Charities quantifying and responding to cyber risks
The cyber threats to charities are growing exponentially year on year. Many observers now believe that it is a case of "when" rather than "if" a charity will be the subject of a direct cyber attack, while some charities have inevitably been caught up in the fallout from cyber attacks directed at other organisations, or from general cyber sabotage, e.g. international attacks.
Cyber breaches are a great threat to charities, yet only a few can truly quantify how great the threats really are to them.
That being the case, how do charities know they are correctly prioritising their risk management efforts and insurance spend? Completely eliminating risk is impossible, so charities need new methodologies to help them quantify where their investment should go. Here we explore how charities can calculate and measure their cyber exposures.
Assessing risks and remedies
Charities in particular are a high-profile target, as they hold information on volunteers, staff and donors, and the implications of GDPR (General Data Protection Regulation) mean significant fines are on the horizon. It is therefore critical to understand and mitigate the cyber exposure.
The first step in putting a financial figure on cyber risks is to identify your charity’s most important assets and its biggest vulnerabilities.
Cyber risks generally fall into two categories:
- Systems risks - those that involve services shutting down.
- Data risks - those that compromise information, ranging from sensitive data of your employees or volunteers to bank accounts.
But the assumptions will differ greatly depending on the nature of a charity's employees, volunteers and donors.
The challenge is to build a smart, well-designed cyber risk model that is able to capture and analyse potential direct revenue, liability and brand loss scenarios. Also important are the probable ancillary costs of fixing the problem: forensics, consulting costs, notification costs and potentially large regulatory fines.
Appreciating financial implications
To give you an idea of your exposure, consider the financial implications of cyber risk. With third party liabilities, for instance, you might be asked to compensate partners over years of remediation, so alongside damages you will need to consider legal fees and credit monitoring expenses.
Using both internal and external data relating to the operations and the health of their organisation, charities should be able to estimate their expected cyber losses over a one to three year period, just as they can forecast anticipated revenues. They should also be able to estimate what percentage of their income could suffer if their reputation were damaged.
Charities should also judge, drawing in part on previous incidents even where these were not direct cyber attacks, which applications are at highest risk.
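The scenario-based loss model the preceding paragraphs describe, written out as an added Python example (not the article's own method): each scenario carries the loss components the article names (direct revenue, liability, brand loss and the ancillary costs of forensics, consulting, notification and fines), and the functions produce the one to three year expected loss, the percentage of income at risk and a ranking of which scenario to address first. All scenario names, probabilities and figures are constructed placeholders, and the Monte Carlo percentile goes a step beyond the text's expected-loss figure, since a policy limit is chosen against a bad year rather than an average one.

```python
"""Scenario-based cyber loss model: added illustration, not the article's own method.
Loss components follow the article; all figures are constructed placeholders."""
from dataclasses import dataclass, field
import random

@dataclass
class Scenario:
    name: str
    annual_probability: float   # assumed chance the scenario occurs in a given year
    direct_revenue_loss: float  # income lost while services are down (pounds)
    liability: float            # damages, legal fees, credit monitoring for third parties
    brand_loss: float           # donations lost through reputational damage
    ancillary: dict = field(default_factory=dict)  # forensics, consulting, notification, fines

    def impact(self) -> float:
        """Total cost if the scenario happens once."""
        return (self.direct_revenue_loss + self.liability + self.brand_loss
                + sum(self.ancillary.values()))

    def annual_expected_loss(self) -> float:
        return self.annual_probability * self.impact()

def expected_loss(scenarios, years):
    """Expected cumulative loss over a one to three year horizon (additive model)."""
    return years * sum(s.annual_expected_loss() for s in scenarios)

def income_at_risk(scenarios, annual_income, years):
    """Expected loss as a percentage of income earned over the same period."""
    return 100.0 * expected_loss(scenarios, years) / (annual_income * years)

def rank_scenarios(scenarios):
    """Scenario names by expected annual loss, highest first: where to spend first."""
    return [s.name for s in sorted(scenarios, key=Scenario.annual_expected_loss, reverse=True)]

def single_year_loss_percentile(scenarios, percentile, trials=20000, seed=1):
    """Monte Carlo tail figure (scenarios independent): compare against a policy limit."""
    rng = random.Random(seed)
    losses = sorted(sum(s.impact() for s in scenarios if rng.random() < s.annual_probability)
                    for _ in range(trials))
    return losses[int(percentile * (trials - 1))]

# Constructed scenarios; the ransomware total mirrors the article's GBP 80,000 claim
# (GBP 4,500 of it ransom) but the split between components is invented.
SCENARIOS = [
    Scenario("Ransomware outage", 0.15, 10_000, 0, 5_000,
             {"forensics": 40_000, "consulting": 20_500, "ransom": 4_500}),
    Scenario("Donor data breach", 0.05, 0, 50_000, 80_000,
             {"forensics": 25_000, "notification": 15_000, "regulatory_fine": 60_000}),
]
ANNUAL_INCOME = 2_000_000  # constructed
```

With these figures the expected loss over three years is £70,500, about 1.2% of income, while the 90th percentile single-year loss is £80,000, the number a policy limit would need to cover.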
Risk management expenditure
With this information it will be easier for managers to gauge if their charities have the right level of cyber risk protection as well as help to budget for potential additional spending.
Questions like "how much should the charity invest in evaluating the state of its vendors’ and partners' cyber security?" and "at what cost is more authentication software appropriate given the likelihood that critical data will be accessed?" become much clearer.
Charities can also balance how much they should invest in training of employees and volunteers, or in more technical controls to monitor potential cyber breaches.
These quantification techniques help to evaluate not only where investment pounds may be best spent but also, often, the viability of investing in a new product or service.
Cyber crisis management plan
An experienced insurance broker should work alongside a charity to create a plan for responding to a cyber incident, tailored to the way the charity operates. This should work in conjunction with the charity's existing business continuity plan.
The worst really can happen to a charity as this real life example shows:
A medium-sized charity was subject to a ransomware attack and contacted its insurance broker for help, as its outsourced IT firm was unable to provide meaningful assistance. The charity had not purchased cyber liability cover, despite a competitive quotation provided in the previous months. However, the claim was made under the charity's special contingency policy. The insurer's emergency assistance providers were able to provide advice in dealing with the criminals and arrange for the bitcoin ransom to be paid.
A forensic IT firm was appointed to identify and remedy the breach as well as to provide ongoing monitoring. The charity's system was quickly back online and it was able to continue with its humanitarian work both in the UK and overseas. The total claim cost was £80,000, of which £4,500 was the ransom paid.
Necessary risk mitigation
99.3% of cyber attacks could be mitigated, or partially mitigated, by these five basic controls:
- Boundary firewalls and internet gateways. These are devices designed to prevent unauthorised access to or from private networks, but they must be set up correctly, whether in hardware or software form, to be fully effective.
- Secure configuration. Ensuring that systems are configured in the most secure way for the needs of the charity.
- Access control. Making sure only those who should have access to systems have access and at the appropriate level.
- Malware protection. Ensuring that virus and malware protection is installed and is up to date.
- Patch management. Ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.
Cyber insurance will often represent great value for charities, bearing in mind the potential financial liabilities arising from cyber risk.
The cyber insurance market has developed rapidly in the last few years, with many new carriers entering the market. Every insurer has developed cover in its own way, so comparing policy wordings is challenging, and insurers do not respond to the various risks in the same way. Even so-called "best of breed" policies can have their drawbacks.
When placing cover the following must be taken into account:
- Is social engineering (when a third party fraudster mimics legitimate correspondence) included, and to what degree?
- How does the business interruption cover work, and when is it triggered?
- Are all notification costs covered, or only those mandated by law?
- Will the outsourced service provider be covered? This is particularly important if the data is migrated to the cloud.
- Are payment card industry fines covered?
- What retroactive date will apply?
- Are the policy conditions reasonable? Conditions to check include:
  - a confidentiality clause;
  - a reasonable precautions condition precedent (the charity being required to take all reasonable precautions);
  - searches required to identify prior circumstances;
  - a prohibition on agreeing to subrogation waivers (which would limit the rights of the insurer), which most policies contain;
  - the requirement to use the insurer's chosen experts;
  - non-contribution (other covers for the same risk not operating), which needs to dovetail with other policies.
- Is contractual liability included?
- Is physical damage following a cyber attack included?
- Are forensic costs included?
- Are Information Commissioner's Office investigation costs included?
- What is the situation regarding cyber extortion? In some countries it is illegal to insure against extortion, something to be examined if the charity operates overseas and has IT there which could be vulnerable.
- Is negligent transmission of a virus included?
Immediate access to advice
The true value of a cyber insurance policy for a charity is the immediate access to expert advice following a breach. The more experienced cyber insurance brokers have providers in place to deal with all aspects of a cyber incident both in the UK and internationally.
Comprehensive insurance facilities are therefore available to charities in the event of a cyber attack, and charities should make full use of them, but they do need to obtain the cover before they are affected by an attack.