This document provides a summary of a cyber security breakfast briefing for small and medium-sized enterprises (SMEs). The briefing included welcome and introductory remarks, presentations on good cyber governance, GDPR compliance, insurance aspects of cyber risk, examples of recent cyber breaches, and a discussion of current threats to SMEs. Key points emphasized included the importance of board-level cyber security oversight, having a cyber security strategy and risk management in place, avoiding GDPR fines and other consequences of data loss or security incidents, and understanding common cyber threats facing SMEs today. Examples of recent breaches demonstrated the costs of ransomware, data breaches, and other attacks.

1. C Y B E R S E C U R I T Y B R E A K F A S T
B R I E F I N G F O R S M E S

2. HOUSEKEEPING
@pkfFrancisClark
#CyberSecurity19

3. CHAIRMAN’S WELCOME
Richard Wilding, Head of Cyber Security - PKF Francis Clark

4. GOOD GOVERNANCE IN CYBER
Ciaran Martin, CEO of the National Cyber Security Centre (the governments cyber centre),
speaking on 12 September 2018 at the CBI Cyber Conference included the following quotes:
‘My message today is aimed at board level and general corporate leadership, which is key to
managing this crucial risk.’
‘When we look at some of the advice given around the world on how to manage corporate
cyber security risk, it’s basically about governance. Good governance is necessary.’
• Cyber Security Strategy.
• Risk Management.
• Regulation and Certification Controls.

5. AVOIDABLE CONSEQUENCES
• GDPR fines.
• Loss of data assets.
• Loss of finances.
• Loss of trust.
Elizabeth Denham, Information Commissioner, delivering a speech on
GDPR and accountability.
‘If a business can’t show that good data protection is a cornerstone of their practices,
they’re leaving themselves open to a fine or other enforcement action that could
damage bank balance or business reputation.’
Since GDPR came into effect less than 12
months ago there have been over 130
enforcement actions taken by ICO including
almost 80 monetary fines.

6. PROGRAMME
 9.00 - Current threats to SMEs - Laura Cowie, Devon & Cornwall Police
 9.35 – The GDPR landscape - Ben Travers, Stephens Scown
 10.05 - Insurance aspects - Jonathan Cox, Pavey Group a Gallagher Company
 10.30 - Examples of recent breaches - Peter Lannon, PKF Francis Clark
 11.00 - Close

7. CURRENT THREATS
TO SMES
Laura Cowie, Devon & Cornwall Police

8. THE GDPR
LANDSCAPE
Ben Travers, Stephens Scown

10. BEN TRAVERS – HEAD OF IP & IT
 b.travers@stephens-
scown.co.uk
 01392 210700
 LinkedIn – Ben
Travers

11. RECAP
• May 2016 – GDPR becomes law, 2 year grace period
• April 2018 – business panics, consumers rebel against
‘consent emails’
• May 2018 – GDPR comes into force
• June 2018 – everyone becomes a self-proclaimed
‘GDPR’ expert

12. TRENDS SINCE MAY 2018
• Increasing awareness of rights amongst consumers
• Businesses start (over reporting) breaches
• ICO actively investigates breaches
• UK business still largely in the dark
• Increase in confusing and contradictory commentary in the
market
• Review of previous advice from non-experts

13. COMMON MISTAKES
(WE STILL SEE BUSINESSES MAKE)
• Not having a data map
• Assuming it’s an HR or IT or Marketing issues and not taking
a holistic view
• Not responding fully to a SAR
• Sharing data in non-compliant ways (look at 3rd party platforms)
• Sending unnecessary consent emails
• Relying on Legitimate Interest
• Unable to respect the ‘Right to be forgotten’ requests

14. HOW TO GET IT RIGHT
• How to complete a data map
• When to use ‘consent’ emails
• How to run a legitimate interest test
• How not to share data
• How to respond to a SAR

15. PREDICTIONS
• Cookies
• The end of soft opt-in
• B2B consent
• Telemarketing
• Withdrawing consent
• OTTs and VOIP
• Privacy shield
• Weaponisng SARs
• Compliance in USA?
• Increased consumer awareness

16. 16

17. BEN TRAVERS – HEAD OF IP & IT
 b.travers@stephens-
scown.co.uk
 01392 210700
 LinkedIn – Ben
Travers

18. INSURANCE ASPECTS
Jonathan Cox, Pavey Group a Gallagher Company

19. CYBER RISK

20. 20
Cyber &/or Crime
Cyber Liability Insurance provides businesses with protection against financial
loss resulting from the loss of personal and/or corporate data.
Cover addresses the first and third-party risks ranging from the loss of a
single laptop or file to the hacking of a companies website or network.
Security
Breach
Data
Breach
Operational
failure
Main policy triggers:
Crime Insurance provides businesses with protection
against financial loss resulting from criminal or fraudulent
taking, obtaining or appropriation of money, securities,
funds or property.

21. • SMEs subjected to circa 65,000 attacks every day, of which 4,500 are successful…
• …this equates to one every 19 seconds
• Average cost of “clear up” £25,700 – ignoring wider issues1
• Despite this just 10% of SMEs purchase a Cyber Insurance policy2
1 – Hiscox, October 2018, “UK Small Businesses targeted with 65,000 attempted cyber attacks per day”
2 - PWC, April 2019 “PwC Survey shows that SMEs are cyber insurers’ number one target for growth”
Cyber – The scale of the problem

22. “There is no technology today that cannot be defeated
by social engineering.”
- Frank W. Abagnale
To be solid, insurance must be flexible

23. Breach
Counselling
Crisis
Management
Notification
Assistance
Call Centre
Support
Remediation
Planning
Public
Relations
Assistance
Evidential Support
Legal Advice
& Support
What happens in the
immediate aftermath?

24. ajginternational.com
An HR recruiter for a healthcare organisation accidentally attached
the wrong file when sending an email to four job applicants. The
file included HR demographic data consisting of 43,000 former
employee names, addresses, and national ID numbers.
The insured telephoned the Incident Response Hotline for
assistance and an incident response manager was assigned. Legal
services were brought in to manage regulatory implications.
Scenario 1 – Employee Error
Chubb 2018.

25. ajginternational.com
Scenario 1 – Potential Impact
Privacy Liability - mismanagement of personal and/ or corporate confidential
information, violation of company privacy policy.
• Defence expenses arising from regulatory investigation.
• Defence & settlement costs for claims employees that had identity stolen.
Incident Response Expenses
• Incident response manager fees
• Notification to affected individuals
• Identity theft monitoring services for affected individuals
• Legal consultation fees
TOTAL COST: £186,000
- £55,000
- £100,000
- £5,000
- £3,000
- £13,000
- £10,000

26. ajginternational.com
The data centre which hosted an online retail company’s website
became the target of a distributed denial of service attack. The
attack flooded the data centre’s network with so much traffic that
their network failed. This made the online retail company’s
website inaccessible for a period of six hours before backup
systems were able to restore 100% functionality. The insured in
this scenario is the online retailer. After telephoning the insurers
Incident Response Hotline, an incident response manager was
assigned.
Scenario 2 – Denial of Service Attack
Chubb 2018.

27. ajginternational.com
Scenario 2 – Potential Impact
Recovery Costs
• Increased cost of working required to get website functioning properly
• Costs to subcontract with external service provider
Business Interruption
• Lost sales and revenue from website downtime
Incident Response Expenses
• IT forensics firm
• Legal consultation fees
• Incident response manager fees
TOTAL COST: £144,000
- £12,000
- £95,000
- £12,000
- £10,000
- £6,000

28. ajginternational.com
An employee of a car components manufacturing company clicked on a
malicious link in an email and malware was downloaded onto the
company server, encrypting all information. A message appeared on
the employee’s computer demanding £10,000 to be paid by Bitcoin in
the next 48 hours in exchange for the decryption key.
Scenario 3 – Ransomware Attack
The company telephoned the insurers Incident Response
Hotline for assistance. The assigned incident response
manager brought in IT forensic investigators to assess the
validity of the threat and to determine whether the
company could avoid paying the ransom.
Chubb 2018.

29. ajginternational.com
Scenario 3 – Potential Impact
Network Security Liability – failure of insured’s network security in defending
against computer malicious acts.
Cyber Extortion – costs associated with addressing extortion threats to release
information or malicious code unless extortion monies were paid
• Information technology consultant fees to assess backup capabilities
Incident Response Expenses
• Forensic investigation costs to locate malware, analyse impact, ensure
containment, and calculate extent of loss.
• Legal consultation fees
• Incident Response Manager fees
Data Asset Loss – costs associated with replacing lost or corrupted
data
TOTAL COST: £60,000
- £14,000
- £18,000
- £7,000
- £6,000
- £15,000

30. ajginternational.com
An employee for a consultancy company sent an internal email
containing negative comments regarding a service provider. The
email was forwarded to others within the organisation and
eventually was sent externally.
The email was seen by the service provider and a defamation
lawsuit was brought against the consultancy company for harming
the service provider’s reputation.
Scenario 4 – Media – Disparagement via Email
Chubb 2018.

31. ajginternational.com
Scenario 4 – Potential Impact
TOTAL COST: £181,000
Media Liability – third party claims arising from Insured’s Internet media
activities. Wrongful Acts include product defamation, disparagement, trade
libel, false light, plagiarism, and more
• Defence and settlement costs for claims from service provider
Incident Response Expenses
• Crisis communication services
• Public relations expert fees to minimise reputational impact
• Incident response manager fees
- £150,000
- £12,000
- £16,000
- £3,000

32. ajginternational.com
Hackers gained unauthorised access to account information located on
a school district’s network due to an unknown vulnerability. The
account information included names, email addresses, national ID
numbers, and financial account information of 20,000 past and
present faculty and students. After multiple students and teachers
reported suspicious activity on their email, IT discovered that an
unauthorised user was in the system.
The school district telephoned the Insurers Incident
Response Hotline and an incident response manager
was assigned.
Scenario 5 – Unauthorised Access
Chubb 2018.

33. ajginternational.com
Scenario 5 – Potential Impact
TOTAL COST: £243,000
Privacy Liability – mismanagement of personal and/ or corporate confidential information.
• Defence expenses arising from regulatory investigation due to irresponsible
management of private information
• Defence and settlement costs for claims from individual that had identity stolen
Network Security Liability – failure to effectively protect insured’s network from malware,
hacking, denial of service attacks or unauthorised use or access
Incident Response Expenses
• Forensic investigation costs to locate vulnerability, analyse impact, ensure containment,
and calculate extent of loss
• Notification to affected individuals
• Identity theft monitoring services to affected individuals
• Costs to set up and operate a call centre for enquiries
• Public relations expert fees to minimise reputational impact of the incident
• Legal consultation fees
• Incident response manager fees
- £75,000
- £40,000
- £80,000
- £9,000
- £6,000
- £1,000
- £10,000
- £9,000

34. ajginternational.com
An employee received a call purporting to be from the company’s
bank saying there had been a problem with a payment, possibly
caused by a virus. The caller told the employee that the payment
would have to be made manually and managed to extract some,
but not all, of the bank security code.
The employee became suspicious and alerted managers who
immediately informed the bank. The bank put a stop on the
account but not before eight transactions had been
made, totalling more than £430,000.
Scenario 6 – Crime – Funds Transfer Fraud
Chubb 2018.

35. ajginternational.com
Scenario 6 – Potential Impact
TOTAL COST: £430,000
Crime Loss – fraudulent taking, obtaining, or appropriation of money,
securities, or property - £430,000

36. “The knock on effect of a data breach can be
devastating. When customers start taking their
business elsewhere, that can be a real body blow.”
- Christopher Graham – Information Commissioner of the United Kingdom - 2016
To be solid, insurance must be flexible

37. How would a cyber policy respond?

38. 3
8
• Solid IT security
• IT penetration testing
• IT System backups (at least
weekly)
• Portable IT hardware encryption
• Regular IT patch installs
• Strong data access controls
(Principle of Least Privilege)
• Disaster recovery/incident
response plans
• Strong staff awareness training
• Contractual protection from 3rd
parties
• Low PCI compliance level (3 or 4)
• Managed reliance on internet
based trading
• Multi step, multi person
verification process for
payments
Positive risk features

39. ajginternational.com
Any Questions?

40. EXAMPLES OF
RECENT BREACHES
Peter Lannon, Cyber Protection Adviser

41. CYBER SECURITY - THE FIGURES 2019
Of the businesses
that reported
breaches
48%
identified at least one
breach or attack per
month.
31%
of UK businesses
have done a cyber
risk assessment in
the last 12 months.
Just
33%
of UK
businesses have
a cyber security
policy.
98%
of UK businesses
rely on some form of
digital
communication or
service.
32%
of UK businesses
have identified
and reported
cyber security
breaches in the
last 12 months.
78%
of businesses
say that cyber
security is a high
priority for them.
Statistics taken from the Office of National Statistics Cyber Security Breaches Survey 2019

42. CASE 1
A client was defrauded of £5,000 by a cyber criminal.
What happened
By gaining access to the client’s email and duplicating a
legitimate email requesting that funds be paid to a
certain account. The money requested in the original
email was still owed.
Create strong passwords.
Use different passwords.
Keep them secret.
Restrict access to devices that are logged in.
How was it done
How to prevent it

43. CASE 2
A large, corporate client gave a cyber criminal £200,000 after a phone call.
What happened
How was it done
An account password was reset by a third party. By
understanding company structure an employee was
manipulated into believing a secure account was
compromised. Using multiple privileges a new holding
account was created with details provided by the
scammer. Company funds were transferred.
How to prevent it
Segregation of duties.
Clear procedures.

44. CASE 3
A large company had the personal details of over 145 million
individuals stolen costing the company approximately £336 million
so far.
What happened
How was it done
A vulnerability in an outdated piece of software was
targeted and exploited by hackers. This gave them
access to the company’s databases largely
unchallenged. The attackers remained undetected in
the system for over 2 months.
Efficient patch management.
Clear structure and responsibilities within the IT
department.
Regular audits and assessments.
How to prevent it

45. THE VISIBLE COST AND THE UNSEEN COST
Time lost dealing with breaches or attacks.
Staff prevented from carrying out daily tasks.
Damage to reputation or loss of trust.
Small business - £4,180
Medium business - £9,270
Large business - £22,700
Visible costs in 2019
Unseen costs
Statistics taken from the Office of National Statistics Cyber Security Breaches Survey 2019

46. THE WIDER WORLD
Average losses to firms from breaches in the last 12 months
Netherlands - £294,000
Belgium - £376,000
Germany - £701,000
UK - £188,000
Reported attacks on SMEs have increased significantly.
Overall cyber-readiness has stalled.
Nearly 2/3rds of firms have experienced cyber related issues
with their supply chains.
Statistics taken from Hiscox Cyber Readiness Report 2019

47. THE FUTURE
FIVE EYES

48. PREVENTION IS BETTER THAN CURE

49. ANY QUESTIONS?
Peter Lannon
peter.lannon@pkf-francisclark.co.uk
07458 021891

50. 01392 667000
Exeter
01722 337661
Salisbury
01823 275925
Taunton
01803 320100
Torquay
01872 276477
Truro
01752 301010
Plymouth
01202 663600
Poole
Francis Clark LLP is a member firm of the PKF International Limited network of legally independent firms and does not accept any responsibility or liability for the actions or inactions on the part of any other
individual member firm or firms.

51. © copyright PKF Francis Clark, 2019
You shall not copy, make available, retransmit, reproduce, sell, disseminate, separate, licence, distribute, store electronically, publish, broadcast or
otherwise circulate either within your business or for public or commercial purposes any of (or any part of) these materials and / or any services provided
by PKF Francis Clark in any format whatsoever unless you have obtained prior written consent from PKF Francis Clark to do so and entered into a licence.
To the maximum extent permitted by applicable law PKF Francis Clark excludes all representations, warranties and conditions (including, without
limitation, the conditions implied by law) in respect of these materials and /or any services provided by PKF Francis Clark.
These materials and /or any services provided by PKF Francis Clark are designed solely for the benefit of delegates of PKF Francis Clark.
The content of these materials and / or any services provided by PKF Francis Clark does not constitute advice and whilst PKF Francis Clark endeavours
to ensure that the materials and / or any services provided by PKF Francis Clark are correct, we do not warrant the completeness or accuracy of the
materials and /or any services provided by PKF Francis Clark; nor do we commit to ensuring that these materials and / or any services provided by PKF
Francis Clark are up-to-date or error or omission-free.
Where indicated, these materials are subject to Crown copyright protection. Re-use of any such Crown copyright-protected material is subject to current
law and related regulations on the re-use of Crown copyright extracts in England and Wales.
These materials and / or any services provided by PKF Francis Clark are subject to our terms and conditions of business as amended from time to time, a
copy of which is available on request.
Our liability is limited and to the maximum extent permitted under applicable law PKF Francis Clark will not be liable for any direct, indirect or consequential
loss or damage arising in connection with these materials and / or any services provided by PKF Francis Clark, whether arising in tort, contract, or
otherwise, including, without limitation, any loss of profit, contracts, business, goodwill, data, income or revenue. Please note however, that our liability for
fraud, for death or personal injury caused by our negligence, or for any other liability is not excluded or limited.
PKF Francis Clark is a trading name of Francis Clark LLP. Francis Clark LLP is a limited liability partnership, registered in England and Wales with
registered number OC349116. The registered office is Sigma House, Oak View Close, Edginswell Park, Torquay TQ2 7FF where a list of members is
available for inspection and at www.pkf-francisclark.co.uk. The term ‘Partner’ is used to refer to a member of Francis Clark LLP or to an employee.
Registered to carry on audit work in the UK and Ireland, regulated for a range of investment business activities and licensed to carry out reserved legal
activity of non-contentious probate in England and Wales by the Institute of Chartered Accountants in England and Wales. Partners acting as insolvency
practitioners are licensed in the UK by the Institute of Chartered Accountants in England and Wales. A partner appointed as Administrator or Administrative
Receiver acts only as agent of the insolvent entity and without personal liability. Francis Clark LLP is a member firm of the PKF International Limited
network of legally independent firms and does not accept responsibility or liability for the actions or inactions on the part of any other individual member
firm or firms.