Cyber Q&A with Neon Mavromatis, Managing Director – Construction, Kerry London

Q: What’s the current state of the cyber market? Has demand for this kind of protection increased over the last few years?

A: Many businesses still don’t have cyber cover in place, despite the massive growth of cyber-attacks. Increased connectivity has significant financial benefits for businesses, but it also brings greater exposure to various cyber risks. Smartphones, tablets, and cloud storage are widely used to store information, exposing firms to greater risk of an attack.

The Government’s Cyber Security Breaches Survey 2022 confirms that many companies are still not investing enough in their cyber defences, with only 34% having business continuity plans covering cybersecurity. Of the 39% of UK businesses who identified an attack, the most common threat was email phishing attempts (83%). One in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack.

Q: What kind of scenarios are covered?

A: Cyber insurance is designed to protect businesses against the financial loss caused by cyberattacks, such as data breaches and system interruption. Two critical aspects of cover protect against ransomware and phishing attacks, which are amongst the most common issues we see. With ransomware, company data is held to ransom. The hacker gets inside a company’s systems, locks them down, and the criminals demand payment for the release of that information. Phishing emails involve a person or organisation pretending to be someone they’re not. Their approach is to illegally scam money via a fictitious bank account or company.

There’s a wide range of cyber insurance policies to suit the needs of different size businesses. Cover can typically include cyber incident response costs, system damage and business interruption, network security, and privacy liability, including liabilities arising from regulatory fines to court attendance costs. We include cyber security consultancy services and risk management as part of the policy. These services and the expertise that comes with them, are particularly valuable to businesses that don’t have these skills in-house.

We advise our clients to take a policy that includes forensics because it ensures the removal of things like hidden spyware which could trigger another incident in six months. Some hackers are secretly monitoring firms for months before they launch an attack. They get into the system and silently observe business activities to enable them to strike when they believe a business is vulnerable.

Q: What kind of claims are you seeing, and is this affecting the cost of cyber insurance?

A: Our experience has shown the number of cyber claims has increased significantly. A few years ago, many of our clients didn’t perceive cyber as a significant risk, but this attitude has changed dramatically. The last few years have also enabled insurers to build up better claims experience in this area, and the exponential growth of cyber risk has resulted in premium increases. Companies that have good IT security measures in place will see lower premiums than those that do not. Overall, premiums are still very affordable because they were reasonably priced to begin with.

The message we’re trying to get across to our customers is that the cost of not addressing the risk of cybercrime can seriously affect their balance sheets. One of our clients recently suffered a very expensive phishing attack, which demonstrates the scale of the problem. The client received a valid email providing bank details to pay one of their providers. Shortly after receiving the first email, they received a second updated email that looked identical to the first but claiming the first was sent in error and provided a second set of “updated” bank details. The second email was a phishing email that looked exactly like the first, but with minor differences in the email address that went unnoticed, so the client proceeded to pay using the “updated” bank details. This simple, single, incident resulted in the client paying £72k to cybercriminals.

Unsurprisingly, cybercriminals are very organised, and their intention is to make a profession out of cyber-attacks. The increase in remote working following previous Covid lockdowns has unfortunately increased exposure to this risk. Employees have been using their home routers to dial-in to their employer’s network, and the security of those connections isn’t as robust as it would be in an office environment.

Q: What advice would you give to businesses looking for a good cyber policy?

A: We advise our customers that insurers require a thorough understanding of their businesses’ approach to IT security. Many companies with in-house IT departments are usually, but smaller firms that don’t have an in-house IT function may need to outsource this work. Either way, multi-factor authentication is a minimum requirement for most insurers, and without that, they may struggle to provide cover. Most of the customers we deal with have multi-factor authentication in place, and those that don’t are working on it, so I don’t think this will shock them and t’s essential for those with remote working employees.

Insurers are also particularly interested in solid cyber risk management measures around the processes that distribute money out of the business and protection of third-party data. The EU General Data Protection Regulation (GDPR) is one of the strictest data protection laws in the world, and there are severe penalties for breaching these regulations. Organisations that experience a cyber-attack must demonstrate they are protecting the data they hold on individuals. All businesses must report an attack to the Information Commissioner’s Office (ICO) within 72 hours of discovering the breach or face severe penalties.

Employee training can help pick up some of the most frequent problems, such as checking for the little nuances in phishing email addresses. Simple measures such as this can make a huge difference.

On reflection, one positive regarding lockdown is that it mobilised many businesses to implement more robust IT security strategies quicker than initially planned [to facilitate remote working] and this has had a positive impact.

Kerry London is authorised and regulated by the Financial Conduct Authority. The company is a leading UK independent and Lloyd’s accredited broker, which means that we work with a wide range of niche and major insurers.

This note is not intended to give legal or financial advice, and, accordingly, it should not be relied upon for such or regarded as a comprehensive statement of the law and/or market practice in this area. In preparing this note, we have relied on information sourced from third parties, and we make no claims as to the completeness or accuracy of the information contained herein. You should not act upon information in this bulletin nor determine not to act without first seeking specific legal and/or specialist advice. We and our officers, employees or agents shall not be responsible for any loss whatsoever arising from the recipient’s reliance upon any information we provide herein and exclude liability for the content to the fullest extent permitted by law.

Categories: Cyber,