Cyber attacks: a growing threat

Make sure that your business is ready for the challenges

Professional services firms are becoming increasingly reliant on technology, to perform both internal and external functions, whether essential or non-essential. But with cyber attacks a growing fact of life, it is now a question of ‘not if, but when’ firms suffer a business-critical event. Addressing this exposure is a challenge that all professional services firms must meet.

Accounting firms are an attractive target

Irrespective of the nature of its business, every practice has assets of value which can be leveraged by cyber criminals, or exposed to an indiscriminate computer virus. According to the most recent Cyber Security Breaches Survey, 39% of micro and small businesses across the UK have identified a cyber attack, with 82% of those reporting phishing attempts, and 25% identifying a more sophisticated attack type such as a denial of service, malware, or ransomware attack.

Nevertheless, accountancy firms represent a particularly attractive target for cyber criminals, due in large part to the sheer volume of confidential and sensitive client information which such practices typically hold. Clients’ financial details, tax returns, identification numbers, asset investments, corporate strategies, and intellectual property all constitute desirable information, and may relate to private individuals and businesses alike.

Where a firm’s cybersecurity is breached, the consequences can be significant. For instance, the release of client information could lead to devastating financial loss for individuals and bring significant damage to a firm’s reputation.

In one example with which Lockton is familiar, a recent malware attack on a global provider of accounting software had a profound effect on a broad range of their business platforms. The firm was forced to take some of its cloud-based software applications offline. Service to most of their customer applications and platforms was restored over a six-day period and after which a full investigation was undertaken. The firm’s accounting clients experienced major interruptions and delays of their own whilst their own clients’ data could not be accessed.

Where firms are then found to have been negligent in their handling of data and cybersecurity measures, they may be the subject of lawsuits from clients.

Preventing business-critical cyber attacks

Given the potentially devastating impact of a cybersecurity breach, it’s vital that firms take effective steps to mitigate against their occurrence.

As a preventative measure, firms must ensure that appropriate attention and investment be given to the levels of cybersecurity. This may include privileged access management, patching management, and SIEM (Security Information and Event Management) systems, as well as tools such as multi-factor authentication (MFA).

There must also be focus on ongoing risk management. Having suitable controls in place is essential to ensuring basic and common incidents can be avoided. These fall into three categories:

  1. Preventative controls – improving weaknesses in information systems to prevent the business from experiencing a cyber attack in the first place
  2. Detective controls – alert businesses to attempts to infiltrate their networks and warn them when a cyber attack occurs
  3. Corrective controls — used after a cyber incident to minimise the impact and help to restore functionality as quickly as possible, for example with back-ups.

The extent to which firms are adequately prepared is likely to dependent on size. Smaller firms typically lack the budget or resources to implement strong perimeter and internal defences, and thus represent low-hanging fruit for threat actors. This is reflected in the fact that 96% of all cyber attacks are directed at small and medium-sized businesses. Such firms are also more likely to pay ransom demands in the absence of appropriate advice or guidance.

On the other hand, while they are more likely to have strong cybersecurity measures in place, larger firms will represent a more valuable target for cyber criminals. Where such firms do suffer from cyber attack, the scale of the damage will be significantly greater.

Cyber insurance – a worthwhile investment

For all firms establishing financial and operational resilience is essential. An option to mitigate against the risks that cyber attacks present, is to take out comprehensive cyber insurance.

Doing so is not without cost. In the continuation of a trend more in the year in the making, premiums and self-insured retentions have ticked up, while limits continue to reduce. This is in line with a growing number of claims within the sector, and a rising average cost. As a result, many firms have deemed cyber protection too expensive relative to other forms of cover, such as professional indemnity insurance (PII).

But with cyber attacks occurring with increasing frequency, firms who choose to forego cyber protection must beware the significant gaps in their exposure. Contrary to popular belief, it remains the case that many traditional policies may not respond to a cyber incident. Where a policy does respond, it may only respond to third-party liabilities, and not first-party costs.

As a result, when faced with a cyber breach, affirmative cover under a standalone cyber policy may be vital. Such policies offer protection for businesses against risk relating to IT infrastructure and activities, including both malicious attacks and some types of inadvertent incident which cause harm to a business’ network or data. Policies will also offer partial reimbursement for the costs of responding to a cyber event, as well as resulting liabilities to third-parties.

Another significant benefit of a cyber policy is the breach response services provided, whereby the insured gets immediate access to an expert breach response team, including IT forensics, lawyers, PR and crisis management consultants, and ransom negotiators.

To minimise premiums, firms should instead focus on scrutinising their own exposures, with a view to providing underwriters with greater assurances around their cybersecurity controls.

Jack Bassett, assistant vice president, global cyber and technology, a division of Lockton Companies LLP

If you have any questions about professional indemnity insurance, please contact your Lockton Account Manager for further advice or email ACCAaccountants@uk.lockton.com.

Lockton is ACCA’s recommended broker for professional indemnity insurance