Our Regional Director and Head of Sales and Distribution – Commercial, Chris Lennon, considers the everyday cyber challenges faced by organisations in the UK.
The topic of Cyber is one that receives a lot of attention and rightly so. Whilst much is made of major cyber events, such as the international outbreak of WannaCry and NotPetya in 2017, and the headline-grabbing hacks and data breaches from global companies and financial institutions, there is relatively little focus on everyday challenges faced by UK companies and other institutions.
Unlike healthcare and financial services organisations who handle vast amounts of personal and sensitive information, many businesses have been slower to adopt cyber insurance and look at system and human vulnerabilities in their information management chain. Many of these smaller organisations assume that their risk is limited, and ask themselves the question “why would someone hack me?”
However, any business that relies on computer systems to generate or store business-critical information can have a very real exposure to cyber risks if they lose or are unable to access their digital files. In addition to the operational challenges that such a loss of data or interruption may cause to trading, the biggest concern is consumer trust. Imagine an online retailer who was a victim of a hack or significant data breach. The key risk is not the lost trading and the costs incurred to remedy, but the loss of customer confidence and lasting reputational harm.
Cyber risks for academic institutions
The same is true of educational institutions such as academies, independent schools, universities and colleges. These institutions hold vast amounts of personal and often sensitive information. This includes personal student data, contact information, financial details of parents/guardians and physical and mental health records. They will also hold confidential information about staff and governors.
This information, if breached, could cause significant embarrassment, and create vulnerabilities and risks for families, students and staff. Many educational institutions do not have the same level of IT security that most private sector and financial organisations do. Unfortunately, it is not hard to imagine how information pertaining to the health and wellbeing of children could be targeted and misused.
Any breach or corruption of such information, particularly any that led to abuse, would also create a lasting reputational challenge for the school or college. This could result in reduced student intakes, parents removing children from the school and even prosecution and civil action.
Following the introduction of GDPR, all schools and colleges should be aware that they owe a greater duty of care to minors and that personal data will extend to images and video. The risk of prosecution and penalty is real and, with a maximum fine of €20m or 4% of revenue, the financial implications are far more stark than under the previous regime.
The costs of a security breach
In May, The University of Greenwich was fined £120,000 by the Information Commissioner's Office for a security breach in which the personal data of 19,500 students was placed online. The data included names, addresses, dates of birth, phone numbers, signatures and – in some cases – physical and mental health records.
This information was uploaded onto a microsite for a training conference in 2004, which was then not secured or closed down. The Information Commissioner said Greenwich was the first university to receive a fine under the Data Protection Act of 1998 and described the breach as “serious”.
Steve Eckersley, head of enforcement at the ICO said, “Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress. The nature of the data, and the number of people affected have informed our decision to impose this level of fine.”
Cyber insurance is the fastest growing area of insurance for good reason. It is unimaginable that a college or school would not insure its computers and equipment against physical theft, yet the theft of data is easier and less risky, and the data is more valuable than physical assets. With premiums starting from as little as £500, Cyber insurance can be a vital protection. It can provide cover for costs and awards, and more importantly a leveraged and funded breach response service to prevent or minimise lasting reputational harm.
Such is the focus on Cyber Insurance that research* suggests that Cyber premiums will see the most rapid global growth in the next three years. Worldwide premiums are predicted to be worth $4 billion by 2021, an annual growth rate of 14.1%. The same study found that over the past five years cyber premiums saw the most significant growth at 23% annually.
At Stackhouse Poland, we have seen a significant shift in customer focus from tangible to intangible, as businesses and institutions appreciate the value of data and the need to safeguard it. We are a finalist in the Commercial Insurance Broker of the year category at the upcoming British Insurance Awards based on our approach to Cyber.
We focus on educating clients on Cyber risks and urge clients not to overlook the dangers that exist, particularly to organisations where IT and data management is not a primary function.
Find out more
If you would like to learn more about how we can help you with cyber insurance, please get in touch.
Call us on 0207 089 2900 or email us at firstname.lastname@example.org
* Research conducted by Aon