A risk underestimated by SMEs
While many small businesses and SMEs still think they are not a target for hackers, current statistics show that they are increasingly exposed to financial losses caused by cyber-attacks.
According to a recent survey by a large audit firm, 88% of Swiss companies faced a cyber-attack during the past 12 months, against 54% the previous year. In around two thirds of cases, the attack caused an interruption of business activities, and a third of the companies surveyed had confidential data, belonging to clients or partners, stolen.
Despite these alarming figures, 36% of companies still do not have a crisis plan. Awareness does seem to be growing gradually, since 61% of CEOs say they are concerned about cyber risk. This concern is all the more relevant because of the significant implications for executives' liability (as was the case for Equifax in the United States).
Phishing is the medium most frequently used by hackers. Companies in the financial and technology sectors are the most highly exposed:
- Delivery services
- IT vendors
- Government organisations
- Online gaming
- Social networks
- Internet portals
This trend is confirmed by data from insurers. According to data published by AIG, one of the leading companies in Cyber insurance (for over 15 years), the most affected sectors for the period from 2013 to 2016 are as follows:
- Financial services 23%
- Communication, Media & technology 18%
- Retail / Wholesale 17%
- Business services 9%
- Hospitality and leisure 8%
- Manufacturing 8%
- Professional services 6%
- Public entity and non-profit 4%
- Other industries / Services 8%
Therefore, one might conclude that companies in the financial and technology sectors are the most concerned. However, all SMEs and industrial companies are also at major risk:
A study carried out by GFS-Zurich in September 2017 with 300 Swiss SMEs suggests that 23,000 companies (4% of Swiss companies) have been exposed to blackmail and 290,000 companies (36%) have faced malware. In addition, 62 percent of the people surveyed considered an interruption of their IT services as very important to their business.
Indeed, the exposure of their operational systems to cyber-attacks may lead to substantial operating losses. A striking example occurred at DaimlerChrysler in 2005, when the Zotob worm spread. The interruption of production chains stopped 50,000 workers in 13 plants, which caused a loss of USD 14,000,000 for a single hour of interruption:
[Figure: Cyber-risks: Several major industrial incidents since 2000 (number of major industrial incidents)]
Many cases of cyber-attacks have hit the headlines. This has led all companies to invest more and more significantly in their cybersecurity policy, whether in relation to business processes, through different technology media, or at management level.
The problems related to social engineering have led companies to increase their prevention and internal controls: implementing protocols and training, managing access rights on computer systems cautiously, etc.
The transfer of all these risks to insurers sometimes takes place within the framework of a comprehensive approach to risk management, whether through fidelity insurance or Cyber insurance, although this is less often the case for SMEs.
The current trend, however, seems to be greater awareness among all the players.
But what do insurers offer within the Cyber insurance?
On the one hand, Cyber insurance provides dedicated services and covers the various costs caused by a cyber-attack: crisis management costs, public relations consultancy fees, costs of legal advice, and other costs related to reporting obligations and loss of data. The main benefits are:
- Cost of the “forensic” expertise (to identify and remedy the attack), with the availability of (often from external providers) crisis management services,
- Public relations and lawyers’ fees (to manage the reputation of the company and develop an appropriate legal response),
- Costs of reporting to the administrative authorities (given the obligations of notification under the Federal Act for Data Protection and sometimes also the GDPR *) and costs of notification to individuals whose sensitive or personal data was stolen,
- Data recovery fees (by third-party companies, who re-enter data that exists only on paper, and restore or repair damaged software).
On the other hand, it seems useful to integrate coverage of operating losses, when insurers are willing to offer it, in order to be protected from the financial consequences of an interruption of IT systems (production and/or inventory and purchasing management, etc.). Indeed, traditional operating loss insurance in principle excludes cyber risk. However, these solutions are not always available. According to SwissRé data (opposite), it is harder to obtain this type of coverage for businesses in certain sectors of activity. In practice, though, insurers seem more inclined to grant extended guarantees, in response to a need that is constantly increasing with the upsurge of cyber risk.
Since corporate financial protection is a central aspect of Cyber insurance, the coverage of "cyber extortion" has also become an important element, given the proliferation of ransomware on the net. This fact alone should already lead businesses to protect themselves more, because even an attempted extortion can cause insurable costs.
At the same time, some insurers also offer, through dedicated coverage and subject to certain conditions, to pay rewards to people who hold information that may stop hackers. The fight against the proliferation of Internet crime has in fact become a priority for insurers, alongside the initiatives of some public and institutional players (the project to create a Swiss DARPA linked to the army, the Center for Digital Trust at EPFL, etc.).
Finally, it is also necessary to cover losses suffered by third parties, since civil liability contracts tend to exclude them. Corporate liability may indeed be affected by a violation of the confidentiality of data resulting from a breach of the security of IT systems. For this reason, Cyber insurance in principle includes a civil liability component, often supplemented by a so-called "Media" civil liability coverage: this simply protects against the various risks the insured incurs through the use of their website (defamation, false statements, copyright violations, plagiarism, misuse of information, etc.).
In the event of a violation of the confidentiality of client data, companies must comply with their reporting obligations, and penalties may even be imposed on companies that are victims of hacking. Some jurisdictions allow civil fines (which is not the case in Switzerland), and the penalties imposed by the administrative authorities are therefore insurable in theory for businesses also operating abroad (except for criminal fines).
* The General Data Protection Regulation, which will come into effect on 25 May 2018, also applies to Swiss companies with clients domiciled in the EU, and provides for very significant fines (up to EUR 20 million or 4% of turnover). However, the enforcement of such penalties could face legal obstacles, and the administrative authorities may limit themselves to coercive measures.