A cyber insurance specialist at insurance broker Gallagher is urging businesses of all sizes to ensure they have cyber-risk management controls in place and a cyber insurance policy that can respond in the wake of a breach, particularly around the use of third parties.
The warning comes following the hack of global giant Ticketmaster, which exposed the British business via customer-support software from a third party, impacting around 30,000 customers in the UK and potentially affecting international customers who bought or attempted to buy a ticket from September 2017 to June 23.
Ticketmaster said the third-party software was to blame for the incident – a claim denied by the manufacturers of the software, Inbenta, which said it was due to the ticketing giant misusing its product.
“This incident highlights the potential vulnerability clients face when using third-party software providers and integrating systems, and reinforces the importance of vendor management and undertaking appropriate due diligence,” said Brett Parnell of Gallagher’s professional and financial risks team. “Before allowing a third party access to sensitive customer and business data, the third party should be properly reviewed or vetted.”
Parnell said the review should include security checks to ensure third parties have systems in place which comply with legislation such as the Notifiable Data Breach scheme in Australia and GDPR in Europe, as well as an analysis of cyber insurance coverage.
“When you’re negotiating contracts, cyber insurance can put you ahead of competitors that don’t have it in place,” he said. “It’s a sensible part of any business risk management strategy.”
Parnell added that the Ticketmaster breach also highlighted the need for cyber insurance to deal with the time-consuming and costly aftermath of an event, including limiting reputational damage and notifying potentially affected clients.
“A cyber policy is really designed to be an incident response policy,” Parnell said. “Rather than waiting to go through a long and drawn-out process of legal recourse against the vendor, the cyber policy gives a business the opportunity to respond to the incident, get those specialist services in early and get on the front foot as time is so crucial in these sorts of events.”
And it’s not just big companies such as Ticketmaster that need insurance – it’s SMEs, too.
“All companies need to be aware of the brand and reputation damage that cyber breaches can lead to,” Parnell said. “That’s why cyber insurance is as relevant to a small business owner as it is to multinational companies.”