As you will have seen from the previous articles on GDPR, the new regime will place considerable additional burdens and onerous responsibilities on businesses and on the individuals within them. The result is a large increase in risk, which can lead to severe financial penalties, quite apart from the devastating effect a breach can have on your own business.
These risks can be transferred to an insurance company if you are unwilling to carry them yourselves. Many insurance policies now cover the financial losses you incur from a data breach, as well as those of your clients/customers for which you become liable, together with many of the following additional risks:
Data protection and liability
Damages and defence costs, arising from:
– Data liability
– Security liability
– Data protection investigation and fines
– PCI-DSS assessments
Loss of profit and ICOW, arising from a material interruption, caused by:
– Security failure
– System failure
– Outsource service provider security failure
– Cloud service failure
– Legal services
– IT services
– Data restoration
– Reputational protection services
– Notification costs
– Credit monitoring and ID monitoring
– Ransom payments
– Investigation / negotiation costs
Such policies will arrange for IT experts to help you rebuild/rewrite your systems, set up your security and manage your reputation and PR after the event. Furthermore, should you accidentally pass on viruses, ransomware etc., the financial losses suffered by your clients would also be covered.
At the end of the day, though, it is down to you to introduce the security systems, checks and procedures. The better these are, the lower the cost to you, both in terms of the cost of risk transfer and, more importantly, your reputation.
If the above list doesn't frighten you enough into doing something, then perhaps the following examples will:
Hacked email identity
Two payments were made by an employee in the accounts department to two different UK Barclays bank accounts on what appeared to be an emailed instruction from the company's finance director. However, this was a case of hacked email identity: someone was using the finance director's name and email address from a different domain name!
– First payment: £22,183
– Second payment: £18,211
Both were paid out of the account on the same day!
Retailer – Cyber Extortion
The retailer has a trading entity with an online presence. The company received a demand from an individual or organisation for payment of a set sum, failing which they would crash the website. The payment was not made and the individual launched a denial of service attack. The website crashed multiple times. During one attack, the Insured lost revenue of £250,000.
Non-physical business interruption
A company suffered a system failure due to faulty hardware, leading to the corruption of data. The point of sale (POS) system failed, as did the automatic stock re-ordering system. Staff dealt with the POS failure by reverting to manual processes. Once systems were restored, the supermarket had to perform a full stock-take to establish what had been sold, what had been re-ordered and what still needed to be replenished.