CNA Hardy – Report Back

Friday October 11th 2019

Five years since we started! Been a busy time since 2014… But some problems have got far worse. So for our October meeting we welcomed Mark Armstrong, Technology and Cyber Underwriting Manager for one of the world’s biggest specialist insurance companies.

CNA Hardy is a $10 billion turnover operation, of which $9 billion is in the US. They’re seeking to expand their UK activities and have opened a Manchester office. “Five years from now,” predicted our member Nigel Bailey, insurance broker (Vista Insurance), “everyone will have cyber insurance.” At the moment, however, it’s a virgin market.

So what can go wrong..? Cyber crime is the biggest exposure risk for business after natural disasters, Mark reckoned, likely to cost around $2 trillion (yes, trillion) globally this year. It’s believed that 46% of UK firms had a cyber breach last year, though the real figure may be higher, as companies don’t report a problem for fear of reputational damage.

Realistically, too, there may be little point in contacting the police, as the originators of such crimes are hidden via many names and timescales, and bury themselves in jurisdictions such as the Ukraine.

The WannaCry ransomware virus brought the NHS to its knees in 2017, using Windows XP (an unsupported operating platform); the group behind it was traced to North Korea. British Airways was hit with a record £183 million penalty under GDPR. But it’s not just big data or national operators who are the target, as perpetrators will send out millions of hits indiscriminately. The peak danger time is 5pm on a Friday, when everyone is winding down for the weekend and clearing outstanding stuff. It’s not always an office junior in a hurry who will click on a dodgy attachment; it may be the directors, who send all their staff for compulsory internet training but don’t attend themselves.

Who gets hit most often in the UK? Our guest said currently it’s the building trade, with a bad habit of paying fraudulent invoices into some distant criminal bank account. One hotel chain (he didn’t name it, but I believe it was Marriott) had a nightmare experience one busy Friday evening when malware jammed all the booking systems worldwide after hackers stole the records of 339 million guests. Point of sale computers failed so that no money could be taken at bars or restaurants. Even key cards stopped working – so nobody could get into their rooms, let alone turn the lights on once inside. That resulted in a £100 million fine on top of everything else.

And how would you respond if your children were at a private school and you received an email offering you an “Early Bird offer – pay by a certain date and get 5% off”? The money then slips away into much more private accounts. In one such event Mark described, the school suffered losses of £30,000 in fees. But over 45,000 emails were compromised, which then needed manual checking, and parents had to be contacted – that’s a lot of worried people – which cost £270,000. That’s where insurance can step in, to cover this massive multiplier loss.

Cyber insurance can cover a variety of risks: not just loss of income, but also the man-hours to reinstate systems, including informing customers; media expertise to mitigate any reputational damage; and legal skills too, if the business is facing fines or regulatory investigation. Just as important are pre-breach services to ensure that the business is better protected (this led to a discussion about how often we should change passwords, and how on earth to remember them…).


Questions flowed.. Apple are good at protecting their users, why not other providers like Microsoft? Good question, said Mark, they could do far better. But until the omission affects their reputation and sales, it won’t happen.

What about other forms of protection? Many websites offer it at a small monthly premium. Yes, Mark said, but they will just check your website for weaknesses; what about your emails?

And what does it cost to insure so comprehensively? One member, part of a group with a £2.5 million turnover, was promptly quoted £2,500 – £3,000 premium per year. That seems remarkably cheap, but Mark explained that this service is competitively priced – for the moment.

Mark has given us a link to a recent blog:

Finally, a reminder (from me). Your other risk of data loss and equipment damage probably comes not from criminals but from old plugs! Your stuff should all be attached to the power supply via surge protectors – and if they’re 20 years old, they’re worse than useless. At a fiver a time they should be renewed regularly. Then you can continue getting my emails with confidence..