Preparing for the worst: the importance of cyber contingency planning

It is often said that data is the new oil of the digital economy.

For many companies, the harbouring and capture of data is at the heart of their business. Tech start-ups in particular are driven by data, as they search for digital oil to turn into innovative new services.

Data is the value asset of these businesses, but like any traditional asset, data is at risk of:

  • Theft
  • Damage
  • Loss
  • Extortion

Recent global cyber attacks have underlined the importance of properly preparing for cyber attacks before problems arise.

That applies to all commercial enterprises, from tech start-ups through to multinational companies and their insurers.

The problem

Ransomware has become the fastest growing cause of cyber insurance claims, with powerful malware such as ‘WannaCry’ attacking an increasing number of businesses. This may, however, be a mere tremor, with an earthquake yet to come — WannaCry inflicted relatively little damage compared to the more recent ‘Petya’ attack.

This new breed of ransomware appears to be more dangerous, and has caused chaos for businesses around the globe.

Early indications suggest that ‘Petya’ could cost 10 times more than ‘WannaCry’ to unravel and resolve. In real terms, that means that businesses across the globe will be paying many millions of pounds in legal and regulatory costs, customer mitigation initiatives and IT/forensic costs.

In addition to these immediate costs, businesses should be mindful of the sideways exposure of cyber attacks, in particular business interruption and the longer-term impact of lost competitive advantage and customer confidence.

The trend should not be ignored. These types of attack are becoming ever more technically capable of infiltrating some of the world’s most sophisticated organisations.

Ever-increasing exposures

Regulatory exposures are also developing, and businesses need to meet this burden head on. For example, the long-awaited General Data Protection Regulation (GDPR), which comes into force in England and Wales in May 2018, will impose more onerous regulatory burdens and introduce the potential for considerably higher fines to be handed out by the Information Commissioner’s Office.

Even more troubling, GDPR will make it easier for third parties to bring claims against those responsible for losing their data.

In cases where several thousand customers are affected by a data breach, the attritional effect of multiple customer claims could be substantial.

The Federation of Small Businesses has recently highlighted cyber risks as being a key area which requires priority attention in the FinTech industry, and other industry bodies are making similar noises.

Whilst there are no easy solutions when it comes to cyber risks, both insurers and businesses need to be thinking about practical issues and what can be done now.

Contingency planning for insurers

Most insurers will have already built a financial contingency plan for dealing with the fallout of mass attacks such as ‘WannaCry’ and ‘Petya’. However, attention also needs to be focused on the practical implications of dealing with an attack simultaneously affecting hundreds or thousands of their insureds.

For example:

  • How will the claims teams deal with a flood of urgent notifications?
  • Are the insurer’s third party response teams able to simultaneously service multiple insureds who are in the grip of an attack?
  • What happens if the insurers’ systems are also affected by the attack?

These are difficult issues to plan for, but insurers will be able to use ‘WannaCry’ and ‘Petya’ as ‘dry runs’ to build a robust, and practical, contingency programme.

Contingency planning for commercial entities

Cyber contingency and remediation planning is an absolute must for businesses of all sizes.

All commercial entities need to think about:

  • How sensitive customer/client data is stored and who within the business has access to it.
  • The robustness and appropriateness of cyber training given to staff. Cyber criminals often target junior administrative staff as they tend to be overlooked when it comes to training.
  • Their contractual relationships with customers and clients. Can pockets of potential future liability be excluded?
  • Their contractual relationships with third party IT suppliers. Who is responsible for backing up and updating software? Does the third party attempt to unreasonably exclude liability for loss arising out of their own negligence? Will the IT supplier be available to immediately assist if a cyber attack occurs?
  • How will the business communicate with customers and clients if all IT services are lost?
  • The benefits of cyber insurance.

Kennedys advises tech companies and their insurers on a wide range of legal issues. We can assist on company and commercial pre-emptive measures.

Kennedys also provides a range of post-breach services to companies affected by data loss incidents or cyber attacks.

Read other items in the Professions and Financial Lines Brief - August 2017