Towergate Insurance Cybercrime Case Study

Company: Towergate Insurance Brokers
Key Industry: Insurance & Risk Management Advisors
Key Sector: Insurance


Towergate Insurance Brokers is one of the UK’s leading independent insurance brokers and risk management advisors with over 60 “local” offices and more than 1800 employees dedicated to client service delivery.

The local Towergate office has been based in Hemel Hempstead for over ten years. They provide solutions to large corporations, organisations and SMEs with a local, regional, national or international footprint; businesses with complex needs requiring bespoke insurance programmes.

The Challenge

Through their trusted local team and network of experts, clients have access to an extensive range of independent tailor-made, trade-specific insurances, claims management and risk governance programmes.

Economic crime continues to be a major concern for organisations of all sizes, across all regions and in virtually every sector. One in three organisations reports being hit by economic crime with, according to PwC’s Global Economic Crime Survey 2016, both developed and emerging markets affected. The five most consistently reported types of economic crime are asset misappropriation, bribery and corruption, procurement fraud and accounting fraud – with cybercrime now in second place in 2016 in terms of frequency, having been steadily on the rise since 2011.

Since most businesses in the UK now use the internet, email or cloud technology as an integral part of their operation, they become ever more reliant on technology. This increases the vulnerability of each business to electronic security threats. A UK government report from 2016 found that 60%¹ of small businesses had suffered a data breach in the last year; a further 16% of small businesses experienced a ‘denial of service’ attack, effectively making their computer systems unusable. Recently hackers reportedly swamped a large high street retailer with junk traffic as a smokescreen, before breaking into systems and stealing the details of 2.4m of their customers. The most common terms for the issues (threats) associated with cyber include: data breach, viruses, hacking, and employee error.

In most small and medium sized businesses, responsibility for data control under the Data Protection Act lies with the owner of the business. The loss of personal or customer data can bring significant financial loss and/or prosecution. Any attacks could also significantly impair the company’s ability to operate. Therefore, if your business: holds sensitive customer details such as names and addresses and banking details; is heavily reliant on computer systems to conduct its business; has a website or is subject to a payment card industry (PCI) merchant services agreement; then it could be vulnerable to a data breach or loss of vital business services.

Given that a substantial number of UK companies have a website and email, every business is at risk and not just the large corporates or global organisations. Therefore, assessing the risk to a business is crucial. However, many smaller businesses and sole traders may not have the knowledge, skills or personnel to conduct such a risk assessment, nor the budget to ensure the latest security technology and procedures are in place.

The Solution

There are several risk management and risk transfer strategies that can be undertaken to minimise the exposure:

  • Identify and understand the risks – understanding the exposure of the business enables a number of bespoke precautions to be put in place, such as: a business security plan, the encryption of sensitive data, securing and hiding wireless networks, installation and maintenance of anti-virus software and firewalls, restriction of employee usage of non-business-related web sites and carrying out daily backups of data.
  • Planning ahead – the process of Business Continuity Planning (BCP) identifies potential threats to the business, evaluates the threats and determines the action required to minimise the effect that any resultant losses will have on the business. A viable BCP will also ensure that staff, customers and suppliers are reassured that there are effective policies and practices in place to manage the unexpected.
  • Risk Transfer – Many traditional liability and business interruption insurance products do not address the full range of risks associated with e-commerce and the internet. However, a Cyber Liability policy will fill the gap in the protection of your business by including your own losses (first party) and third-party losses (claims against the business by others):
    • First party protection covers your business for the costs of notifying customers and regulators and will also include network interruption to your computer systems which causes your business to be disrupted with the resultant loss of revenue.
    • Third party exposure involves the financial risks relating to loss or breach of personal or confidential information contained on your systems and protects you against claims for damages from data subjects resulting from the loss of their confidential information.

Though every data breach is different, certain industries can have more costly breaches. However, it is almost as important to consider those indirect costs which can also affect a company’s chance of rebounding from a cyber-attack, such as:

  • Litigation – The first, and most obvious, of these costs comes in the form of legal action, with many customers and victims seeking monetary compensation, even when financial losses cannot be quantified.
  • Damage to company databases – the cost of repairing and remediating a company database once it’s been hacked.
  • Reputational damage – One of the biggest impacts following a data breach is the effect on the company’s reputation. Research² has shown that up to a third of customers in retail, finance and healthcare will stop doing business with organisations that have been breached.

In addition, companies that have experienced a breach often see an increased cost when it comes to acquiring new customers.

Thankfully, there are ways in which an organisation can protect itself, i.e. with the purchase of the most appropriate Cyber Risk Insurance Policy.

The Result

Ian McFadyen, Development Director for Towergate Insurance in Hemel Hempstead, talks through two recent examples:

  • A food services company with a turnover of £1-£10m experienced a ransomware attack which encrypted a restaurant’s entire server, impacting its point of sale registers and meaning it was effectively unable to trade. Having exhausted all other options, it was clear that the most effective way to restore the restaurant’s systems was to pay the ransom. The insurance covered the cost of the ransom, together with the associated IT costs of applying the decryption key and ensuring that the insured’s business was back up and running. The insurer also engaged a breach coach to confirm whether any Personally Identifiable Information (PII) had been compromised. In addition to these costs, the insurer covered the business interruption suffered by the restaurant because of being unable to trade.

Additionally, by helping staff recognise the style of potential phishing emails and what to look for in email senders’ details to help identify suspicious looking emails, they can significantly reduce the risk of phishing attacks in future. Furthermore, best practice was ensured for future regular back-ups.

Amount claimed £20,000

  • A PR company with a turnover of £0-£1m noticed a problem with its emails. Its regular IT contractor investigated and concluded the most likely cause was malicious activity. The insured contacted us, and we deployed an IT forensics team who were quickly on site to investigate and confirmed the insured had indeed been the victim of an attack.

The PR company’s IT systems had been infected with cryptojacking malware to mine for cryptocurrency. They also confirmed that the hackers who deployed the malware had accessed the insured’s systems and that PII was potentially compromised.

As a result, the IT team were able to remove the malware and plug the gap in the PR company’s security which had allowed the breach. We then engaged legal counsel to advise the insured on its notification obligations, and then arranged the notification of the regulator and relevant data subjects.

Amount claimed £40,000

“The fact is”, said Ian, “malicious acts are here to stay for the foreseeable future, and they don’t discriminate when choosing their victims. The long-term damage caused by a breach can be mitigated based on how the company reacts, but organisations should audit their security protocols and solutions regularly whilst also considering the cost to replace outdated systems against the expense of such a data breach.”

Don’t get locked in Cyber Space, Hiscox Underwriting Ltd 2/2/15
