We spoke to Michael Whitfield, managing director of insurtech firm CPP Group UK, about how the Covid-19 outbreak could increase risks surrounding cyber-attacks and what features advisers should look out for in cyber insurance products.
CR: Tell us a bit about CPP and how it can help advisers add further value to their products and services.
CPP Group UK has a suite of innovative products in insurance, insurtech and cyber security. We develop these products to help our adviser and insurer partners gain a competitive edge, create customer loyalty, and drive ancillary revenue.
The Insurance Distribution Directive focuses on customers being better informed and having access to products that meet their needs. It’s driven by providing value to the customer. Brokers are in the ideal position to achieve that by offering ancillary benefits to clients, such as our specialist cyber policy designed to cater for SME businesses. Despite being particularly vulnerable to attacks, SMEs are under-represented in traditional cyber insurance products. So, we created a policy that is affordable, with a reduced question set and understandable language to make it accessible for SMEs and advisers. We wanted to make it easy for advisers to offer a simple policy with an extensive list of features.
CR: How can businesses know if they are at risk of cyber-attacks and how can these be prevented?
All businesses are at risk of cyber-attacks, but some are much more aware of the risks and therefore able to better protect themselves. There are a number of preventative measures to take, starting with firewalls and high-quality antivirus software. The top cause of breaches is employee negligence, so cybersecurity training is needed to give staff the tools and confidence they need to recognise and appropriately deal with threats.
Cyber risk management technology can help businesses understand how they might be vulnerable. KYND is an example of this – it provides a real-time scan of a company’s entire online presence, identifying any security lapses or potential risks. It then displays these using a simple traffic light system to highlight the most severe issues first, and provides expert advice on how to fix them. This can be particularly useful for businesses that don’t have in-house cybersecurity experts, and is most effective when coupled with a data-monitoring tool like OwlDetect. It scans the internet 24/7, including the dark web, for any business data that appears. If information is found to be compromised, it sends an alert in real time and provides a plan of action. These tools are especially helpful for businesses that don’t have an in-house cyber security expert.
Brokers and advisers, as trusted consultants to their clients, can provide additional value and strengthen those relationships by helping founders and CEOs understand how to prevent and mitigate against cyber risks.
To help advisers better educate their clients on the risk of cyber-attacks, CPP have launched a new initiative called KYND Start. It offers brokers and advisers the opportunity to run a real-time scan on the websites of current and potential clients and produces a report that can help articulate the need for cyber insurance by demonstrating the threats they are already facing.
CR: Why should all SMEs have cyber insurance?
Even with every possible preventative measure ticked off, things can slip through the cracks; cyber attacks are becoming more sophisticated, and human error can occur at any time. Small business owners may not imagine themselves to be at risk compared to larger organisations, but research has shown that UK SMEs are the target of approximately 65,000 cyber attacks each day. A UK small business is hacked once every 19 seconds.
Businesses of that size rarely have dedicated IT departments, and are unprepared to deal with attacks. This has a number of potentially devastating consequences including business interruption, loss of revenue, reputational damage and the possibility of incurring regulatory fines. The financial impact of a breach alone is often enough to put SMEs under.
Having appropriate cyber insurance in place helps to protect against these risks. Statistically, businesses are more likely to suffer a cyber attack than be burgled, and yet everyone is covered against burglary! Brokers deal with a lot of sensitive data relating to clients’ personal and financial information too, and should consider practising what they preach when it comes to advising on cyber insurance.
CR: What features should advisers look out for in cyber insurance products?
A comprehensive cyber policy goes beyond simply insuring against liabilities that arise from cyber attacks or related data privacy legislation breaches – it should also provide tools to help businesses prevent them from happening. This could include high-quality free antivirus software, a 24/7 helpline, and cloud-hosted backup storage. You may also wish to look for a policy that incorporates support if an attack does occur, such as access to a specialist IT forensic company to investigate what data has been compromised, and public relations support to mitigate against potential reputational damage. To be accessible to SME-sized businesses, selectable indemnity limits, reasonable excesses and competitive rates are key. Most cyber insurance policies, unlike ours, also don’t include social engineering as mandatory cover. Social engineering is when a criminal uses psychological manipulation to trick people into transferring funds or other assets, for example in phishing, baiting, or spoofing attempts.
CR: How could the Covid-19 outbreak increase risks surrounding cyber-attacks?
The increased shift to home-working has played a key role in keeping people safe from the virus, but unfortunately it does heighten the risk of cyber attacks. There are a few reasons for this: employees are using personal devices that don’t have strong antivirus and firewalls, or software that hasn’t been updated to include new security patches, all of which help to guard against threats. Many people are relying heavily on home Wi-Fi systems, but are not aware that they should change their router password when it is first installed to avoid their home networks being open to attack.
Aside from hardware and software vulnerabilities, we are aware of cyber criminals exploiting people’s current fears by using coronavirus in social engineering scams. Recent phishing emails and texts have been designed to look as if they contain important updates on the pandemic, to tempt people into opening them and clicking on links. As home workers are separated from colleagues, they are also at risk of spoofing attacks, where a cyber criminal pretends to be someone else to steal information or funds. For example, they may receive an email that looks like it comes from a boss or accountant asking them to transfer money, when actually it is a cyber criminal cleverly disguised by authentic-looking email addresses and signatures.
CR: If you could see one headline about the financial services in 2020, what would it be?
“Cyber insurance to become mandatory to protect all businesses against cyber crime”.