The Role of Cyberinsurance Policies in Cybersecurity Today
Technology, social media and business automation are moving forward so darn quickly these days, and with that comes the increase in data breach risks and cyber INsecurity. Many businesses, big names included, have suffered the aftermath of cyber warfare with some permanently damaged in the process. While it's imperative that a business has various forms of first-line cybersecurity defences in place, such as intelligent firewalls and enabling multi-factor authentication (MFA), it’s equally important to have an insurance policy in place as part of the overarching cybersecurity strategy - a policy that is specifically created to cover the impact of cybersecurity breaches.
One example of an enormous data breach occurred in 2014 when five hundred million user accounts were compromised in a massive cyber attack. Personal data such as users’ full names, birth dates, phone numbers and passwords were breached. And in March 2018, 32 million accounts were impacted in another hacking. All these attacks were aimed at one of the world’s biggest companies - Yahoo. Yahoo has been around for more than two decades and is one of the biggest names in its industry so surely such a big enterprise is giving it their all to protect their data (which is also OUR data)? Despite Yahoo undoubtedly spending millions, if not billions, of dollars on cybersecurity, they can still be vulnerable to cyber attacks. In late 2017, Yahoo admitted that all three billion of its user accounts had been hacked in previous years. This speaks volumes about cyber insecurity today.
If one day your business is faced with a cyberattack, how confident are you that you have strong enough first-line cybersecurity defences in place to prevent an attack from happening? Do you have a solid plan to put you back on track if worst-case scenarios occur? Do you have a cyber insurance policy for your business? If your answer is NO to any of these questions, then you have some cybersecurity homework to do, and one important element in your cybersecurity strategy is having a cyberinsurance policy in place.
Have you heard of cyberinsurance?
You no doubt already have an insurance policy for your business to cover theft on your premises, natural disasters, professional indemnity and other scenarios that a policy would offer protection from. But have you thought about cyberinsurance?
A cyber insurance policy is specifically designed to provide aid in the event of a cyber security breach. Whilst still relatively new in the world of insurance policies, these cyber security-centered policies have developed rapidly in recent years in response to the fast-paced world of technology and the increased number of cyberattacks.
If you approached an insurance broker a few years ago to have a discussion around cyberinsurance, you might have received a short form asking you the usual business and financial questions before being given a quote and signing up for a policy. But as technology has evolved and risks have materialized into much greater threats, insurance companies are now assessing cybersecurity risks in greater depth. You may now find specific questions around how your business mitigates cyber risks, what kind of firewall you have in place, who manages your IT, what kind of network you have, etc. Clients are expected to understand the risks of a security breach and to recognize scams such as phishing emails. In fact, insurance providers may not even cover your business until they have confirmed that first-line cybersecurity protections are already in place.
What does a cyberinsurance policy cover?
While cyberinsurance can differ from policy to policy, an insurer will generally provide coverage when a breach affects business operations and leads to financial losses. Areas of coverage may include:
- Business interruption loss due to a network security failure or cyberattack
- Data loss and restoration
- Incident response and investigation costs
- Delay, disruption, and acceleration costs from events causing business interruption
- Crisis communications and expenses surrounding mitigating impact on a business' reputation
- Liability arising from failure to maintain confidentiality of data
- Liability arising from unauthorised use of your network
- Network or data extortion/blackmail (where insurable)
- Online media liability
- Expenses relating to regulatory investigations
It’s important to understand what you are covered for and what may be excluded. For example, some insurance policies may give you access to a 24/7 service where you can report cybersecurity incidents and receive professional advice from forensic IT consultants and other experts who can help with your case. Some policies may exclude damage instigated by existing staff members.
What does a cyberinsurance policy cost?
The cost of a cyber insurance policy will vary from provider to provider and will largely depend on the requirements of your business. Another factor that will contribute to the cost is your history of cyberattacks. There are multiple things to consider before costs are calculated and a good insurance broker should be able to help you find a policy that fits both your budget and coverage needs.
The big question is, can you afford to NOT be covered if your business experiences a cyberattack?
What is the true cost of a cyberattack?
Imagine for a moment that your business is hit by a ransomware attack and the ransom amounts to $4,300. What if the cyber attack causes your operations to halt for an hour? What would that cost you in numbers? Data from datto.com states that it can go up to approximately $46,800! Per HOUR. Not just that: an attack may freeze your operations and halt all income-producing transactions but, whether your business is at a standstill or not, you probably still have to pay your staff and office costs. These are just some of the costs to consider in the event of a cyberattack.
Now imagine all the screens in your office suddenly turning black and your IT provider telling you that the damage will take three hours to diagnose, before they even start fixing. That is $140,400 down the drain for your business due to downtime. Add in costs of diagnosing the actual breach, plus salary losses, and that is a whole lot of profits lost in less than a day.
(You can read through a number of other loss scenarios from Chubb over here.)
As our business operations have become increasingly reliant on computers, the internet and cloud services, the financial losses associated with downtime are much more significant than they have ever been. Talk to an insurance broker so that you can assess costs specific to your business and devise an appropriate action plan to mitigate the negative consequences of a cyber attack before one occurs.
Why not just rely on your current business insurance policy?
Many standard business insurance policies will not cover cybersecurity breaches. So if you want to put your mind at ease and ensure you are covered in the instance of a cyber breach, start talking to your insurance broker about cyberinsurance as soon as possible.
If you have a business that stores valuable data online or accesses cloud services via the internet (which is pretty much every business these days), cyberinsurance is no longer an optional extra. A comprehensive insurance policy should work in conjunction with (not instead of) first-line cybersecurity defences, which are vitally important, and can offer you the peace of mind of knowing that you’re covered in the case of a cyberattack.
So your homework now is to get in touch with your insurance broker and work with them on putting a cyberinsurance policy in place to protect your business. Don’t wait until it’s too late!
Visit www.grassrootsit.com.au to find out more about what Grassroots IT can do to deliver solutions that drive change to your business. Or browse through our collection of helpful blog articles at blog.grassrootsit.com.au for your daily reading.