By CFC Underwriting
Outdated Windows systems vulnerable to BlueKeep exploit
Security researchers have recently seen a mass exploitation attempt targeting devices vulnerable to the BlueKeep exploit, also known as CVE-2019-0708. This advisory urges you to ensure all systems are updated to avoid potential attacks as a result of this, or any other, vulnerability.
BlueKeep is a critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services (RDS) and was first reported in May 2019. It is ‘wormable’, meaning it could be used to spread malware without authentication or user interaction. It therefore has the potential to create incidents similar to the WannaCry ransomware attack of 2017.
As of November 2019, it is estimated that 500,000 systems could still be exposed to BlueKeep, despite Microsoft releasing patches against the exploit shortly after its discovery in May. The National Security Agency and Microsoft have stressed the importance of running system updates and have advised everyone to immediately apply patches to the following affected versions of Windows:
• Windows XP, Windows Vista, Windows 7
• Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
Please upgrade to the most recent version as soon as possible. Legacy operating systems pose a serious security risk: the more outdated a system becomes, the less likely the vendor is to keep supporting it with security patches.
Besides upgrading systems, the following additional measures should also be taken:
• Block TCP port 3389 at your firewalls, as this port is used by the Remote Desktop Protocol. This will deny attempts to establish a remote desktop connection through the firewall.
• Enable Network Level Authentication (NLA). This means an attacker would first have to authenticate to Remote Desktop Services before being able to exploit the vulnerability.
• Disable RDS if it is not needed to reduce exposure to vulnerabilities overall.
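The following script is an added illustration of the three mitigations above and is not part of the CFC advisory: it audits a Windows host for whether Remote Desktop is enabled, whether NLA is required and whether anything is listening on TCP 3389, and applies the NLA and firewall mitigations only when run with -Remediate. It assumes an elevated PowerShell session on the host being checked and uses the documented Terminal Server registry values and netsh, which exist on the older Windows versions listed above.

```powershell
<#
  Illustrative BlueKeep (CVE-2019-0708) mitigation check. Not from the CFC
  advisory; added here as a worked example. Read-only unless -Remediate is set.
  Assumes: run as Administrator on the Windows host you are auditing.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,   # apply NLA requirement and host-firewall block
    [switch]$DisableRds   # additionally switch Remote Desktop off (with -Remediate)
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is switched off on this host.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# UserAuthentication = 1 means Network Level Authentication is required.
# The value is absent on Windows XP / Server 2003, which cannot enforce NLA at all.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($nla -eq 1)

# Is anything actually listening on TCP 3389 (IPv4 or IPv6)?
$listening = @(netstat -ano | Select-String -Pattern ':3389\s+\S+\s+LISTENING').Count -gt 0

# PS 2.0-compatible report object, so it also runs on Windows 7 / Server 2008.
New-Object PSObject -Property @{
    Host         = $env:COMPUTERNAME
    OSVersion    = [Environment]::OSVersion.Version.ToString()
    RdpEnabled   = $rdpEnabled
    NlaRequired  = $nlaRequired
    Port3389Open = $listening
} | Format-List

if ($rdpEnabled -and -not $nlaRequired) {
    Write-Warning 'Remote Desktop is enabled without NLA: unauthenticated clients can reach the vulnerable service.'
}

if ($Remediate) {
    # Mitigation 2: require NLA before a session is created.
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1

    # Mitigation 1: block inbound TCP/3389 at the host firewall. netsh is used
    # because the NetSecurity cmdlets are not available on Windows 7 / 2008.
    netsh advfirewall firewall add rule name=Block_RDP_3389_BlueKeep `
        dir=in action=block protocol=TCP localport=3389 | Out-Null

    if ($DisableRds) {
        # Mitigation 3: disable Remote Desktop entirely when it is not needed.
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    }
    Write-Host 'Mitigations applied. Still install the May 2019 security update: these settings reduce exposure but do not remove the flaw.'
}
```

The firewall block also stops legitimate remote administration, so run the audit first and schedule remediation on hosts that depend on RDP.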
For those who use the affected versions of Windows, links to the critical patches are in Microsoft's Security Guidance advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
Thanks for your time and attention!
Erimus Insurance Brokers
By Emma Hughes, New Business Broker
The majority of Contract Works policies will look to exclude damage to property which is in a defective condition but will provide cover for other parts of the property which are damaged as a consequence of this defect. Insurers apply this exclusion in the form of a Defective Design Exclusion, tiered from DE1 (lowest level cover) to DE5 (highest level cover).
DE1: Outright Defect Exclusion
Excludes all losses arising from defects in the Design, Workmanship or Materials.
DE2: Extended Defective Condition Exclusion
Excludes property which is defective and property which relies for its support on property which is defective but covers other insured property which is damaged as a result of the defect.
DE3: Limited Defective Condition Exclusion
Excludes property which is defective but covers other insured property which is defect free and is damaged by the defective property.
DE4: Defective Part Exclusion
This is similar to DE3, but the exclusion is restricted to the ‘component part or individual item’ which is defective, e.g. only the defective nut, bolt or screw would be excluded.
DE5: Design Improvement Exclusion
Provides full cover for both the defective and non-defective products but damage must occur. The existence of a defect alone is not insured. The costs in improving the design, materials and workmanship are excluded.
A steel framed building collapses during the construction period due to the connective bolts being inadequate for their purpose. The building collapses after the roof has been erected, the cladding has been partially completed and a dwarf brick wall has been built. The various Defect Exclusions would pay as follows:
DE1: All damage would be excluded
DE2: All damaged items are excluded apart from the Dwarf Brick Wall
DE3: Steel Framework is excluded but the Roof, Cladding and Brick Walls are paid for
DE4: Only the Nuts & Bolts are excluded and all other damage is paid for
DE5: All damage is paid for but improvement costs are excluded
The most common level of cover found in a Contract Works policy is DE3, and there may be an option to uplift cover to DE4/DE5 if requested. As you can see from the above example, it is prudent to ensure you have DE3 coverage as a minimum. Defective Design Exclusions should not be confused with Professional Indemnity insurance. Professional Indemnity would provide cover if the design was found to be defective but no damage had occurred.
By Emma Hughes, New Business Broker
In February 2017 the Lord Chancellor amended the Ogden Discount Rate from 2.5% to -0.75%. This change has brought into question whether businesses are adequately covered in the event of a catastrophic and complex injury claim.
The Ogden Discount Rate is used by UK Courts when calculating compensation in personal injury claims; the intention is to put the claimant in the same financial position they would have been in had they not been injured. The Discount Rate reflects the additional earnings the claimant would make from low-risk investments and deducts this from the overall settlement. Since the economic crash in 2008 investment returns have tumbled, leading to the Lord Chancellor changing the rate of discount from 2.5% to -0.75%. Although a change of 3.25% may not seem too significant, in the case of catastrophic claims it can lead to substantially higher settlement costs.
For example, a Male aged 21 years old with a life expectancy of 87 years suffers a serious head injury resulting in needing 24 hour care. Under the previous 2.5% Ogden Discount Rate he would expect to receive £15.1 million in compensation. However, with the reduced Ogden Discount Rate of -0.75% this skyrockets to £29.3 million.
As you can see from this example, the rate change leaves all businesses vulnerable to underinsurance, not just industries partaking in high hazard activities. It is therefore important that you put measures in place to protect the balance sheet of your business. The standard limit of indemnity for Employers Liability given in the UK is £10,000,000. In the event of a serious injury, as per the above example, the standard indemnity for Employers Liability would leave a £19.3 million shortfall in cover. In this instance the Courts will look to the business assets to compensate the claimant. If your business is a Partnership, Limited Liability Partnership or Sole Trader then they can pursue your own personal assets.
The best and most cost effective way to protect your business is by increasing the limits of your Liability insurances. Your broker should be able to provide you with indications for increasing your limits; the additional premium is often modest in comparison to the underlying policy.
By Emma Hughes, New Business Broker
As we say goodbye to our glorious summer it is time to start thinking about winter and how to keep yourself and your loved ones safe on the roads. The clocks going back signals the start of dark evening commutes, increasing road accidents between the hours of 5pm and 8pm by 34%. With this in mind, we have put together 5 top tips to ensure you are prepared for winter driving.
Lights: Make sure that your headlights are free of dirt, switched on and in good working order, no matter the time of day. The darkness coupled with adverse weather conditions means visibility is reduced and the likelihood of an accident increases.
Speed: Inclement weather and poor visibility mean that you may have to react quickly to unforeseen situations; keeping below the speed limit makes it easier to adjust your speed. You should aim to maintain a moderate and steady speed.
Pedestrians: Although your lights may be in tip-top shape, be aware that others, particularly cyclists and pedestrians, may not be as well prepared. Darker clothing and no lights can make people difficult to spot, so be vigilant.
Tyres: Seasonal hazards such as slippery leaves, mud and ice can be treacherous, so make sure that you have checked your tyres. If they are looking borderline then don’t risk it: get a new set and consider investing in specialist winter tyres.
Visibility: The low winter sun and headlights can cause glare; reduce it by keeping your windscreen clean (inside and out) and making sure your wiper blades are in good working order. Also, make sure your windscreen wash is topped up regularly with anti-freeze solution.
For further information see Insure The Box’s full study: https://www.insurethebox.com/beware-fright-night-as-the-clocks-go-back-this-weekend/
By Emma Hughes, New Business Broker
‘Cyber’ is an emerging risk and SME businesses need to be aware of the level of exposure they face. Typically a business would want to protect their physical assets but when it comes to cyber you are insuring the intangible – data, customer information, and intellectual property. Arguably data or information has become one of the most important assets to a business and worth many times more than the physical equipment it is stored upon.
There is no doubt that the implementation of GDPR in May 2018 shone a spotlight on the growing need for cyber insurance with 66% of organisations more concerned about their cybersecurity than they were a year ago. Despite growing concerns 43% of British SMEs admit to having no business continuity, disaster recovery or crisis management plans in place. In order for these businesses to create a thorough business continuity plan they must first understand and identify the risks they face.
After the catalyst of GDPR, businesses are now beginning to address cyber exposures, but a narrow focus on data breaches is detrimental to providing a comprehensive cyber risk solution. For example, almost a third of the cyber claims seen by CFC (a top UK cyber insurer) are a result of the theft of funds, which is a significant risk for almost any business and has been for quite some time. Cyber insurance goes beyond simply providing cover: it also has a role to play in helping businesses understand where to put their limited IT security spend, and hopefully to put it in better, more effective areas.
Cyber-crime is the fastest growing crime in the world, affecting businesses of all sizes and sectors. In Britain 46% of SMEs admitted to suffering at least one cyber security breach or attack in the last 12 months. To illustrate this the insurer Hiscox has set up a typical small business server to record how many attempted cyber-attacks happen in real-time. By mid-day almost 27,000 attacks had been attempted.
Every cyber-attacker will have their own purpose ranging from the ransom of data to malicious destruction. Often breaches are not discovered until weeks or months after the event, by then untold damage could have been caused.
Businesses need to start asking themselves what they would do if they found out they had been the victim of a cyber-attack. WannaCry in May 2017 and NotPetya in June 2017 raised the question of who businesses call when they are affected. There is no state-provided IT security service. Although the UK has the National Crime Agency and GCHQ, they are focused on protecting national infrastructure rather than individual businesses [..] the state has not provided the services to support businesses, and that is what the cyber insurance industry is doing.
The impact of a breach can be felt for many months, even years after an event. Although a system may be back up and running within a matter of days the effects of reputational damage and lost data can be felt long after. Every single breach will be different and there is no ‘one size fits all’ solution. For example a business that receives their income on a contractual basis could be more exposed to long tail financial loss, as the cancellation of monthly or annual contracts could very quickly result in sizeable financial losses being incurred. It is unlikely a traditional business interruption policy would respond in this instance so it will have to be written in to the cyber coverage. Regardless of your business type or size there is an exposure to be mitigated.
Now is the time to start addressing Cyber as a very real and tangible risk to your business. The threat of a cyber-attack is ever growing and it has the potential to impact your business in the same way as fire or flood. Please do not hesitate to contact us on firstname.lastname@example.org or 01642 240400 if you would like to discuss Cyber cover for your business.
By Mike Bailey, Technical Broking Consultant
As yet another big name is in the news because of a data breach following a cyber-attack, many of us will be worrying about whether our personal information is in the hands of the hackers, and will be checking credit card statements and bank accounts for some time to come in case our own finances are in jeopardy from the hackers’ criminal activities.
This comes as TalkTalk announced on Thursday evening [22nd October 2015] that it is the latest victim of an attack, with potentially millions of its customers’ account and card details in the hands of the perpetrators.
Could it happen to my business?
Whilst we see these large profile breaches on our television screens and on the front pages of our newspapers we may think that this is a problem for big business and the rest of us won’t be targeted by the hackers…but is that true?
It doesn’t matter what size your business is, it is likely that you will have an IT infrastructure of some sort. There is a risk that you will suffer some sort of income loss through interruption to your business as well as a need to manage and repair damage, including reputational damage if IT systems or equipment should fail or are interrupted following a cyber breach.
A 2014 UK Government survey estimated that 81% of large corporations and 60% of small businesses suffered a cyber breach that year. The average cost of a cyber-security breach is £600k-£1.15m for large businesses and £65k-£115k for SMEs.
Whilst without taking specific cyber cover your existing insurance portfolio such as your commercial property, business interruption or professional indemnity insurance may provide some cover against cyber risks it would not provide the protection and support that would be available under cyber insurance. This is why businesses are increasingly buying the specialised policies to supplement their existing arrangements, particularly when they:
Data breach examples
Small businesses urged to encrypt data after London sole trader fined £5,000. The Information Commissioner’s Office (ICO) has warned small businesses that they must have adequate measures in place to keep customers’ details secure. October 2013
Worldview Limited, a hotel booking organisation, was recently fined £7,500 by the Information Commissioner’s Office (ICO) for failing to appropriately secure personal data that it was responsible for. November 2014
How do breaches happen?
There are a number of ways that a data breach could arise ranging from the sophisticated like a hack by a criminal network with the intention to extort, sell or distribute to the more mundane such as inadvertently sending out extra information in a letter; leaving papers on a train; dumping papers in a skip; incorrect disposal of data/shredding; faxing to the wrong people; or the theft/mislaying of laptops or data sticks and discs.
What does cyber insurance cover?
It covers losses that arise from damage to, or loss of information from IT systems and networks. In addition they will generally include some significant assistance with and management of an incident which occurs. This is an important part of the cover when considering the possible reputational damage that a business could suffer as well as potential regulatory enforcement.
Cyber risks are usually split into first party and third party risks and cover is available which can protect you for either or both types.
First party insurance – covering your own assets, may include:
Third party insurance – covering the assets of others, typically your customers, may include:
Speak to us to arrange your cyber insurance cover
Erimus can arrange cover for most SMEs with limits usually between £100k and £5 million. We may be able to arrange higher limits for businesses facing more complex cyber risks.
Some insurers can extend their insurance products to include additional cyber cover to that which would normally be provided and the cost for low levels of cover can be easily affordable. Even for more extensive cover for many SMEs the cost would not be prohibitively expensive whether this is where the existing insurer can extend cover or if a separate specialist policy is purchased.
Paying for cyber insurance doesn’t have to break the bank but being unable to respond to a data breach or a cyber-attack may well do.
Managing your cyber risk
Whilst insurance plays an important part in risk management for your business it is also important that you manage your own cyber risks. This risk management may include:
The Government launched Cyber Essentials in 2014. This is a basic cyber security hygiene standard aimed at helping organisations protect themselves against common cyber-attacks. This is something that you may want to consider as a first step in becoming resilient to cyber events.
Taking cyber insurance can make the recovery process following a cyber breach more straightforward and as rapid as possible, but it is still likely to take a number of days or weeks depending on the severity. Some policies will include technical assistance with managing a breach, and this is likely to be an invaluable part of the insurance package in the event of an incident.
UK and EU data protection regulatory change
The European Parliament voted in March 2014 in favour of a new draft EU Data Protection Regulation which is designed to provide a single set of rules to all EU member states. They are expected to be finalised in late 2015 with a 24 month transition period. Although 2017 seems like a long way off it is pertinent to consider what the potential impact on your business will be.
One of the matters that will be included is the consequence to businesses responsible for data breaches. It is proposed that data breaches would need to be reported to the relevant national supervisory authority in the country of the organisation’s main establishment without undue delay, and where possible, within 72 hours.
In case of a more serious data breach the sanction that is imposed may be more stringent with proposed fines of up to €100 million or 5% of global annual turnover (whichever is the highest), although there are other more complex systems of fines proposed where the severity of the penalty would depend on the nature of the non-compliant activity.
Other key changes in the draft Regulation include:
Ease of transfer of data between service providers in a format that can be easily reused. There are, of course, contradictions here with data security requirements.
Consumers will be able to request firms to delete their data if there are no legitimate reasons for keeping it.
Organisations will be obliged to appoint such persons if they process the personal data of more than 5,000 data subjects in any 12 month period.
These will have to be used on all communications with customers to ensure their understanding of how their data is collected and how it will be used.
This is permitted as long as consent to do so has been obtained from the individual. There is a proviso that if the profiling affects the interests of the data subject it should not be solely based on automated processing – human assessment should be included.
The EU Data Protection Regulations will generally be beneficial for business and clear up some of the ambiguities from Europe on data protection but we all need to be aware of the key changes to EU requirements and should act now to plan for their implementation.
The UK Government views cyber-attacks as a highest-level risk to national security, alongside terrorism threats, and has already introduced a number of changes to help prevention, including:
Remember: please speak to your usual Erimus contact to discuss this fast-emerging cyber risk and to arrange your cover.
Erimus Insurance Brokers is a trading name of Teesside Insurance Consultants Ltd. Registered in England No. 2043783.
Authorised and regulated by the Financial Conduct Authority No. 307660.
Directors: P.J. Davison, S.D.E. Hughes, I. Miller ACII, S.S. Pinnell. Non Executive Director: G. Lumby MBE, FCIBS.
Company Secretary: C. L. Nolan.