What to know about Cyber Insurance
Back when cyber insurance first became available in the 1990s, there wasn’t much need for it, but in today’s business and digital landscape, cyber insurance has taken on greater urgency.
Why do I need Cyber Insurance?
Many small and medium-sized business owners have the idea that their business is not worth a cybercriminal’s time since they don’t have valuable data. Your business holds much more data than you think and what’s more, your business might be one link in a supply chain that if it gets hit, the rest of the chain’s data is at risk of being compromised.
Since many business owners think this way, it makes their businesses easy targets for cybercriminals to hit them with malware or ransomware that can potentially ruin their business, and it makes the statistic of 43 per cent of all cyberattacks being on SMEs not at all surprising.
The knowledge that any incident can compromise sensitive data or put an organisation at risk of lost business should be enough to make cyber insurance look appealing.
While strategies put in place are to prevent IT risks, there is always a chance that they will still happen and unfortunately, with so many variables outside your control, it’s no longer a matter of if, but when. This is why cyber insurance provides another way to reduce risk to your business.
So, if you have a large customer base, handle customer data or store information about your business, you should have Cyber Security Insurance.
What Does Cyber Insurance Cover?
Since there’s no guarantee you will never be breached, you need to insure against the costs that are involved with a data breach and theft, system hacking, ransomware demands and other attacks. Claims under a Cyber Security policy are often broad but typically include:
- Liability: privacy lawsuits and regulatory defence.
- Internal Financial Loss: extortion, notification expenses, data recovery, business interruption, theft.
- Emergency Incident Response: costs incurred from responding to a Cyber Security attack.
Check the policy, but generally, cyber insurance covers your business for expenses related to the following:
- Business interruptions like loss of profits and operational expenses
- Recovering or replacing records or data
- Liability and loss of third-party data
- Hiring negotiators and paying a ransom
- Defence of legal claims
- Crisis management and monitoring
- Media liability
It’s important to note that Cyber Security does not cover property damage that occurs due to a cyberattack, such as if hardware becomes fried during an incident. It also doesn’t cover intellectual property losses, businesses charged with committing a crime or self-inflicted cyber incidents, or costs associated with avoiding future attacks, like employee training, or working with a managed service provider.
Am I eligible for Cyber Insurance?
Being eligible for cyber insurance requires your business’ Cyber Security processes to meet certain standards and these must be maintained to continue to be covered.
Too many organisations have become complacent with their Cyber Security though as attacks become even more complicated, and while premiums are increasing, insurance companies are becoming more selective in what they will pay. As cybercriminals change their methods, it’s harder for organisations to put the best protections in place, which then impacts how insurance companies shape their policies.
As government regulations continue to be implemented to maintain a set of minimum standards for businesses, as cyber insurance does, this forces companies to strive to upgrade their defences from only virus protection and firewall. This only forces companies to reach their minimum standards though and does not provide the incentive to do better, which is where cyber insurance can produce better security.
When filling out a cyber insurance questionnaire, make sure you consult with your MSP so you know how to answer the questions the insurer is asking you. If you input the wrong information and take out a claim, you might find that you’re not covered for certain things that you haven’t told the insurer about. If your business then is hit by a cyberattack, the insurance company will not honour your cover.
Keep in mind that premiums for ransomware — paying a large sum, often in multiple stages, to a cybercriminal who has either stolen data or locked you out of your systems — policies have increased as the number of claims for ransom and extortion has increased. Cyber insurers often cover ransomware protection but since there is no standard policy surrounding this, cyber insurers are starting to rethink their coverage, so this varies significantly depending on the insurer. You might have to pay a separate, standalone cover for ransomware coverage that is outside of your standard Cyber Insurance.
The Australian Government advises to never pay a ransom as there is no guarantee you will gain access to your information, nor that the cybercriminals won’t sell or leak the data online. If you’re hit by a ransomware attack, call the Australian Cyber Security Centre 24/7 Hotline on 1300 CYBER1 (1300 292 371) for assistance, or contact your IT service provider so that they can guide you through the next steps forward.
The good thing about Cyber Insurance
The good thing about cyber insurance is that it forces your company to examine its risk levels in depth, such as in areas like security issues commonplace in your industry, the type of information your company stores and shares, your formal Cyber Security processes and tools, auditing procedures, backup and data loss protection, compliance regulations as well as your security history, such as whether you have had a breach in the past and how the business responded.
By doing this, businesses can develop an understanding of what Cyber Security truly encompasses and be better aware of everything within their network.
As with any insurance, no business wants to deal with cyber insurance claims. What having insurance does though, is allow organisations to survive serious cyber incidents while also changing the way businesses build and improve their Cyber Security programs.
