The GDPR comes into force in May 2018 and will replace the Data Protection Act 1998 in the UK. With organisations facing increased data responsibilities and potentially higher fines, how they respond to and manage a cyber breach will become increasingly important.
Spotlight on Cyber Insurance
The General Data Protection Regulation (GDPR) creates a significant opportunity for Cyber insurance. If it’s not already, the GDPR will make data protection a boardroom level issue and will force organisations to closely examine how they intend to respond to data breaches.
GDPR: Increased Fines and Potential Liabilities
Organisations will face the prospect of significantly increased fines for non-compliance, up from their current maximum of £500,000 to €20m or 4% of annual global turnover. In addition, mandatory notification requirements will require organisations to inform the regulator of data breaches within 72 hours. This notification requirement in turn has the potential to create an increase in third party liability claims.
CyberEdge can assist clients to quickly respond to an incident and manage the event from breach through to resolution. As soon as a cybersecurity incident is detected or suspected, clients can call the 24/7 CyberEdge hotline to be connected to response consultants.
Access to Experts
Clients are advised by Legal and I.T. consultants who are experts in cybersecurity incidents and data breaches. How a company responds to and manages an incident can influence the outcome of a regulatory investigation and therefore being guided by experienced specialists is critical.
CyberEdge’s response and event management is led by legal advisers at top UK law firms who also have global footprints. This legal guidance is crucial to ensure a coordinated response and to minimise potential liabilities faced by the business.
In a rapidly changing world, CyberEdge provides clients with an end-to-end risk management solution to stay ahead of the cyber risk curve.
Cyber cover. Evolved.
To reflect this ever changing landscape, we’ve updated CyberEdge and enhanced its cover. The new CyberEdge not only offers protection against cybersecurity breaches and their financial impacts, but also addresses the evolving manner in which criminals are exploiting technology and the greater effect such attacks are having on organisations.
With thirteen cover modules and one endorsement, CyberEdge’s new modular wording offers clients a tailored solution for the unique risks they face.
CyberEdge recognises that an early, expert and effective response is critical to resolving an attack successfully and to the safety of the business, and for this reason no policy retention applies to the First Response coverage for the first 48 hours.
CyberEdge clients can select our First Response coverage to provide 24/7 response after a security breach or denial of service attack. (Note the importance of 24/7 response as many cyber attacks occur in “down times” such as Friday afternoons or bank holiday weekends).
IT departments exposed
This rapid specialist support is key, as the client’s IT department may not be cyber attack experts and may be under great pressure from the business to resume systems as soon as possible. This can be dangerous: data may still be leaving the system, or a hacker may still be inside. Sometimes a denial of service attack can mask a deeper attack.
First response delivery
First Response cover delivers rapid technical expertise to identify and fix the immediate issues and safeguard the business. This often involves quickly coordinating the client’s various suppliers (IT providers, web application companies, hosting companies) to establish the facts and apply controls that shore up the client’s defences or stop data loss, depending on the attack.
Vulnerabilities may have been present in the website or the system infrastructure for some time, and it is essential that they are identified and repaired by specialists, as hackers are known to return and exploit the same weaknesses repeatedly.
Investigation and defence
After the critical First Response period of 48 hours, CyberEdge covers the IT services needed to thoroughly investigate the client’s system vulnerabilities that were exploited by the cyber attack, e.g. looking for logic flaws, identifying and removing malicious code and software, and implementing strong denial of service defences.
CyberEdge also covers the costs of identifying and recreating data that was held by the business (e.g. customer information) and lost or corrupted in an attack, as well as software that has been lost or corrupted.
Clients often value this independent expertise. The forensic and IT specialists available through CyberEdge have assisted with numerous large and sophisticated cyber incidents and are on call to bring this expertise into an organisation 24/7.
The numbers of customers to communicate with will depend on the data breached, and could potentially be very large. Communication to customers has to be made without “undue delay”. CyberEdge pays for the necessary costs of doing this (for instance setting up call centres to handle the notification to customers).
CyberEdge covers the costs of following the right procedures to notify people (such as customers) whose data has been breached. This is an area where businesses will certainly need specialist legal advice and possibly additional business resources to follow the notification process properly.
The ICO (the UK cyber data regulator) says that businesses have to tell their customers if the breach is likely to adversely affect them. There are several things businesses have to consider when deciding this, including the nature and content of the data and the harm, embarrassment or danger it could cause if misused. CyberEdge pays for specialist legal advice in this area.
There are detailed requirements about what the business has to tell its customers including: the nature and content of the breached data, the likely consequences of the breach, measures taken by the business after the breach, recommended actions for individuals. Again this is an area where the business would benefit from specialist guidance which CyberEdge pays for.
CyberEdge ensures businesses get expert help navigating the legal landscape after a cyber attack and also covers their legal liabilities (e.g. to customers) resulting from an attack. Can businesses get this specialist guidance from their existing legal suppliers? Have they considered the potential cost of this advice and the potential liabilities?
Information security requirements
Under the Data Protection Act clients need to have adequate information security in place. This will depend on the size of the client, the type of information they hold and the harm it could do if the information was misused. Clients may need clear guidance and advice about their position after an attack – which CyberEdge covers.
Third party liabilities
Clients may face liabilities to others (such as customers or staff) for losing or corrupting data. For instance, they may be liable for negligence, conversion, trespass, or for breach of contract. Again, clients may need expert advice about their position after an attack – which is covered by CyberEdge, as are the financial liabilities.
Dealing with the ICO
The ICO is the UK’s cyber data regulator and clients should tell it about serious breaches. The ICO may investigate and recommend changes in security measures. In extreme cases (e.g. deliberate breaches) it can fine the company up to £500,000. Clients may need clear expert legal guidance in their dealings with the ICO – which CyberEdge covers. This type of cover will only become more important when the GDPR comes into force in 2018.
Optional network interruption and cyber extortion coverages
CyberEdge can be optionally extended to cover Network Interruption to the client’s operations caused by a security failure. Cover includes the loss of net profit caused by the attack and additional costs (such as overtime or additional staff) necessary to minimise the impact of the loss.
OSPs and System Failures
CyberEdge also offers extensions for Network Interruption losses from Outsourced Service Providers (OSPs) and more general System Failures not related to a cybersecurity breach.
Cyber extortion triggers
CyberEdge can also be extended to cover cyber extortion. This includes the costs of specialist response to extortion threats (e.g. threats to release confidential information held by the company to the outside world, threats to disrupt the company’s systems with a virus, or threats to bring down the company’s website with a denial of service attack).
Cyber extortion cover
CyberEdge funds professional extortion consultants to advise the company, e.g. assessing the threat and the credibility of the perpetrators, analysing the client’s options, evaluating the pros and cons of entering into negotiations, what should be communicated, how and when it should be communicated, whether the authorities should be involved, and whether authorities from different countries are involved.
CyberEdge includes a range of complimentary and discounted loss-prevention services to help reduce the risk of a cyber attack in the first place.
The CyberEdge Mobile App for phones and tablets delivers the latest cyber breach information, news, opinion, and risk analysis. It includes a data breach threat map displaying breaches around the world, claims examples of cyber breaches covered by CyberEdge, and a breach calculator for businesses to estimate their potential costs of a data breach.
Clients with cyber premiums over £5,000 are entitled to Infrastructure Vulnerability Scanning. A complimentary external scan for up to 49 of an insured’s public facing IP addresses detects vulnerabilities across network devices, servers, web applications, and databases to help reduce risk and better manage compliance requirements.
IP Blocking, Domain Protection, and Employee Cybersecurity eLearning
IP blocking and domain protection enable organisations to control their exposure to criminal activity by leveraging vast threat intelligence repositories, precision geo-blocking, and black-list automation – proactively reducing the attack surface by up to 90% ahead of the firewall. Employee eLearning references and reinforces clients’ security policies based on their employees’ individual roles – with more than 40 modules available in 11 languages.
AIG Risk Consulting Services
In addition to the complimentary services outlined above, AIG’s team of cyber risk consultants brings over 50 years’ combined experience in IT security to help our clients stay ahead of their cyber risk. Our team can work directly with CyberEdge insureds to provide detailed, technical expertise and consulting services.
Preferred Vendor Partner Services
We have also partnered with experts in cyber risk to bring our clients additional options to add to their line of defence. These services have been specifically selected based on our nearly 20 years of experience and how well they can help strengthen the cybersecurity maturity of an organisation. All CyberEdge clients have access to these services at preferred rates.