Securing the Future: How Cyber Insurance Protects Museums and Visitor Attractions

An Overview of Cyber Insurance

Cyber is an element of insurance that is often misunderstood, due to its complexities and wide-ranging covers. The cover can broadly be split into three: first-party costs arising from an incident interrupting your own systems; third-party costs due to an inadvertent virus transmission or the compromise of data; and finally, the theft of money and/or data through fraudulent cyber means.

Threats to the Museum & Visitor Attractions Industry

Breaches in cyber security are a risk for most businesses in an age where technology has significantly changed human behaviours. Cyber criminals are increasingly sophisticated and such attacks are commonplace; Government statistics show that 32% of businesses suffered some form of breach in 2023, rising to 59% for medium-sized businesses and 56% for charities with income beyond £500,000 (https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cyber-security-breaches-survey-2023). Even the most proactive of museums are at risk within this fast-paced and evolving industry. Digitisation, for example, has created considerable efficiencies by converting physical reporting to digital reporting.

This naturally reduces costs and human errors, but brings with it an increased reliance on internal systems which could be compromised. In the event of an attack, the interruption to a museum and its cash flow could be considerable. Systems may be impacted indefinitely, causing an operational challenge and reputational risk, not to mention the associated loss of profit. The same can be said in the event that a museum compromises confidential third-party data or is alleged to have transmitted a virus.

Museums can hold significant volumes of third-party data, so these risks need to be considered and managed accordingly. A well-publicised incident involved The British Library in October. The British Library was subject to an attack by a ransomware group, whereby almost 500,000 files containing personal information were leaked, and a week-long auction was held asking £600,000 for the full dataset. Soberingly too, following the October attack, The British Library has warned that disruption to some of its operations may persist for months to come, possibly until the autumn or even longer, which evidences the significant disruption that such an attack can cause a museum.

Insuring Cyber Risks

The ever-changing risks of cyber security can be transferred to an insurer, adding reassurance and security. There are plenty of key benefits, not least the protection of cash flow. Insurers now commonly provide a host of additional services to support museums in managing cybersecurity threats. These include training tools that educate employees to spot fraudulent activity and minimise the risk of allowing a breach. Specialist insurers can also provide museums with a continuous scanning platform that notifies the museum's IT team when it becomes aware of potential vulnerabilities. This, in addition to the 24/7 breach experts often provided, can significantly improve museums' internal practices for managing their risk.

From a cover perspective, insurers will indemnify a museum for the costs it incurs from any extortion or ransom demand, the costs of repairing system damage and rectifying data, breach notification costs, and, importantly, the associated loss of gross profit. In the event of cyber infringements harming a third party, insurers can also cover defending and settling such allegations, in addition to associated PCI fines. A pivotal part of recovering from any cybersecurity incident should be averting and mitigating any damage to the reputation of the business, and a specialist Cyber insurance policy can provide an outsourced PR consultancy specifically for this purpose.

Summary

For museums that rely on their IT systems, preventative measures and internal procedures should be at the forefront of handling cybersecurity risks. These can include commonly utilised methods such as multi-factor authentication, penetration testing and cyber awareness training for employees. Insurance cover should be an important component too, transferring the various risks and consequences to insurers. Insurers will not only cover the financial and reputational costs, but also provide added-value services to complement existing internal procedures.