Date: 20 August 2010
Cyber Threat Continues to Rise
In August, around £675,000 was stolen from 3,000 online banking
customers in the UK alone by criminals using the new Trojan virus, known
as Zeus v3, which cannot be detected by traditional anti-virus
software.
Cyber liability is a significant and growing risk for any business that
holds personal, financial or health information on their customers or
that is dependent on a network. Even banks – arguably the best
protected of any business – are struggling to keep pace with the threat
posed by technically sophisticated organised crime gangs, many of which
are based in Eastern Europe.
As the risks multiply, businesses are concerned about the impact of
rising financial penalties and, more significantly, the reputational
damage caused by a data breach.
ICO updates guidance
Under updated guidance issued on 8 July this year by the UK Information
Commissioner’s Office (the ICO), data controllers in any business
operating in the UK have “a duty to inform the Information
Commissioner’s Office by email or post”.
The notification should include:
• The type of information and number of records
• The circumstances of the loss / release / corruption
• Action taken to minimise / mitigate effect on individuals involved including whether they have been informed
• Details of how the breach is being investigated
• Whether any other regulatory body has been informed and their response
• Remedial action taken to prevent future occurrence
• Any other information companies feel may assist the ICO in making an assessment
ICO may recommend publication of data breach
Where the ICO finds evidence of a serious, deliberate or reckless breach
of the Data Protection Act, it has the power to issue fines up to the
value of £500,000. It may recommend that the breach be publicised if it
considers “there is a strong public interest argument to do so.”
Dan Hopkinson, partner at Lockton International, comments:
“Site security is a major issue for all online retailers, as hackers and
phishers are using increasingly sophisticated techniques. Many use
malware Trojans to gather passwords and other personal information,
making many people’s account details very vulnerable to attack. In
addition, customers make it easy for cyber thieves by using the same
password across multiple sites.
“Security problems are being exacerbated by the popularity of social
networking sites. People often put personal information such as where
they went to school, and where they went on honeymoon on Facebook and
other social networking sites; they then use these facts as answers for
security on e-commerce sites. So with a little research a cyber thief
can make an educated guess as to the answers to security questions.
“It is not surprising with the news full of online security and data
breach stories that data security claims are predicted to become a
major source of liability claims in the coming years. With fines
escalating, it is surprising that only about 20% of businesses with an
online presence are protected by cyber liability insurance.
“Insurance cannot stop the fraudsters, but it can help to protect a
company’s balance sheet should a cyber crime incident affect their
business and its reputation. We can arrange competitively priced
insurance that will cover the cost of regulatory investigations,
customer notifications and any subsequent civil suits. In addition,
insurance will provide access to advice from reputational management
specialists, should a major breach occur.”
Lockton Companies International Limited specialises in the design,
placement and management of technology, media, telecom and cyber risk
insurance. It works with retailers to help them understand and contain
their exposure to online fraud, data breaches and other forms of cyber
risk through arrangement of suitable insurances. Its specialists create
tailored insurance programmes to help protect their clients’ businesses
against the direct costs of business interruption and additional
expense associated with a data breach or system outage – as well as
integrated programmes covering cyber risks along with other technology
and professional liability risks.