War on cyber attacks

Philip Tompsett

Philip Tompsett

Have your say

An island insurance company is setting up an anonymous cyber losses register amid growing fears over cyber crime.

Aon (Isle of Man) Ltd is making the move to help businesses learn from one another’s experience and becoming more savy in the fight against cyber risks.

The register will be completely anonymous and, in agreement with firms concerned, the generic scenario will be included within Aon’s regular cyber seminars.

Philip Tompsett is director of broking at the company based in St George’s Court, Upper Church Street, Douglas.

He said: ‘Since we started the programme of cyber risk seminars there have been substantial developments in the world of cyber insurance.

‘Many of the scenarios insurers use to explain insurable events seemed far-fetched but are now becoming a reality and as time goes by we are continually surprised at the losses which have been occurring.

‘One of the more common incidents we have seen on the island is where a payment has been made in error following sophisticated ‘‘phishing’’.

‘These aren’t simply requests to confirm bank details or passwords, they are well thought out and carefully executed campaigns.

‘We have seen close calls and actual payments made ranging from £9,000 to £20,000.’

Mr Tompsett told Business News a typical case is that the criminal has hacked a personal email account of a business person and gone to considerable effort to read through the history. ‘It is not island firms whose systems have been hacked in these cases but their clients or customers.

‘A number of emails then come in over time with a very small change to the usual email address be it a single letter or .co.uk changed to ‘.com’ and this culminates in a small payment request or a change of bank account for bills being paid on instalments. In the latter case two instalments of over £1m each were paid by a UK firm before the change of account was identified.

‘In our experience island losses are dealt with in house and are typically under £20,000. ‘

Mr Tompsett explained that reporting of an incident is not currently mandatory and few firms would welcome the publicity so incidents are largely unreported.

‘The situation will change in the EU in 2017 when new regulations come into force.

‘Insurers are rapidly altering their policy wordings and introducing new exclusions to clarify that it is not their intention for conventional policies to cover cyber risks.

‘Equally specialist cyber policies are developing rapidly.

‘As recently as seven years ago, there were around ten cyber risk insurers working with Aon.

‘Now there are 67 insurers with 67 different cyber risk policies.

‘Understanding the differences and ensuring you have the right policy is not an easy task in the dynamic world of cyber insurance.’

Aon (Isle of Man) says cyber risks remain misunderstood or unquantified for most businesses.

‘Aon are urging businesses on the island to take a proactive approach to assess their cyber risk exposures and to share their issues with Aon in addition to any action they may wish to take with the relevant authorities.

‘Knowledge and awareness is key to having more control over the ever growing threat of cyber risks.

Mr Tompsett explained how the information would be shared.

He said all businesses, whether an Aon client or not, will be given controlled access to a summary of incidents upon request to Aon.

‘While there would be no data that could identify firms, or that is sensitive, we would be looking to highlight types of incidents, the broad circumstances and how the matter might be avoided by others.

‘A summary of topical UK or global incidents will also be included. We will issue alerts to all interested parties if there is a sudden upsurge in any particular type of incident.

‘Updates will be given at Aon’s regular free seminars on example losses.

‘These seminars are currently aimed at business folk who want a greater understanding of the types of risk and the difference between DDoS, malware, cyber extortion, rogue employee/contractors, sophisticated phishing etc and the types of losses these can result in’.

He said the next seminar with spaces will be at 5.30pm on Monday, August 24.

‘The thrust is two fold really.

‘To highlight that the island is not immune from the same incidents that we are seeing in the UK/elsewhere and to help businesses avoid similar incidents by taking appropriate action.

Back to the top of the page