles and responsibilities with regard to systems and
the information they contain. Many systems are
designed to provide for strong role-based access
control (RBAC), but this tool is of little use without well-
defined procedures and policies to govern the
assignment of roles and their associated constraints.
At a minimum, such policies need to clearly identify
company data ownership and employee roles for
security oversight and their inherent privileges,
including:
• Necessary roles, and the privileges and constraints
accorded to those roles
• The types of employees who should be allowed to
assume the various roles
• How long an employee may hold a role before
access rights must be reviewed
• If employees may hold multiple roles, the
circumstances defining when to adopt one role over
another
Depending on the types of data regularly handled by
your business, it may also make sense to create
separate policies governing who is responsible for
certain types of data. For example, a business that
handles large volumes of personal information from its
customers may benefit from identifying a sole manager
for customers’ private information. The manager could
serve not only as a subject matter expert on all matters
of privacy, but also as the champion for process and
technical improvements to handling of personal
information.
Develop a privacy policy.
Privacy is important for your business and your
customers. Continued trust in your business practices,
products and secure handling of your clients’ unique
information impacts your profitability. Your privacy
policy is a pledge to your customers that you will use
and protect their information in ways that they expect
and that adhere to your legal obligations.
Your policy should start with a simple, clear statement
describing the information you collect about your
customers (physical addresses, email addresses,
browsing history, etc), and what you do with it. There
are a growing number of regulations protecting
customer and employee privacy, such as the Data
Protection Act, which often carry costly penalties for
privacy breaches.
That’s why it’s important to create your privacy policy
with care and post it clearly on your website. It’s also
important to share your privacy policies, rules and
expectations with all employees and partners who may
come into contact with that information. Your
employees need to be familiar with your privacy policy
and what it means for their daily work routines.
Establish an employee Internet usage policy.
The limits on employee Internet usage in the
workplace vary widely from business to business. Your
guidelines should allow employees the maximum
degree of freedom they require to be productive (for
example, short breaks to surf the Web or perform
personal tasks online have been shown to increase
productivity). At the same time, rules of behaviour are
necessary to ensure that all employees are aware of
boundaries, both to keep themselves safe and to keep
your company successful. Some guidelines to
consider:
• Personal breaks to surf the Web should be limited
to a reasonable amount of time and to certain types
of activities.
• If you use a Web filtering system, employees
should have clear knowledge of how and why their
Web activities will be monitored, and what types of
sites are deemed unacceptable by your policy.
• Workplace rules of behaviour should be clear,
concise and easy to follow. Employees should feel
comfortable performing both personal and
professional tasks online without making judgement
calls as to what may or may not be deemed
appropriate. Businesses may want to include a
splash warning upon network sign-on that advises
employees about the company’s Internet usage
policy so that all employees are on notice.
Establish a social media policy.
Social networking applications present a number of
risks that are difficult to address using technical or
procedural solutions. A strong social media policy is
crucial for any business that seeks to use social
networking to promote its activities and communicate
with its customers. At a minimum, a social media
policy should clearly include the following:
• Specific guidance on when to disclose company
activities using social media, and what kinds of
details can be discussed in a public forum
• Additional rules of behaviour for employees using
personal social networking accounts to make clear
what kinds of discussion topics or posts could
cause risk for the company
• Guidance on the acceptability of using a company
email address to register for, or get notices from,
social media sites
• Guidance on selecting strong passwords for social
networking accounts
All users of social media need to be aware of the risks
associated with social networking tools and the types
of data that can be automatically disclosed online
when using social media. Taking the time to educate
your employees on the potential pitfalls of social media
use may be the most beneficial social networking
security practice of all.
Identify potential reputation risks.
All organisations should take the time to identify
potential risks to their reputations and develop a
strategy to mitigate those risks with policies or other
measures as available. Specific types of reputation
risks include:
• Being impersonated online by a criminal
organisation (such as an illegitimate website
spoofing your business name and copying your site
design, then attempting to defraud potential
customers via phishing scams or other methods)
• Having sensitive company or customer information
leaked to the public via the Web
• Having sensitive or inappropriate employee actions
made public via the Web or social media sites
All businesses should set a policy for managing these
types of risks and plan to address such incidents if and
when they occur. Such a policy should cover a regular
process for identifying potential risks to the company’s
reputation in cyber space, practical measures to
prevent those risks from materialising and plans to
respond to and recover from incidents as soon as they
occur.
Hayes Parsons Risk has numerous sample policies
available to our clients upon request. These policies
are a great starting point for your policy-creation efforts
and can be modified to fit the unique needs of your
business.
Understanding and Responding to a Data Breach
No company, big or small, is immune to a data breach.
Many small employers falsely believe they can elude
the attention of a hacker. Yet studies have shown the
opposite is true—in fact, nearly 3 out of 4 data
breaches were at companies with 100 or fewer
employees.
Data breach response policies are essential for
organisations of any size. A response policy should
outline how your company will respond in the event of
a data breach, and lay out an action plan that will be
used to investigate potential breaches and to mitigate
damage should a breach occur.
Defining a Data Breach
A data breach is an incident where personal data is
accessed and/or stolen by an unauthorised individual.
Examples of personal data include:
• National insurance numbers.
• Credit card information (credit card numbers—
whole or part, credit card expiry dates, cardholder
names, cardholder addresses).
• Business identification numbers and employer
identification numbers.
• Biometric records (fingerprints, DNA, or retinal
patterns and other measurements of physical
characteristics for use in verifying the identity of
individuals).
• Payroll information.
• Medical information for any employee or customer
(doctor names and claims, insurance claims,
prescriptions, any related personal medical
information).
• Other personal information of a customer,
employee or contractor (dates of birth, addresses,
phone numbers, maiden names, race, religious
belief, sexual orientation, commission or alleged
commission of an offence, etc).
Responsibilities upon Learning of a Breach
The Data Protection Act 1998 and the Privacy and
Electronic Communications (EC Directive) Regulations
2003 and subsequent amendments establish
requirements that organisations must follow
concerning data protection. A breach or a suspected
breach of personal information must be immediately
investigated. Since all personal information is of a
highly confidential nature, only personnel necessary
for the data breach investigation should be informed of
the breach. The following four elements should be
included in any breach management plan:
1. Containment and Recovery
Establish procedures to isolate and contain the breach
in order to limit the damage. Consider whether there is
anything you can do to recover any of the breached
data or equipment. Once basic information about the
breach has been established, management should
make a record of events and people involved, as well
as any discoveries made over the course of the
investigation to determine whether or not a breach has
occurred.
2. Assessment of the Risks
Once a breach has been verified and contained,
perform a risk assessment that rates the:
• Sensitivity of the personal information lost
(customer contact information alone may present a
smaller threat than financial information).
• Amount of personal information lost and number of
individuals affected.
• Likelihood personal information is usable or may
cause harm.
• Likelihood the personal information was
intentionally targeted (increases chance for
fraudulent use).
• Strength and effectiveness of security
technologies protecting personal information (eg
encrypted personal information on a stolen laptop,
which is technically stolen personal information,
will be much more difficult for a criminal to access).
• Ability of your company to mitigate the risk of
harm.
3. Notification of the Breach
Responsibility to notify individuals, the Information
Commissioner’s Office (ICO) or appropriate regulatory
body depends on the sector your organisation is in,
type of data accessed, and the individual
circumstances of the data breach. Any information
found in the initial risk assessment should be turned
over to the appropriate legal professional of your
company who will review the situation to determine if,
and to what extent, notification is required. Notification
should occur in a manner that ensures the affected
individuals will receive actual notice of the incident.
Notification should be made in a timely manner, but
make sure the facts of the breach are well established
before proceeding.
In the case that notification must be made:
• Only those that are legally required to be notified
should be informed of the breach. Notifying a
broad base when it is not required could raise
unnecessary concern in those who have not been
affected.
• A physical copy should always be mailed to the
affected parties no matter what other notification
methods are used (eg phone or email).
• A help line should be established as a resource for
those who have additional questions about how
the breach will affect them.
The notification letter should include:
• A brief description of the incident, the nature of the
breach and the approximate date it occurred.
• A description of the type(s) of personal information
that were involved in the breach (the general types
of personal information, not an individual’s specific
information).
• Explanation of what your company is doing to
investigate the breach, mitigate its negative effects
and prevent future incidents.
• Steps the individual can take to mitigate any
potential side effects from the breach.
• Contact information for a representative from your
company who can answer additional questions.
4. Evaluation and Response
It is important for you to investigate the causes of the
breach and the effectiveness of your response to it.
Identify and review your existing policies and
procedures to see where improvements can be made
to prevent future data breaches.
For more information on how to respond to a data
breach, please visit the Information Commissioner’s
Office at www.ico.gov.uk.
Insurance is Important
Chances are your company doesn’t have funds saved
to pay for data breach remediation. Fortunately, there
are insurance options available to make recovery
easier. Cyber liability insurance policies can cover the
cost of notifying customers and replace lost income as
a result of a data breach. In addition, policies can
cover legal expenses a business may be required to
pay as a result of the breach.
We’re Here to Help
A data breach can be very costly and even has the
ability to shut a business down. Contact Hayes
Parsons Risk today for resources to help support your
cyber security efforts. We have the know-how to
ensure you have the right cover in place to protect
your business from a data breach.

More Related Content

PDF
Cyber Risks & Liabilities - Cyber Security for Small Businesses
PDF
Cybersecurity report
PDF
InformationSecurity_11141
PPTX
Data Security and Regulatory Compliance
PDF
beyond_the_firewall_0103
PDF
A Guide To Cyber Insurance
PDF
10 Reasons to buy Cyber Liability Insurance
PPTX
Cyber Security Lessons from the NSA
Cyber Risks & Liabilities - Cyber Security for Small Businesses
Cybersecurity report
InformationSecurity_11141
Data Security and Regulatory Compliance
beyond_the_firewall_0103
A Guide To Cyber Insurance
10 Reasons to buy Cyber Liability Insurance
Cyber Security Lessons from the NSA

What's hot (20)

PDF
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
PDF
Cyber Liability Risk
PDF
ZSAH Security - Web
PPTX
Ci2 cyber insurance presentation
PDF
Cybersecurity and The Board
PDF
Security and Privacy: What Nonprofits Need to Know
PPTX
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
PPTX
Cybersecurity & the Board of Directors
PPT
Cyber Insurance Temp
PDF
Cyber security guide
PPTX
The Basics of Cyber Insurance
PDF
Information and Cyber Warfare
PDF
Data Breach Guide 2013
PPTX
Banks and cybersecurity v2
PPTX
Cybersecurity: How Safe Is Your Organization?
PDF
Top 3 security concerns for enterprises
DOCX
What you need to know about cyber security
PDF
Cybersecurity in the Boardroom
PDF
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
PDF
BEA Presentation
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Cyber Liability Risk
ZSAH Security - Web
Ci2 cyber insurance presentation
Cybersecurity and The Board
Security and Privacy: What Nonprofits Need to Know
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Cybersecurity & the Board of Directors
Cyber Insurance Temp
Cyber security guide
The Basics of Cyber Insurance
Information and Cyber Warfare
Data Breach Guide 2013
Banks and cybersecurity v2
Cybersecurity: How Safe Is Your Organization?
Top 3 security concerns for enterprises
What you need to know about cyber security
Cybersecurity in the Boardroom
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
BEA Presentation
Ad

Similar to Cyber liability and cyber security (20)

PDF
Ri cyber-security-for-your-small-business
PDF
Cybersecurity- What Retailers Need To Know
PDF
Cyber Security and Data Protection
PDF
4 Reasons Why Your Business Needs A Cyber Security Consultant.pdf
DOCX
The Importance of Cybersecurity to Secure Business Operations.docx
PDF
CyberSecurity Insurance - The Ugly Truth!
PDF
How to Protect Your Business from Cyber Threats | The Entrepreneur Review
DOC
Data security
PPTX
Ways To Protect Your Company From Cybercrime
PDF
The Impact of Cyber Threats: Protecting Your Business in the Digital Age
DOCX
How Portland Cybersecurity Services Can Safeguard Your Company.docx
PDF
The Need for Internet Security for Small Businesses - 10 Best Practices | The...
PDF
Cyber Security Threats For Small Business- Detox Technologies.pdf
PDF
Data Safety And Security
PDF
Cyber Risks & Liabilities - Sept/Oct 2017
PDF
Measures to Avoid Cyber-attacks
PDF
Measure To Avoid Cyber Attacks
PPT
Online Security Breach Compromises 77 Million Client Accounts
PDF
Business Security Check Reducing Risks Your Computer Systems
PDF
Cyber Security in Saudi Arabia – Top 10 Business Risks in 2025–26.pdf
Ri cyber-security-for-your-small-business
Cybersecurity- What Retailers Need To Know
Cyber Security and Data Protection
4 Reasons Why Your Business Needs A Cyber Security Consultant.pdf
The Importance of Cybersecurity to Secure Business Operations.docx
CyberSecurity Insurance - The Ugly Truth!
How to Protect Your Business from Cyber Threats | The Entrepreneur Review
Data security
Ways To Protect Your Company From Cybercrime
The Impact of Cyber Threats: Protecting Your Business in the Digital Age
How Portland Cybersecurity Services Can Safeguard Your Company.docx
The Need for Internet Security for Small Businesses - 10 Best Practices | The...
Cyber Security Threats For Small Business- Detox Technologies.pdf
Data Safety And Security
Cyber Risks & Liabilities - Sept/Oct 2017
Measures to Avoid Cyber-attacks
Measure To Avoid Cyber Attacks
Online Security Breach Compromises 77 Million Client Accounts
Business Security Check Reducing Risks Your Computer Systems
Cyber Security in Saudi Arabia – Top 10 Business Risks in 2025–26.pdf
Ad

Recently uploaded (20)

PDF
A comparative analysis of optical character recognition models for extracting...
PDF
Enhancing emotion recognition model for a student engagement use case through...
PDF
A novel scalable deep ensemble learning framework for big data classification...
PDF
Approach and Philosophy of On baking technology
PDF
project resource management chapter-09.pdf
PPTX
1. Introduction to Computer Programming.pptx
PDF
NewMind AI Weekly Chronicles - August'25-Week II
PPTX
A Presentation on Artificial Intelligence
PPTX
OMC Textile Division Presentation 2021.pptx
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PPTX
cloud_computing_Infrastucture_as_cloud_p
PDF
Web App vs Mobile App What Should You Build First.pdf
PPTX
A Presentation on Touch Screen Technology
PPTX
Programs and apps: productivity, graphics, security and other tools
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
PDF
A comparative study of natural language inference in Swahili using monolingua...
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
A comparative analysis of optical character recognition models for extracting...
Enhancing emotion recognition model for a student engagement use case through...
A novel scalable deep ensemble learning framework for big data classification...
Approach and Philosophy of On baking technology
project resource management chapter-09.pdf
1. Introduction to Computer Programming.pptx
NewMind AI Weekly Chronicles - August'25-Week II
A Presentation on Artificial Intelligence
OMC Textile Division Presentation 2021.pptx
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
Encapsulation_ Review paper, used for researhc scholars
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
cloud_computing_Infrastucture_as_cloud_p
Web App vs Mobile App What Should You Build First.pdf
A Presentation on Touch Screen Technology
Programs and apps: productivity, graphics, security and other tools
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
A comparative study of natural language inference in Swahili using monolingua...
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf

Cyber liability and cyber security

  • 1. Provided by Hayes Parsons Risk

The content of this Cover Overview is of general interest and is not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly. © 2011-2013 Zywave, Inc. All rights reserved.

Cyber Liability Insurance

As technology becomes increasingly important for successful business operations, the value of a strong Cyber Liability Insurance policy will only continue to grow. The continued rise in the amount of information stored and transferred electronically has resulted in a remarkable increase in the potential exposures facing businesses. Regulations, such as the Data Protection Act, must also be considered, because a loss of sensitive personal information may subject you to fines and sanctions from the Information Commissioner. In an age where a stolen laptop or hacked account can instantly compromise the personal data of thousands of customers or an ill-advised post on a social media site can be read by hundreds in a matter of minutes, protecting yourself from cyber liabilities is just as important as some of the more traditional exposures businesses account for in their general commercial liability policies.

Why Cyber Liability Insurance?

A traditional commercial insurance policy is extremely unlikely to protect against most cyber exposures. Standard commercial policies are written to insure against injury or physical loss and will do little, if anything, to shield you from electronic damages and the associated costs they may incur. Exposures are vast, ranging from the content you put on your website to stored customer data. Awareness of the potential cyber exposures your company faces is essential to managing risk through proper cover. Possible exposures covered by a typical cyber policy may include:

Data breaches – Increased online consumer spending has placed more responsibility on companies to protect clients’ personal information.

Business/Network Interruption – If your primary business operations require the use of computer systems, a disaster that cripples your ability to transmit data could cause you, or a third party that depends on your services, to lose potential revenue. From a server failure to a data breach, such an incident can affect your day-to-day operations. Time and resources that normally would have gone elsewhere will need to be directed towards the problem, which could result in further losses. This is especially important as denial of service attacks by hackers have been on the rise. Such attacks block access to certain websites by either rerouting traffic to a different site or overloading an organisation’s server.

Intellectual property rights – Your company’s online presence, whether it be through a corporate website, blogs or social media, opens you up to some of the same exposures faced by publishers. This can include libel, copyright or trademark infringement and defamation, among other things.

Damages to a third-party system – If an email sent from your server has a virus that crashes the system of a customer or the software your company distributes fails, resulting in a loss for a third party, you could be held liable for the damages.

System Failure – A natural disaster, malicious activity or fire could all cause physical damages that could result in data or code loss.
  • 2. Cyber Liability Insurance

Cyber Extortion – Hackers can hijack websites, networks and stored data, denying access to you or your customers. They often demand money to restore your systems to working order. This can cause a temporary loss of revenue plus generate costs associated with paying the hacker’s demands or rebuilding if damage is done.

Cyber Liability Insurance is specifically designed to address the risks that come with using modern technology; risks that other types of business liability cover simply won’t. The level of cover your business needs is based on your individual operations and can vary depending on your range of exposure. It is extremely important to work with a broker that can identify your areas of risk so a policy can be tailored to fit your unique situation.

Hayes Parsons Risk: Your Cover Expert

As reliance on technology continues to increase, new exposures continue to emerge. As your business grows, make sure your cyber liability cover grows with it. Hayes Parsons Risk is here to help you analyse your needs and make the right cover decisions to protect your operations from unnecessary risk. Contact us today at 0117 929 9381.
  • 3. This Cyber Risks & Liabilities document is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact a legal or insurance professional for appropriate advice. © 2012 Zywave, Inc. All rights reserved.

Cyber Security Tips for Small Businesses

High-profile cyber-attacks on companies such as Sony have raised awareness of the growing threat of cyber crime. Recent surveys conducted by Symantec and other cyber-security organisations suggest that many small business owners are still operating under a false sense of security.

The statistics of these studies are grim: The vast majority of small businesses lack a formal Internet security policy for employees, and only about half have even rudimentary cyber security measures in place. Furthermore, only about a quarter of small business owners have had an outside party test their computer systems to ensure they are hacker proof, and nearly 40 per cent do not have their data backed up in more than one location.

Don’t Equate Small with Safe

Despite significant cyber security exposures, 85 per cent of small business owners believe their company is safe from hackers, viruses, malware and data breaches. This disconnect is largely due to the widespread, albeit mistaken, belief that small businesses are unlikely targets for cyber attacks. In reality, data thieves are simply looking for the path of least resistance. Symantec’s study found that 40 per cent of attacks are against organisations with fewer than 500 employees.

Where is the Attack Coming From?

Outside sources like hackers aren’t the only way your company can be attacked—often, smaller companies have a family-like atmosphere and put too much trust in their employees. This can lead to complacency, which is exactly what a disgruntled or recently sacked employee needs to execute an attack on the business. Other attacks could come from failures in technology and processes.
According to the 2013 Information Security Breaches Survey released by the Department for Business, Innovation and Skills (BIS), 65 per cent of small businesses were attacked by an unauthorised outsider in the past year. The survey also found that nearly 50 per cent of the worst breaches were caused by inadvertent human error.

Attacks Could Destroy Your Business

As large companies continue to get serious about data security, small businesses are becoming increasingly attractive targets—and the results are often devastating for small business owners.

The cost of an individual security breach can vary, depending on the type of data compromised and the amount of data taken. However, cyber attacks can cost hundreds of thousands of pounds, and most small businesses don’t have that kind of money lying around. Businesses are required to keep personal and sensitive data safe in order to comply with the Data Protection Act, and violations of the Act can result in substantial sanctions from the Information Commissioner. However, many businesses continue to put off making necessary improvements to their cyber security protocols until it is too late because they fear the costs of security would be prohibitive.

10 Ways to Prevent Cyber Attacks

The BIS survey found that 83 per cent of small businesses believe security is a high priority, but that many find it difficult to keep up with the constantly changing risks and to know what actions to take to mitigate those risks. Even if you don’t currently have the resources to bring in an outside expert to test your computer systems and make security recommendations, there are simple, economical steps you can take to reduce your risk of falling victim to a costly cyber attack.

1. Train employees in cyber security principles.
2. Install, use and regularly update antivirus and antispyware software on every computer used in your business.

Courtesy of Hayes Parsons Risk

  • 4.

3. Use a firewall for your Internet connection.
4. Download and install software updates for your operating systems and applications as they become available.
5. Make back-up copies of important business data and information.
6. Control physical access to your computers and network components.
7. Secure your Wi-Fi networks. If you have a Wi-Fi network for your workplace, make sure it is secure and hidden.
8. Require password-protected individual user accounts for each employee.
9. Limit employee access to data and information, and limit authority to install software.
10. Regularly change passwords.

Your Emerging Technology Partner

A data breach could cripple your small business, costing you thousands or millions of pounds in lost sales, damages or sanctions. Contact Hayes Parsons Risk today. We have the tools necessary to ensure you have the proper cover to protect your company against losses from cyber attacks.
  • 5. This Cyber Risks & Liabilities document is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact a legal or insurance professional for appropriate advice. Design © 2014 Zywave, Inc. All rights reserved.

Policies to Manage Cyber Risk

All companies should develop and maintain clear and robust policies for safeguarding critical business data and sensitive information, protecting their reputations and discouraging inappropriate behaviour by employees.

Many companies already have these types of policies in place, but they may need to be tailored to reflect the increasing impact of cyber risks on everyday transactions, both professional and personal. As with any other business document, cyber security policies should follow good design and governance practices—not so long that they become unusable, not so vague that they become meaningless, and reviewed regularly to ensure that they stay pertinent as your business’ needs change.

Establish security roles and responsibilities.

One of the most effective and least expensive means of preventing serious cyber security incidents is to establish a policy that clearly defines the separation of roles and responsibilities with regard to systems and the information they contain. Many systems are designed to provide for strong role-based access control (RBAC), but this tool is of little use without well-defined procedures and policies to govern the assignment of roles and their associated constraints.
At a minimum, such policies need to clearly identify company data ownership and employee roles for security oversight and their inherent privileges, including:

    • Necessary roles, and the privileges and constraints accorded to those roles
    • The types of employees who should be allowed to assume the various roles
    • How long an employee may hold a role before access rights must be reviewed
    • If employees may hold multiple roles, the circumstances defining when to adopt one role over another

Depending on the types of data regularly handled by your business, it may also make sense to create separate policies governing who is responsible for certain types of data. For example, a business that handles large volumes of personal information from its customers may benefit from identifying a sole manager for customers’ private information. The manager could serve not only as a subject matter expert on all matters of privacy, but also as the champion for process and technical improvements to handling of personal information.

Develop a privacy policy.

Privacy is important for your business and your customers. Continued trust in your business practices, products and secure handling of your clients’ unique information impacts your profitability. Your privacy policy is a pledge to your customers that you will use and protect their information in ways that they expect and that adhere to your legal obligations.

Your policy should start with a simple, clear statement describing the information you collect about your customers (physical addresses, email addresses, browsing history, etc), and what you do with it. There are a growing number of regulations protecting customer and employee privacy, such as the Data Protection Act, which often carry costly penalties for privacy breaches. That’s why it’s important to create your privacy policy with care and post it clearly on your website.
It’s also important to share your privacy policies, rules and expectations with all employees and partners who may come into contact with that information. Your employees need to be familiar with your privacy policy and what it means for their daily work routines.

Establish an employee Internet usage policy.

The limits on employee Internet usage in the workplace vary widely from business to business. Your guidelines should allow employees the maximum degree of freedom they require to be productive (for example, short breaks to surf the Web or perform personal tasks online have been shown to increase productivity).

  • 6. At the same time, rules of behaviour are necessary to ensure that all employees are aware of boundaries, both to keep themselves safe and to keep your company successful. Some guidelines to consider:

    • Personal breaks to surf the Web should be limited to a reasonable amount of time and to certain types of activities.
    • If you use a Web filtering system, employees should have clear knowledge of how and why their Web activities will be monitored, and what types of sites are deemed unacceptable by your policy.
    • Workplace rules of behaviour should be clear, concise and easy to follow. Employees should feel comfortable performing both personal and professional tasks online without making judgement calls as to what may or may not be deemed appropriate.

Businesses may want to include a splash warning upon network sign-on that advises employees about the company’s Internet usage policy so that all employees are on notice.

Establish a social media policy.

Social networking applications present a number of risks that are difficult to address using technical or procedural solutions. A strong social media policy is crucial for any business that seeks to use social networking to promote its activities and communicate with its customers.
At a minimum, a social media policy should clearly include the following:

    • Specific guidance on when to disclose company activities using social media, and what kinds of details can be discussed in a public forum
    • Additional rules of behaviour for employees using personal social networking accounts to make clear what kinds of discussion topics or posts could cause risk for the company
    • Guidance on the acceptability of using a company email address to register for, or get notices from, social media sites
    • Guidance on selecting strong passwords for social networking accounts

All users of social media need to be aware of the risks associated with social networking tools and the types of data that can be automatically disclosed online when using social media. Taking the time to educate your employees on the potential pitfalls of social media use may be the most beneficial social networking security practice of all.

Identify potential reputation risks.

All organisations should take the time to identify potential risks to their reputations and develop a strategy to mitigate those risks with policies or other measures as available. Specific types of reputation risks include:

    • Being impersonated online by a criminal organisation (such as an illegitimate website spoofing your business name and copying your site design, then attempting to defraud potential customers via phishing scams or other methods)
    • Having sensitive company or customer information leaked to the public via the Web
    • Having sensitive or inappropriate employee actions made public via the Web or social media sites

All businesses should set a policy for managing these types of risks and plan to address such incidents if and when they occur. Such a policy should cover a regular process for identifying potential risks to the company’s reputation in cyber space, practical measures to prevent those risks from materialising and plans to respond to and recover from incidents as soon as they occur.
Hayes Parsons Risk has numerous sample policies available to our clients upon request. These policies are a great starting point for your policy-creation efforts and can be modified to fit the unique needs of your business.
  • 7. This Cyber Risks & Liabilities document is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact a legal or insurance professional for appropriate advice. © 2012 Zywave, Inc. All rights reserved.

Understanding and Responding to a Data Breach

No company, big or small, is immune to a data breach. Many small employers falsely believe they can elude the attention of a hacker. Yet studies have shown the opposite is true—in fact, nearly 3 out of 4 data breaches were at companies with 100 or fewer employees.

Data breach response policies are essential for organisations of any size. A response policy should outline how your company will respond in the event of a data breach, and lay out an action plan that will be used to investigate potential breaches to mitigate damage should a breach occur.

Defining a Data Breach

A data breach is an incident where personal data is accessed and/or stolen by an unauthorised individual. Examples of personal data include:

    • National insurance numbers.
    • Credit card information (credit card numbers—whole or part, credit card expiry dates, cardholder names, cardholder addresses).
    • Business identification numbers and employer identification numbers.
    • Biometric records (fingerprints, DNA, or retinal patterns and other measurements of physical characteristics for use in verifying the identity of individuals).
    • Payroll information.
    • Medical information for any employee or customer (doctor names and claims, insurance claims, prescriptions, any related personal medical information).
    • Other personal information of a customer, employee or contractor (dates of birth, addresses, phone numbers, maiden names, race, religious belief, sexual orientation, commission or alleged commission of an offence, etc).
Responsibilities upon Learning of a Breach

The Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and subsequent amendments establish requirements that organisations must follow concerning data protection.

A breach or a suspected breach of personal information must be immediately investigated. Since all personal information is of a highly confidential nature, only personnel necessary for the data breach investigation should be informed of the breach. The following four elements should be included in any breach management plan:

1. Containment and Recovery

Establish procedures to isolate and contain the breach in order to limit the damage. Consider whether there is anything you can do to recover any of the breached data or equipment. Once basic information about the breach has been established, management should make a record of events and people involved, as well as any discoveries made over the course of the investigation to determine whether or not a breach has occurred.

2. Assessment of the Risks

Once a breach has been verified and contained, perform a risk assessment that rates the:

    • Sensitivity of the personal information lost (customer contact information alone may present a smaller threat than financial information).
    • Amount of personal information lost and number of individuals affected.
    • Likelihood personal information is usable or may cause harm.

  • 8.

    • Likelihood the personal information was intentionally targeted (increases chance for fraudulent use).
    • Strength and effectiveness of security technologies protecting personal information (eg encrypted personal information on a stolen laptop, which is technically stolen personal information, will be much more difficult for a criminal to access).
    • Ability of your company to mitigate the risk of harm.

3. Notification of the Breach

Responsibility to notify individuals, the Information Commissioner’s Office (ICO) or appropriate regulatory body depends on the sector your organisation is in, type of data accessed, and the individual circumstances of the data breach. Any information found in the initial risk assessment should be turned over to the appropriate legal professional of your company who will review the situation to determine if, and to what extent, notification is required. Notification should occur in a manner that ensures the affected individuals will receive actual notice of the incident. Notification should be made in a timely manner, but make sure the facts of the breach are well established before proceeding.

In the case that notification must be made:

    • Only those that are legally required to be notified should be informed of the breach. Notifying a broad base when it is not required could raise unnecessary concern in those who have not been affected.
    • A physical copy should always be mailed to the affected parties no matter what other notification methods are used (eg phone or email).
    • A help line should be established as a resource for those who have additional questions about how the breach will affect them.

The notification letter should include:

    • A brief description of the incident, the nature of the breach and the approximate date it occurred.
    • A description of the type(s) of personal information that were involved in the breach (the general types of personal information, not an individual’s specific information).
    • Explanation of what your company is doing to investigate the breach, mitigate its negative effects and prevent future incidences.
    • Steps the individual can take to mitigate any potential side effects from the breach.
    • Contact information for a representative from your company who can answer additional questions.

4. Evaluation and Response

It is important for you to investigate the causes of the breach and the effectiveness of your response to it. Identify and review your existing policies and procedures to see where improvements can be made to prevent future data breaches.

For more information on how to respond to a data breach, please visit the Information Commissioner’s Office at www.ico.gov.uk.

Insurance is Important

Chances are your company doesn’t have funds saved to pay for data breach remediation. Fortunately, there are insurance options available to make recovery easier.

Cyber liability insurance policies can cover the cost of notifying customers and replace lost income as a result of a data breach. In addition, policies can cover legal expenses a business may be required to pay as a result of the breach.

We’re Here to Help

A data breach can be very costly and even has the ability to shut a business down. Contact Hayes Parsons Risk today for resources to help support your cyber security efforts. We have the know-how to ensure you have the right cover in place to protect your business from a data breach.