With the recent reports on the cyber-attack on Travelex and, in particular, the cyber gangs’ reported demand for payment of a ransom of $6m to avoid them releasing sensitive customer information, it is once again evident the significant impact that cyber security and cyber breaches has on businesses.
Since the introduction of the new General Data Protection Regulations, companies can now receive a maximum fine of 4% of its global turnover or $20 million (whichever is greater) for breaches of data protection obligations. Given the level of potential fines as a result of security breaches, cyber gangs / hackers now have a significant weapon in their armoury to hold companies to ransom in the event of a security breach.
With such far reaching consequences and the crippling effect that a successful hack can have on a business as evidenced by the recent Travelex situation (whereby Travelex reportedly had to fulfil orders manually and take its services offline) it can often seem imperative that a company reacts immediately and urgently to a ransom request.
Whilst a prompt response to a cyber breach is inevitably required, there is a significant risk that, in trying to respond to the threat urgently, employees/the company may initiate unauthorised ransom payments in an attempt to avoid the damaging impact of the security breach. In doing so, it is possible that a company would invalidate any insurance policy which covers security breaches. Many insurance policies will have very clear terms in relation to their position regarding ransom requests. Insurers will almost invariably want to be kept up to date and immediately informed of any request for a ransom in order to provide cover. Organisations should contact their advisers and insurers as soon as possible to ensure that any response is dealt with in the appropriate manner.
Businesses must adopt a pro-active rather than reactive approach to cyber security. In particular, they should ensure that all employees are properly informed of the company’s insurance obligations and the processes which must be followed in the event of a security breach. Providing training to employees on their responsibilities and processes is crucial. Organisations must have robust and clear policies in place when it comes to data protection and their responses should there be a breach.
Companies should also liaise with their insurance brokers and advisers to select the most appropriate insurance cover depending on their risk appetite. This will require companies to carefully assess what cover they require and for what purposes.