So you think buying cyber insurance means your firm will avoid a major nightmare?
You’ve bought a cyber insurance policy to help protect your firm against devastating cyber attacks. It looks comprehensive so you can finally sleep at night. But before you get too carried away, is that really the case? Many accountancy practices which have been victims of a cyber attack held cyber insurance policies. That cyber insurance did not prevent them from being the next victim. Of course, you will be glad you had the policy if the worst does happen, but it is essential to understand the difference between cyber risk management and cyber insurance. Simply put, cyber insurance is the transfer of residual risk once you have taken the right steps to manage your cyber risks in the first place. That includes carrying out proper cyber risk assessments and implementing robust cyber security controls.
What is not covered by cyber insurance?
There is no substitute for having proper cyber risk management in place. Cyber insurance may allow some costs to be recouped, provide cyber specialists to help deal with the immediate crisis and may even allow payment of a ransom demand in some cases, but there is a range of issues that cannot be resolved by simply putting insurance in place.
Difficulties that we have seen firms trying to manage after a cyber attack include:
- Senior management working through the night trying to work out how they are going to continue to run the business with no functioning systems
- Fee earners unable to continue cases while locked out of their systems
- Having difficult conversations with clients explaining how and why their confidential information has been breached and the fact that their transactions are unable to proceed
- The requirement to communicate the problem to clients, staff, other third parties and the press, again without being able to use the firm’s usual methods of communication
- The need to report the incident to the ICO, the ICAEW and law enforcement agencies
- Internal disruption, as well as blame and condemnation among personnel
- Extensive lost time
- The arguments over fault and liability in cases of diverted payments
- Trying to negotiate with criminals over their ransom demands for the return of confidential data or decryption of systems
- The fact that the underlying weaknesses that allowed the cyber attack to happen will still need to be identified and eliminated
The National Cyber Security Centre (NCSC) notes that:
“Cyber insurance will not instantly solve all of your cyber security issues, and it will not prevent a cyber breach/attack. Just as homeowners with household insurance are expected to have adequate security measures in place, organisations must continue to put measures in place to protect what they care about.”
Why is cyber risk management essential for accountancy practices?
The professional services sector is a high-risk when it comes to cyber security. Criminals have found a variety of methods, including email account takeover and ransomware attacks to be particularly profitable in a profession where data protection and client confidentiality are crucial.
The major risks of failing to proactively implement strong cyber security measures that cyber insurance will not help with include:
1. Breach of legal and regulatory obligations
The ICAEW requires all practices to comply with legislation. This includes compliance with UK GDPR for the protection of personal data. Basic requirements include:
- Carrying out regular risk assessments for the security of data
- Putting effective controls in place, including:
- Providing relevant training to personnel and having policies in place outlining expected behaviour
- Having secure technology
- Having the right policies and framework in place in respect of governance
- Regularly testing, assessing and evaluating the controls
- Being able to provide evidence of compliance with the above
Failure to comply with legal and regulatory obligations can result in substantial fines – fines by the way, that your cyber insurance policy won’t cover.
2. Data breaches
In the case involving law firm Tuckers LLP, the ICO issued a fine of £98,000. A ransomware attack resulted in a personal data breach. Files were encrypted by the hackers, including court bundles, and a number were offered for sale on the dark web. The ICO found this was a result of the firm’s failure to implement appropriate technical and organisational measures and Tuckers had failed to process personal data in a way that ensured its security and protection.
The ICO stated that due to the confidential nature of data held, schemes such as Cyber Essentials and Cyber Essentials Plus were NOT sufficient security standards.
As Tuckers involved a law firm, the ICO also highlighted breaches of the Solicitors Regulation Authority Code of Conduct which it regarded as an aggravating factor. In the context of a breach relating to ICAEW members, one can expect the ICO to scrutinise (for example) ICAEW Code of Ethics, including 110.1 A1 Fundamental Principle (c) (Professional Competence and Due Care) and related R113 (competent professional service based on current standards and relevant legislation); Fundamental Principle (d) (Confidentiality) and related R114 (to take all reasonable steps to preserve confidentiality, and being alert to the possibility of disclosure); Fundamental Principle (e) (Professional Behaviour to comply with relevant laws and regulations) and related R115.
In the Interserve case, the ICO fined the construction company £4.4m over its failure to protect its employees’ data from cyber attacks. The Information Commissioner said companies should “expect a similar fine from my office” if they fail to put proper protections in place. The ICO made it clear it will have regard to “relevant industry standards of good practice” such as ISO 27001; the National Institutes of Standards and Technology; the various guidance from the ICO itself; from NCSC and from any sector regulator.
3. Breaches of client confidentiality
A breach of client confidentiality will have implications for your clients, their affairs and your reputation. It is very hard to remedy the loss of confidentiality in any meaningful way and there is a substantial risk that major clients could look elsewhere for advice.
4. Business disruption
Business disruption can also result in substantial losses, both in momentum and for clients who may lose trust in a firm that has failed to put adequate security in place. The initial difficulties can be crippling, and the long-term issues can last for many weeks or months whilst those involved scramble to restore systems and databases and persuade clients not to jump ship.
The importance of dealing with cyber security at partner level
Given that cyber security failures have the potential to devastate a practice, it must be understood that this is a matter for the senior leadership team in the firm. It is the senior partners who will have to face the consequences, answer to regulators, the ICO, clients, other affected third parties and their own colleagues. The senior leadership team need to have the appropriate management information in place that is discussed regularly at partners meetings.
The Government’s draft Cyber Governance Code of Practice, aimed at executive and non-executive directors and other senior leaders, highlights the fact that cyber risk should have the same prominence as financial or legal risks and that responsibility and ownership of cyber resilience is a Board level matter.
The importance of independent assurance
It should also be recognised that proper cyber risk management requires some independent assurance carried out by genuine cyber security specialists with in-depth knowledge of the latest security risks and experience of the attacks taking place in your sector. They should be independent of your IT provider, because having your IT mark their own homework is a non-starter from a compliance perspective.
Who are Mitigo and how can we help?
At Mitigo, we offer specialist advice and cyber security services to accountancy practices and other professional services. We are not an IT company. We know that you are a prime target for cyber criminals and our experts have the understanding needed of both your business and potential cyber risks to give you the protection you need.
We can work with your business and your IT partner to identify potential risks and eliminate them without delay. So don’t rely on your cyber insurance to save the day. The only way of effectively protecting your organisation is to ensure that your security protocols and systems are as strong as possible.
Mitigo are partner of the Institute of Chartered Accountants in England and Wales (ICAEW) and the Institute of Chartered Accountants of Scotland (ICAS). Our bespoke service takes into account the particular requirements of your working practices and the threats you face.
Contact us today for a vulnerability risk assessment
If you would like a cyber security overview carried out by our cyber security experts, contact us today. We will identify any issues that need attention and work with your business to ensure that you have the optimal cyber security protection for your organisation.
Speak to one of our cyber security experts by calling 0161 711 0201, emailing us at info@mitigogroup.com or filling in our contact form.