What is Candid Corner


Title : Cyber Insurance 101 for eCommerce Website Companies

Author : Brian O'Mara

Company : O'Leary Insurances

A disclaimer to begin with – there is no one ‘Cyber Insurance’ product. There are several – each insurer has its own take and coverage varies wildly. Some offer limited policies which offer to repair your IT systems after a hack/virus. The broadest policies respond to accidental and malicious losses and include cover for bringing in IT forensic experts, getting systems back up and running, restoring systems and data, dealing with lost profits and reputational fallout, covering the loss from a cyber crime incident, notification costs for those affected by a breach and dealing with regulatory actions.

The bad news is that it can be difficult for companies to understand what their exposures are and which policy best suits their needs. The good news is that independent insurance brokers exist for the very purpose of providing guidance (yes, we do have some uses!). Below are some scenarios for firms to consider – any examples used are real-life and affected Irish firms.

For this article, I have chosen to focus on 9 of the most prominent cyber insurance scenarios, describing examples, the worry and whose websites are most at risk. Here is a quick look at the 9:

9 Most Threatening Cyber Insurance Scenarios for eCommerce Website Companies:


1) Cyber Crime

2) Data Breach

3) Forensic Costs

4) Notification Costs

5) Business Interruption

6) System Damage

7) Reputational Damage

8) Crisis Consultants

9) Social Media/Online Content

1) Cyber Crime:


Past example:

Hackers monitored email conversations between the financial controller of a hotel and their supplier over a period of time. When they became sufficiently familiar with the conversations between the two, the hackers struck. The hacker made contact with the financial controller – again, from a very similar email address to the supplier’s – and used the language the supplier would have used about the latest Man Utd match. They then requested that the hotel make payment on the 21st rather than the 30th due to cash flow issues and update their bank account details. By the time the real supplier requested payment the monies were not recoverable – €49,000 was lost.

What’s the worry?

I could write a whole other blog just going through the various incidents I have seen. Cyber crime is now more lucrative than the global drugs trade and it is very common among Irish companies – the average loss to our clients in the past year has been around €30,000 per incident.

Most affected companies:

Those that transfer money, particularly large payments to suppliers or on behalf of clients.

2) Data Breach:



Practical Examples:

Accidental – Sending an email with client/employee information to the wrong person.

Malicious – A hacker steals data which can identify individuals – names, addresses, date of birth, credit card details etc.

What’s the worry?

A data breach would be bad news at any time. However, new EU Regulation comes into effect in 2018 whereby it will be mandatory to notify the Data Protection Commissioner (DPC) if a breach occurs (whether accidental or malicious). The DPC will have a whole new range of powers including the ability to fine companies up to €20m or 4% of global turnover, whichever is higher.

Most affected companies:

Those that even briefly process client or employee data.

3) Forensic Costs:


Practical Example:

You receive a call from your IT department. A breach has occurred and has just been discovered – but how long ago and what is the extent?

What’s the worry?

The average time taken to discover a breach is over 6 months – a lot of damage can be done in the interim. Insurance can cover the cost of using in-house or specialist IT consultants to get to the root of the breach and to stop it at source.

Most affected companies:

Anyone with significant reliance on IT systems

4) Notification Costs:


Practical example:

A breach has happened – there is a cost associated with finding out who has been affected, what data has been taken and then notifying them of same.

What’s the worry:

This will have a particular effect after the new regulation comes into force – the average cost per file works out around €134. For companies with many thousands of files this cost alone has been known to exhaust cyber insurance policy limits.

Most affected companies:

Those with a number of client/employee files which include Personally Identifiable Information (PII).

5) Business Interruption




Your website is taken down by cyber criminals and you cannot process online orders during this time.

What’s the worry?

You may buy Business Interruption already under your Office Insurance – however, it only responds to physical loss such as fire or flood. Loss of income while systems are down would not be covered, unless it was due to physical damage to your servers.

Most affected companies:

Those that rely on systems to trade.

6) System Damage:


Practical example:

A virus or a disgruntled employee has wiped out a large amount of your computer programs and they need to be reinstated by IT.

What’s the worry?

Getting up and running again can be costly and time consuming.

Most affected companies:

Those that rely on systems to trade.

7) Reputational Damage:


Practical example:

Loyaltybuild in Clare had a significant and high-profile data breach in 2013, with the personal details of around 1.5m individuals affected. That year they posted a profit of €1m. Earlier this year the firm announced an €18m pre-tax loss.

What’s the worry:

People don’t like the thought of their data being ‘out there’. When this happens, it makes good copy for newspapers and can keep radio-station phone lines buzzing. How a company moves on can depend on their response to an incident, but in the interim profits can be hit.

Most affected companies:

Firms that hold a large amount of client information.

8) Crisis Consultants


Practical examples:

Loyaltybuild’s Managing Director carried out an interview in 2015 stating how the firm had trained employees, improved systems and essentially moved on from the breach – the damage to their brand may already have been done.

Did you know Ryanair announced last year that it had €4.6m stolen from it by cyber crime, or that Paddy Power had a breach affecting 650,000 customers between 2010-2014? Both were well-managed news releases with minimal obvious impact to each company’s brands.

What’s the worry?

Having consultants such as PR firms may sound farfetched right now, but in the event of an incident about to make headlines their guidance could be invaluable to your firm being able to continue to trade.

Most affected companies:

Firms that hold a large amount of client information.

9) Social Media/Online Content


Practical examples:

A bar hires a photographer to take photos of its clientele after every Friday and Saturday. When the photos are uploaded, everybody loves ‘tagging’ their friends on Facebook – however one photo slips through that shows a bit too much of one individual, and their friend has just shared it. The request to take the photo down isn’t seen for a period of time, meanwhile more and more friends see the embarrassing shot.

What’s the worry?

There are other considerations apart from infringement of privacy. Does your website claim you are the best at what you do? If so – says who?! You are responsible for your online content. Be aware of what is being uploaded online and of who has access to upload to your company pages.

Most affected companies:

Firms with active websites or social media accounts.

If you would like to discuss the adequacy of your existing insurance programme against cyber threats, feel free to contact the author – bomara@oli.ie.

About The Author:

Brian O’Mara works with O’Leary Insurances, Ireland’s largest independent insurance broker. He specialises in Cyber Insurance, having cut his teeth placing complex bespoke policies for some of Australia’s largest publicly-listed and private companies including utilities and tech firms. In mid-2015 he returned to Ireland to co-ordinate O’Leary Insurances’ approach to this ever-changing area of risk. He regularly presents on cyber exposures to professionals around Ireland and has also contributed to newsletters and podcasts on the topic.


Title : Cyber Liability: Hype or a Real Threat?

Author : Martin Adams

Company : Arachas Insurance

– Sony Loses $100m in Cyber Attack

– Talk Talk Loses £3.5m in Cyber Attack by 15 Year Old

– Estimated Cost of Cyber Crime in 2016 $120.1bn

We have all read these headlines and there has been a lot of press recently regarding cyber liability and the exposures companies face from cyber threats.

So Is Website Risk Justified?

In recent surveys of companies, cyber liability is always in the top 3 risks they are concerned about, so why don’t companies take more action to combat the threat? Perception is one answer. In the same study:

  • 52% of CEO/CFOs believed they have some cover for cyber
  • 20% of CEO/CFOs specifically addressed the issue at senior management or board level
  • In reality only 10% of companies actually had some form of viable cover

Another answer is that they don’t know where to begin. However, ignorance is not bliss, and ignorance is one of the biggest threats to a company.

Ignorance And Cyber Liability Dangers


In an Irish Examiner poll on 4th May 2016, 4 in 10 companies had no formal cyber security strategy despite the majority of directors identifying this as an important issue. This apathy is even more pronounced in small companies with under 100 staff, where 68% have no strategy in place. This partly explains why some SMEs go to IT vendors who claim to provide an automatic solution, a one stop shop. Unfortunately, this does not exist and the company itself still needs to invest to protect itself. This needs to be done through education, training and practical guidelines for all staff. In fact, cyber risk should not be approached any differently to any other risk, such as fire or theft. Companies would not ignore a fire risk on the premises; they would take action to mitigate or reduce the risk. The same framework should be used to combat cyber issues.

  • Understand the risk.

  • Take the action required to reduce the risk.

  • Make sure to educate and implement risk reducing measures.

So, what is the threat? Who could pose a threat? And how do we protect ourselves from cyber threats?

Threats Can Come From:

  • Rogue Employees
  • Negligent Employees
  • Company Outsiders
  • Vendors
  • Social Networking

And this Can Lead To:

  • Loss of intellectual property
  • Business interruption – loss of profits
  • Data Loss
  • Extortion
  • Network Failure
  • Reputational Damage

The Aftermath of Failed Cyber Security

These attacks can be rapid and very damaging. Imagine losing all your records and data within 60 seconds: what do you do and what will your customers think? With the new EU data regulations you will have to advise all clients that you have had a breach when it happens, and you will need to stand in front of them and advise what measures you put in place to try and prevent a breach. Some companies believe that because they are compliant they are protected; unfortunately, being compliant does not mean being secure. In fact, companies should be aiming for an embedded security culture and not just a “tick the box” exercise. Another problem is that companies believe they have nothing of interest. Every company has something of interest, even if it is just used as a gateway to a bigger prize.


Cyber Attacks Can Happen To Your Website

Cyber attacks can happen to anyone, whether you are a large or a small company. We have seen claims from sole traders to larger companies. So, all companies should be cyber aware and have a risk strategy to protect themselves. This will be a requirement with the new regulations and may also affect investment in companies, as we see more investors looking for confirmation that the company has a cyber risk policy prior to investment. One of these risk measures can be Cyber Liability Insurance, which can be purchased at a reasonable cost, starting at €500, and can provide guidelines for protection.


About the Author:

Martin Adams ACII MIRM is the Special Risks Director for Arachas Insurance. Arachas Insurance help you to prevent cyber attacks and to make sure that your site is safe.