Cyber Risks and Insurance

The overwhelming majority of Portuguese companies are SMEs, and in recent years, whenever the issue of cyber risks was raised, most of them would answer something like:

"We are too small to care."

Be careful, and do worry, because today's reality has brought incontrovertible evidence.

AIG is one of the world's largest insurers in this field, compiling important cyber claims statistics, and warns that:

"While large companies continue to improve their security mechanisms, cyber criminals have started to look for smaller and easier targets: 75% of database attacks occurred in companies with fewer than 100 employees. Smaller companies may not have the resources to ensure the effective integrity of their databases and prevent loss and damage, or mechanisms and strategies to mitigate that damage after an attack."

Over the next few issues, we propose to bring our readers insights into this constantly changing reality, which is devastating the entire planet. In the World Economic Forum's ranking of the risks that most affect the world, or may affect it in the short term (see the article on major industrial accidents in this issue), cyber risks are among the Top 10 most likely and most impactful.

It resulted from the illegal and unauthorised withdrawal from a bank account with BPI - Semanário Expresso | 27.11.20

News like this, involving more or less damage, is almost a daily presence in the tabloids all over the world and Portugal has been in the special sights of cyber attackers:

According to the latest data from the Attorney General's Office for Cybercrime, in the first five months of this year alone there were 139% more cybercrime reports than in the whole of 2019, which put Portugal in the Top 30 countries with the highest number of attacks in the world. This increase in attacks resulted from attackers taking advantage of the pandemic lockdown period: the rapid decisions that had to be taken made it difficult to make users properly aware of the security measures for remote working and, in this way, the doors of many less protected organisations were opened!

And much of the impact could come within months, as stolen data often follows the sales circuit on the dark web and is only later used fraudulently.

Our country has been on the radar of cybercriminals

And what kinds of attacks have we been subject to in Portugal?

90% of attacks have predominantly been carried out via phishing* email campaigns (data theft).

The threats targeting Portuguese companies far exceed the Iberian, European and global figures, whether they are mobile threats, banking attacks, cryptomining or botnets; only for data theft (3.1%) are they in line with world figures!

(Source: Link to Leaders, 16 May 2020)

*In future issues, we will explain these concepts and their risks.

Let us now look at two real examples that affected Portuguese companies:

  1. Source: AIG Insurance. In mid-April a small company received an email from a foreign domain informing them that their computer system had been attacked and infected with a virus and that it would be blocked and their entire database destroyed. To prevent the blocking and destruction of the data, the hacker demanded €10,000 ransom.

 The company immediately activated its cyber insurance policy (in this case AIG). The insurer provided the services of its specialists and forensic experts, who detected that the hacker's "gateway" had been the download by an employee of a Covid-19-related file attached to a fraudulent email. The insured also received legal support from the start. After five days, the insurance company's specialists were able to restore the operating system and recover the data.

The insurer bore all these costs, which amounted to several thousand euros. Additionally, as the company was inactive and had to suspend its commercial activity, the insurer paid for the loss of profits it suffered. There were no claims from customers arising from a failure in the security of the insured's network or a failure in data protection; however, if this had occurred, they would have been covered by the policy subscribed.

  2. Source: Hiscox Insurance. A publisher was notified by a computer security specialist that its customers' user names and passwords had been intercepted.

Hiscox had their forensic technicians investigate the event. They confirmed the attack and began repairing the security breach. The publisher also received legal advice on how to contact the affected users and explain to them that their data had been compromised, as required by law. In addition, the information monitoring service was activated to prevent fraudulent use of the stolen information.

The costs covered by Hiscox exceeded 15,000 euros.

As can be seen from these examples, a competent cyber insurance policy offers a very wide range of support services and cover, at even lower prices (the annual cost may not reach 1,000 euros).

The combination "Management/protection + cyber risk transfer" is today fully advisable and, in a growing number of cases, a factor of survival and continuity.

 There are solutions for companies and also for families.

We are at your disposal to study the solution that best suits your case.

Due to its relevance and topicality, we promise to address this issue in more detail in future issues.
