IT contractor guide to data breach and cyber security insurance
Cyber crime and data theft are among the fastest-growing threats to businesses of any size, from one-person companies right up to big multinationals.
In fact, the latest government figures suggest that nearly three-quarters of small businesses have suffered some form of information security breach, according to the Information Security Breaches Survey 2015. No business, not even a single-person operation such as those run by IT contractors, is immune to a security breach.
That’s why Hiscox are leading the way with their cyber and data risks insurance which is designed to support and protect your business if it experiences a data breach or is the subject of an attack by a malicious hacker that affects its computer systems.
Working in IT, you are exposed to a whole range of threats. These risks include:
- loss or theft of personal data
- loss or theft of commercially sensitive information
- inoperable IT systems, making your business unable to function after being hacked
- intellectual property infringement, defamation or extortion.
That is why every business, even the smallest of companies, should make sure it has done everything reasonably possible to protect its operation from the risks associated with cyber attacks.
The following guide outlines those risks, offers hints and tips to help you deal with the threat, and explains how cyber and data risks insurance can help protect your business and your reputation.
What types of cyber and data risks do IT contractors face?
The risk of a problem arising from your computer systems, or from the sensitive customer data you hold, continues to grow. Your business may hold personal information on clients or customers, including names, addresses and bank details. Your systems and data may be held on physical servers or in the cloud, or you may rely on a website to run your business. Damage to, or unauthorised access to, any of these could leave your business unable to function, and lead to reputational damage and legal or regulatory costs.
As an IT contractor, your cyber and data risks include:
- data breach – someone hacks into your systems and accesses personal or confidential data. The impact could damage your reputation with clients, who might take legal action against you, and result in costs from regulatory action you are required to take. It need not be a malicious attack either: a data breach can result from something as simple as losing a memory stick or leaving a laptop in a taxi, particularly if the device is not encrypted.
- cyber business interruption – if an unauthorised intrusion into your systems prevents you from accessing your systems, what would happen to your business? Do you have contingency plans?
- extortion – a hacker could hold your business to ransom, demanding money in return for not releasing confidential information they have stolen, or for unlocking your IT systems
- hacker damage – a hacker could simply disrupt your website or systems, which will then need to be repaired.
How can contractors prepare for security breach incidents?
As with most areas of risk management, the best place to start is to prevent the problem happening in the first place rather than waiting to deal with the consequences. It’s important to start by understanding where your vulnerabilities are. Look at what information you hold, both for your own business and any clients you might be working with, and where you store it. Think also about what systems you will need to be up and running in order to function as a business. Then:
- List all your information assets such as email, customer databases, Microsoft Office documents – Word, Excel – and understand what risks they could be vulnerable to e.g. hacking, theft, employee misuse.
- Consider what IT services you rely on e.g. email, a website. If these are down, can you function as a business while a hack is being investigated?
Once you have a clear picture, you can start to address any weaknesses: install appropriate anti-virus software, apply software updates as soon as they are released, encrypt the data you hold (especially on laptops and removable media), and have contingency plans in place should any system go down.
Dealing with a data breach
So, despite your best efforts, a data breach has taken place. This is where a good incident response plan plays its part: it makes sure that the breach is closed off as quickly as possible to prevent further loss of data, and that you understand what data has been lost. Your incident response plan should set out clear procedures to follow as soon as a breach is discovered, covering areas such as:
- technical – do you have the IT skills to identify how the breach happened, close it off and repair the damage? If not, make sure you know someone who does, and that they are available at any time
- legal – a data breach can raise all sorts of liability issues with clients and contacts, not to mention action by regulators – make sure you have access to legal support
- communication – you will need to tell your clients and contacts what information was stolen. It is important for your ongoing reputation that you consider and list in advance who you would need to notify in the event of an attack – customers, suppliers and other third parties such as regulators
- you will need to use multiple communication channels – possibly phone, email and social media
- what will you tell them? As a small business, you will probably need to personalise communications as much as possible. Bigger clients, for example, will appreciate a phone call rather than just an email. Clients will be looking for reassurance that the situation is under control.
Can a cyber and data risks insurance policy protect you?
In conjunction with good risk management, cyber and data risks insurance is available to support and protect you and your business if you experience a data breach, or are the subject of an attack by a malicious hacker that affects your computer systems.
Cyber and data risks insurance will meet many of the costs incurred following an incident, such as:
- the cost of forensic investigations
- legal advice
- notifying customers or regulators
- support such as credit monitoring to affected customers
- compensation for loss of income, including income lost through damage to your reputation, if a hacker targets your systems and prevents your business from earning revenue.
A policy can also provide third-party liability cover, for example where a client sues you for losing their confidential information, and will pay the costs associated with regulatory investigations and settle civil penalties imposed by regulators where the law allows. In addition, if you mistakenly infringe someone’s copyright, for example by using a picture online without permission, or inadvertently libel a third party in an email or other electronic communication, you can be covered against any resulting legal action.
It is important to look for a policy that not only pays out following a problem but proactively helps to minimise the possible damage to your business and reputation. This can mean immediate access to legal and forensic IT help as well as expert public relations practitioners to help you manage the crisis effectively.
Getting the right cover
You can choose from different levels of cover to ensure you get the right protection for your business. When working out the amount of cover you need, you should consider:
- the amount and type of confidential, personal or sensitive data you hold
- the size of your business
- your dependence on computer systems.
Can my limited company cover the cost of a cyber and data risks insurance policy?
Cyber and data risks insurance is becoming as important as the insurance many businesses buy to cover conventional risks such as their office contents. Those businesses tell us that, for the relatively modest amount a policy can cost, it is a worthwhile investment.
Also, most business insurance policies, including cyber and data risks insurance, can be offset against your company’s tax if you run a limited company.