Cyber Insurance for E-commerce
Marketplaces such as Amazon and eBay have given rise to several millionaires in the online seller sector. Technology plays a pivotal role for online ordering, stock inventory management and accepting debit card and credit payments through third party payment gateways. This very same technology has enabled cyber criminals to access your online business, often in a bid to disrupt business operations, steal sensitive data or hold an online seller to ransom. Cyber threats to business, small or large, are being witnessed daily with research showing that on average the cost of a cyber hack is in the region of £160,000 in the UK.
What is Cyber Insurance?
Cyber insurance, which is also referred to as Cyber liability insurance or Cyber risk insurance, is a form of insurance that assists an online business in transferring cyber risk to an insurer. Much like a home insurance policy covers a policy holder in the event of any risk of structural damage to a building, Cyber insurance mitigates a policy holder against the exposure of a cyber-attack.
As part of your business risk management, an online retailer must decide which risks to accept, avoid, control or transfer. Accepting risk could be that you make a delivery to an address not matched by the cardholder address as the customer has been long standing. Or controlling risk could be that you do not allow orders to be executed for any goods that are not physically in stock. The transfer of risk is usually in the form of an insurance policy whereby you have implemented all the internal risk management solutions possibly available to you and yet you are still vulnerable to a certain type of loss if an event occurs.
A Cyber insurance policy allows the transfer of any cyber related risk to an insurer whereby in exchange for a premium, your business will be able to make a claim against a policy to cover any eventualities such as regulatory fines or third-party losses.
What are the Cyber vulnerabilities in E-commerce?
The greatest threat to an e-commerce business is via a Web based attack through the applications used by a business with a target centred around data. Customer data, security data and intellectual property such as supplier data are all vulnerable to cyber criminals who can monetise the data in varying formats which we will take a closer look at now.
We do not for a minute take for granted that business owners are educated on such risks, however the modern-day business owner leverages technology to automate to create operational efficiencies with minimal staff so it only takes one mistake to leave you vulnerable to attack.
Payment Gateway Security
Merchant acquiring online has been made easier by payment processors allowing customers to make payments using debit cards or credit cards online. While the technology to process payments has become more frictionless over time, the actual storage of the credit or debit card numbers of your customers becomes a target for cyber criminals.
Any credit card or debit card details stored as part of your business database automatically becomes a liability and can affect your brand reputation if a hack were to occur and your customers payments details are stolen. When it comes to ecommerce, a business must obtain Payment Card Industry Data Security Standard (PCI DSS) certifications which relates specifically to the storage, transmission, and processing of card payments.
A point to note is that once a data breach occurs, the PCI regulatory body can be utilised by a payment brand to appoint an independent PCI Forensic investigator which in some cases will have a cost to your business and may even prevent the payment processing for any sales until the investigation is complete.
Email is the primary source of communication for employees, customers, suppliers, and your professional advisors such as accountants or solicitors. This is one of the areas that is vulnerable to attack from cyber criminals where an employee might be sent a harmless email disguised as coming from a known entity requesting a password reset.
A link will be contained in the body of the email and direct the employee to a URL not affiliated with the actual product provider but made to look similar. The target will be asked to enter the log in details, existing password, and a new password to take the appropriate action. From this information, the new password is disregarded, and the cybercriminal now has access to the log in username and password of the user.
Pharming attacks affects the domain name of an e-commerce seller by attacking the DNS system and affecting the routing system of the internet by manipulating the domain name look up process. The result is that a customer enters in your e-commerce URL and is diverted to a site with a similar look and feel with the ability to take payments for non-existent products or services.
A form of software that is designed to be malicious in intent is known as malware with the sole purpose of causing disruption by gathering information with the potential to lead to gaining access to personal data and system resources.
Here are some well-known E-commerce businesses that were breached.
Zappos – owned by parent Amazon, Zappos suffered a hack which exposed 24 million customer names, addresses, email, and telephone numbers as well as the last 4 digits of their credit/ debit cards.
eBay – one of the biggest recorded data breaches where cyber criminals accessed over 100 million customer records comprising of names, mailing address, passwords, and birth dates.
Starbucks – the popular app was hacked by cyber criminals twice in a short space of time with hackers gaining access to customer credit card information through the autoload function.
What does a Cyber insurance policy cover for Ecommerce businesses?
Each individual cyber insurance provider will have inclusions and exclusions, so it is important to decide on a cyber liability policy that best suits your business requirements. Here we will go through the aspects a cyber insurance policy would cover in the situation a breach occurs.
In the event your business is unable to operate as normal where revenue is lost as a direct consequence of a cyber-attack. As an e-commerce business, if your payment processor is compromised because of an investigation due to a breach, this may mean your business is unable to take payments disrupting your sales turnover.
In the event your business loses information that belongs to other owners and information that you own. Under GDPR, a business or organisation has a duty to report personal data breaches within 72 hours of becoming aware of said breach. Your customers have the right to take preventative measures should their personal data become compromised because of a cyber-attack on your business.
This will cover your business if your customers personal information is leaked because of a hack as the sensitive information could often lead to hackers taking out credit under identity theft.
Data Loss Recover
Business records maintained by your business may be an integral part of your operations to generate sales, such as a CRM for repeat orders. Recovering these records will be vital to having your business up and running again post a breach.
Post a cyber attack of any sort, you may need to conduct a thorough investigation as to how the breached occurred wither for your business or at the behest of your regulatory body. The costs involved can be covered by an insurance policy either in full or a part payment which will be outlined in a policy schedule.
On the basis you are mandated to notify your customers who may have been affected by a data breach, this may give rise to cases where a customer or a group of customers decide to seek compensation for any losses incurred as a direct consequence of the breach your business have suffered. A cyber insurance policy has the potential to cover the costs involved in having legal representation and or seeking legal advice in the event of litigation.
Often with ransomware attacks, cyber criminals will breach your security and hold your data to ransom by demanding payment in return to not leaking the data or activating malicious software. In some cases, insurers will cover the payment on your behalf on the basis that if the threats of the cyber criminals were to transpire, the losses may be a more costly than the ransom sum demanded itself.
Cyber-related incidents are a common and ever evolving threat to business both large and small. Having an insurance policy to transfer your cyber related risks is a pragmatic way to obtain peace of mind that you have support in the event of a cyber related breach, to protect your business, your customers and any regulatory fines you might have to pay.