Cyber attacks are coming thick and fast and becoming almost an inevitability for UK business. It is as FBI Director Robert Mueller foresaw when speaking in March 2012. Ignorance is no longer bliss. It is essential fintech firms proactively manage their cyber risks, which means making a decision whether to purchase a cyber insurance policy.
“There are only two types of companies: those that have been hacked and those that will be. Even that is merging into one category: those that have been hacked and will be again.”
Ashley Madison, the US Office of Personnel Management, Carphone Warehouse, Lloyds Bank, TalkTalk, M&S, and most recently Vodafone are just some of the cyber security breaches that have occurred during 2015. UK businesses in the fintech industry will be feeling particularly vulnerable, wondering if they will be next. Recent events serve as a strong reminder of the importance of regularly reviewing cyber security arrangements. The board of directors must ensure they understand the most recent threats and are suitably prepared in the event of an attack, or shareholders may hold them accountable.
CYBER INSURANCE EXPLAINED
Typically, the cyber insurance industry breaks a cyber event into three parts: Event Management, Financial Loss and Liability. Event Management covers the internal and external expenses of managing the response to a cyber event. Cyber insurers vary in the extent of cover provided for Event Management, but in general they recognise that providing access to third-party cyber security experts can mitigate the consequences of a catastrophic event. This is sometimes spearheaded by a cyber response coach, an industry expert responsible for advising a business on how to handle and manage a cyber event. Typically this will start with an investigation by third parties to establish the extent of the issue. If card data is compromised, insurers can indemnify the costs arising from a specialist PCI Forensic Investigator (PFI) investigation. Consultation on how to manage legal and regulatory issues will also be covered, as will a crisis communication strategy. Establishing a call centre to field queries and providing credit monitoring are the last elements of cover.
Financial Loss takes into account the increased operational costs and reduction in profits as a result of the attack. This is known as non-physical damage business interruption, and is typically excluded from property insurance. Should any fines and penalties be issued by regulators (the Information Commissioner’s Office) or industry associations (for the loss of sensitive card payment data), cyber insurers will cover these with the proviso that they are insurable by law. Costs in managing a cyber-extortion situation — and the ransom itself — can also be covered.
Liability tends to impact some months later. Affected individuals or businesses may bring claims or written demands for failing to protect their information. They may seek compensation for financial losses from hacking, or damages from identity theft. In cases where customers are claiming from multiple jurisdictions, cyber insurers can contribute towards defence costs and any resulting damages from multi-jurisdictional claims.
THE RISK OF GOING UNINSURED
Many fintechs are carrying a great deal of cyber risk on their balance sheets. By effecting suitable cyber risk management, such as a robust cyber security framework that includes penetration testing and effective threat detection through multi-layer monitoring, many cyber attacks can be stemmed at an early stage. An incident response plan, which considers not just business continuity and disaster recovery but also easy-to-implement steps and pre-contracted responders, can make the difference between a disastrous impact on reputation and a positive outcome for the entity in question.