This advice has been collated by EMSOU and is intended for wider distribution within the East Midlands Region to raise awareness among businesses and the public. Advice and information are changing daily as we navigate our way through the COVID-19 pandemic, so please ensure you only take information from reputable sources. If you require any further information, assistance or guidance, please contact the EMSOU Protect Team or your local Force Protect team.

Today's topic is Cyber Insurance

In July 2019, more than 100 million customers had their personal information exposed following a massive data breach at Capital One, the fifth-largest credit card issuer in the US. Data breaches are not restricted to large financial institutions: we have seen them take place in healthcare, airlines, retail, restaurants, entertainment, social media, hotels and manufacturing, highlighting that any organisation can become a victim.

In addition to financial damage and reputational harm, data breaches have a significant impact on an organisation's operational capabilities. Mondelez International, one of the world's largest snack companies, announced that "a global malware incident" affecting its sales, distribution and financial networks had cost it $54 million in 9 months.

The theft of stock from a warehouse would be covered by insurance, but would the financial effects of a cyber incident be covered by your insurers? General liability insurance does not typically cover cyber-related incidents, and legislative and regulatory changes regarding personal data have led to a sharp increase in litigation. Instead, you will need:

First-party cyber insurance, which helps to mitigate the financial impact of a cyber incident on the business itself, such as crisis management and business interruption costs.

Third-party cyber insurance, which picks up the costs arising from impacted customers and other parties: settlements, fines, attorneys' fees, legal expenses etc.
Before purchasing a cyber insurance plan, organisations need to assess:
• What sensitive information do you hold, and what is its value?
• What are the financial impacts of its exposure, including any legal, regulatory or contractual penalties imposed?
• Which systems are critical to performance and profitability?

The next step is to determine the amount of coverage. Policies can mitigate the cost of:
• Diminished business operations and incident response (e.g. forensic investigations)
• Notifying affected parties and offering credit monitoring
• Crisis management and public relations
• Lost or stolen devices or data (hardware replacement)
• Legal advice and litigation brought by affected employees, customers, third parties and regulators
Also note that the policy should go beyond traditional network security incidents (e.g. denial of service or defacement of a website) to cover more recent attack vectors such as social engineering, phishing or ransomware. The policy may also need to cover incidents that happen anywhere in the world, not just in a specific country.
Managing the cost