Next month sees the four-year anniversary of the introduction of the UK General Data Protection Regulation (GDPR), a law that governs how organisations process personal data.

Businesses can be fined up to €20 million or 4% of their turnover (whichever is the higher figure) if customers’ personally identifiable information is lost, stolen, or leaked. These regulations are among the world’s toughest data protection laws. Since they took effect in 2018, over 900 fines have been issued across the European Economic Area (EEA), and in the UK specifically GDPR fines have ramped up significantly in recent months. The sum total of GDPR fines levied in Q3 2021 hit nearly €1 billion, which is 20 times greater than the totals for Q1 and Q2 2021 combined.

As businesses become more reliant on technology, the threat of a cyber-attack and subsequent data breach has become one of the most significant – and growing – risks they face, with cyber-attacks increasing year-on-year. Any business that electronically stores customer information is vulnerable to a data breach, the impact of which can be significant from a business interruption, reputational and financial perspective. In this article our cyber experts outline steps that businesses should take to help protect client data from being compromised.

Encrypting data

Encryption scrambles data so that only someone holding the correct key can read it, both while it is stored and while it is sent over the internet, so it is vital for businesses to turn on network and data encryption when storing and sharing data. This can be activated through router settings or by installing virtual private network (VPN) software on computers and other devices.

Cybersecurity awareness training

Employees are arguably one of the most important lines of defence against cyber-attacks. Businesses should provide tools and training to employees to help them identify a potential cyber threat, and take the appropriate steps to mitigate it.

Employee security policies

Linked to the above, it is important that businesses have clear cybersecurity policies to guide employees on what is acceptable when sharing data, using computers and other devices, and accessing internet sites.

Vulnerability scanning

A business should keep a record of all the equipment and software it uses and should conduct on-going vulnerability scanning against its publicly facing assets, identifying potential vulnerabilities and exploitable weaknesses. A key step is removing sensitive information from any device or software that is no longer in use and disconnecting these devices from the network, because older equipment could serve as an avenue for criminals to access data. A cyber risk management expert can support the business in conducting vulnerability scanning.

Use multi-factor authentication

Multi-factor authentication (MFA) adds a layer of protection to the sign-in process. It strengthens security by requiring users to provide at least two pieces of evidence, or authentication factors, to prove their identity. By requiring multiple authentication factors, MFA provides a higher level of assurance about the user’s identity. Even if one of the factors has been compromised, the chances that all of the factors have been compromised are low.
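To show concretely what "at least two pieces of evidence" means for a sign-in check, here is an added example (not code from the article or from Gallagher) in which a password is the first factor and an RFC 6238 time-based one-time code (TOTP, as produced by an authenticator app) is the second. The credential store, user password and TOTP secret are constructed sample data; access is granted only when both factors verify, so a leaked password alone does not succeed.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed demo credential store for a single user (sample data, not a real system):
# factor 1 is a salted PBKDF2 hash of the password, factor 2 is a TOTP shared secret.
TOTP_SECRET = b"12345678901234567890"   # RFC 6238 test-vector key, used here as sample data
_SALT = os.urandom(16)
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, 200_000)
_STEP = 30  # TOTP time-step in seconds


def totp(secret: bytes, for_time: int, step: int = _STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing for_time."""
    counter = struct.pack(">Q", for_time // step)              # 8-byte big-endian window index
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_password(candidate: str) -> bool:
    """Factor 1: re-derive the hash and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), _SALT, 200_000)
    return hmac.compare_digest(derived, _PASSWORD_HASH)


def check_totp(code: str, now: Optional[int] = None, skew: int = 1) -> bool:
    """Factor 2: accept the current window plus/minus `skew` windows to tolerate clock drift."""
    now = int(time.time()) if now is None else now
    return any(
        hmac.compare_digest(code, totp(TOTP_SECRET, now + d * _STEP))
        for d in range(-skew, skew + 1)
    )


def authenticate(password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors are evaluated independently; failure of either denies access."""
    pw_ok = check_password(password)
    otp_ok = check_totp(code, now)
    return pw_ok and otp_ok
```

The `now` parameter exists only so the check can be exercised against a fixed time; a real sign-in would use the current clock.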

Cyber insurance as a risk management tool

Good cybersecurity practices are important for businesses trying to minimise the risk of an attack, such as ensuring employees have strong passwords in place and are trained to be aware of the risk of cyber-attacks, checking firewalls, conducting regular software updates, and turning on multi-factor authentication. Even so, businesses are potentially leaving themselves open to the threat of financial and reputational damage if they don’t have cyber insurance in place.

Cyber insurance cannot protect a business against cyber-crime completely, but it can help it recover from and respond to the immediate impact of an attack by working to quickly restore network systems and data, while minimising business interruption as much as possible, including covering loss of income during any periods of disruption.

Cyber insurance can be bought as a standalone policy or as part of a wider commercial insurance policy which will include cover for other risks to the business. In many cases, however, a standalone cyber policy may be the best solution to ensure comprehensive cover.

Policies vary, but the majority of standalone cyber insurance policies include cover for cyber extortion, business interruption and crisis management costs. Through a specialist insurance broker, businesses can also access a range of support measures, including help with developing cyber risk management procedures, legal advice and access to forensic IT consultants, who help to establish the existence, cause or scope of a security incident and to stop or limit the incident, enabling organisations to respond to an event quickly and effectively.


The opinions and views expressed in the above articles are those of the authors/contributors only. This does not necessarily reflect the opinion of Gallagher nor is it intended to constitute any form of specific guidance nor legal or financial advice, and recipients should not infer such from it or its content. Recipients should not rely exclusively on the information contained in the bulletin and should make decisions based on a full consideration of all available information. We make no warranties, express or implied, as to the accuracy, reliability or correctness of the information provided. Our advice to our clients is provided subject to specific terms and conditions, the terms of which take precedence over any representations in this document. We and our officers, employees or agents shall not be responsible for any loss whatsoever arising from the recipient’s reliance upon any information we provide herein and exclude liability for the content to fullest extent permitted by law.