Do I Need Cyber Insurance if I Have Outsourced IT?

Caeva O'Callaghan | May 5th, 2021


Hiring third party individuals and services can be cost-effective. But if someone else is handling your data, are you still responsible for cyber insurance?

Yes. Under GDPR regulations, you are the data owner and are therefore responsible for its safekeeping. This means if you outsource any data storage or processing service, you are still liable for that data and should urgently consider getting cyber insurance.

In this article, we’ll answer the following questions:

  • Do I need cyber insurance for using third party payment processors?
  • Should my cloud data service provide cyber insurance?
  • How are my customers’ details protected?

Just because sensitive data may be stored elsewhere doesn’t mean you aren’t responsible for it. You need cyber insurance in place to cover costs and associated fines in the event of a cyber attack.

Your business is liable for the data you hold

If a company collects the data of its customers, e.g. credit card information, then it is the company’s responsibility to keep that data secure. Even if you store that data on a third party service, or use a third party service to process that data, it is yours and you are responsible for its safekeeping.

This is for one good reason: the data would not be there if it wasn’t for you. If you use outsourced IT services or third party tools and apps, it is ultimately still data under your protection.

There are many ways in which you might outsource IT. You could have workers managing your entire IT system from overseas, or just a few developers who maintain an app you distribute and own. You could be using a third party payment processor like PayPal or Stripe to handle online purchases.

Using a third party payment processor lets you provide more payment methods to your customers and handle transactions securely, and your customers will already be familiar with using these services. However, they are targets for larger, ambitious criminal organisations.

As Ireland becomes a destination for IT businesses hoping to expand, cyber security is becoming even more important. Staff at payments solutions company TSYS, based in Belfast and Derry, were told in December of 2020 that their personal data was likely compromised after the US-owned fintech group was targeted in a ransomware attack.

Get your own cyber insurance

What many business owners forget is that, even if some or all of your IT systems are handled by a third party service, your business will still hold information on your clients. This may include their passwords, their order history, addresses and more.

Just because a third party is responsible for your day to day operations doesn’t mean it’s responsible for the wellbeing of the data you hold. While cost-effective, these solutions are not necessarily a safer option.

For example, on November 21, 2019, Edenred, another payment solutions provider, reported that it was infected by malware. Operating across 46 countries, they managed 2.5 billion payment transactions in 2018. The number of people affected and the extent of the attack are currently unknown.

And in 2020, the Marriott Hotels Group suffered an attack in which 5.2 million customers’ credit card details, emails and home addresses were obtained by hackers. It came after a catastrophic data breach which saw the records of approximately 339 million guests exposed, where hackers were found to have had unauthorized access to the hotel’s network since 2014.

These large businesses are not cyber criminals’ only targets: many more small and medium enterprises are targeted each year, because hackers take advantage of a lack of cyber security awareness.

Not all businesses survive cyber attacks, and getting cyber insurance increases your chances of getting your business back on its feet. Your organisation – and your clients’ and employees’ information – is at risk if you don’t have cover.

The costs of a data breach

Cyber insurance cover includes the clean up of the breach, notification to the affected clients, any resulting regulatory fines and third party liability awards.

As soon as possible after you realise your business has been compromised, you must inform the regulatory authorities. Failing to do so will result in a hefty fine, as you will be falling foul of GDPR regulations.

Your cyber insurance will also help to cover the costs of hiring security experts to upgrade your systems so an attack doesn’t happen in the future.

Talk to us today about any queries you have regarding Cyber Insurance

If you are unsure or confused about cyber insurance, pick up the phone and call us today, and our cyber insurance experts will be on hand to walk you through what’s involved in ensuring your business is fully protected from cyber attacks. We look forward to helping you today!


All information in this post is accurate as of the date of publishing.