Supply chain cybersecurity is now one of the key overwhelming concerns for companies. Knowing where the weakest link is can be a real challenge particularly with insufficient remote access management over vendors and lack of visibility over incident reporting throughout the chain.

Although Financial institutions and large corporations are more likely to be attacked, Cyber-attacks are increasingly happening to SMEs, as well as mid-sized firms, and regardless of their industry sector.

The sudden and rapid increase of remote working and “WFH” (working from home) has meant that we are all much more digitally connected, operating on different networks, on multiple devices and not always sitting behind the office firewalls like before. Home “security” is not the same as business-grade infrastructure and when kids are using the same network streaming and playing games, the environment becomes less and less secure. For many of us, WFH is a new experience but it’s easy to become isolated from the warnings and helpful advice from co-workers who are more IT savvy. Face-to-face meetings have fallen dramatically due to the pandemic and email traffic has surged as a result. Our working habits are less predictable than before, when working hours were more consistent – making monitoring of suspicious activity harder. Hackers know all this.
A cyber-attack can cause no physical damage (a Property policy typically responds to destruction or damage to tangible property resulting from a physical peril), although the attack can shut down a business resulting in substantial expense costs and lost income.
What can we do?
Conduct Cyber awareness training across the business with simulated attacks, phishing experiments, strengthen passwords (and not allowing the same password to be used across multiple applications), set out your protocols for helping everyone to detect suspicious emails, install patches and even checking attachments before hitting “send” on emails. Checking email attachments can avoid inadvertently sending data to the wrong person and cleansing data to ensure confidential and sensitive personal data is removed. Regularly evaluate the supply chain and include security conditions where possible in supply contracts. Don’t allow the cyber-criminals take advantage of you if you haven’t activated your Microsoft Office security functions (don’t rely on the default settings) ….and backup your data.
 
It’s not all about the cyber-criminal. Employees must also be aware of the General Data Protection Regulation (GDPR), the obligations, strict breach notifications and the risks of fines and penalties.
The GDPR came into effect over 2 years ago and applies to the processing of personal data regardless of whether the processing takes place in the EU or not. This is relevant to offering goods or services to EU citizens (irrespective of whether payment is required). Businesses in violation of the GDPR can be fined up to 4% of their annual (global) turnover or EUR 20 Million (whichever is greater).
 
Insurance protection
Emails being compromised, extortion, ransomware, and forensic / IT / business interruption costs are common costly events to insurers.
 
Cyber events can cause losses relating to business interruption (loss of net profit and continuing operating expenses as a result of the cyber-attack), data confidentiality breaches by your employees or suppliers, data theft or loss, data recovery costs, malware, ransomware, extortion, damage to physical assets including damage to system hardware, damage to equipment from the impact of system malfunctions.
Cyber insurance is complex, relatively new and is not helped by different insurers using different definitions and techie-jargon. However, the exposures are growing and like any fast-paced dynamic environment it is advisable to keep up to date and not get left behind.