By Jason Plumridge, Head of Advisory, Pure Security
The risk of cyber-crime is one of the most crucial challenges facing Australian companies and boards. As attacks increase in frequency, complexity and severity, the potential for major business disruption and significant financial and reputational damage is high.
Businesses don’t think twice about insuring their business premises and other physical assets. Understanding the risk to digital assets is critical for companies and boards in the 21st century. Accepting the risk of loss and the potential disruption to digital assets means cyber insurance is emerging as key in the damage mitigation strategy.
Globally, cyber-crime increased by 600 percent in 2020 according to the United Nations, largely due to COVID-19 changing work practices and rocketing phishing attacks. In 2021, cyber-crime is expected to be a $6 trillion business, more profitable than the combined trade of illicit drugs and human trafficking.
With many boards and businesses seriously considering their risk mitigation strategies, cyber insurance is now increasingly being adopted. If you’re investigating which cybersecurity insurance is most suitable for your business, keep the following in mind.
1. Analyse and understand your risk first
To start, you really need to evaluate your business’s cyber risk and involve a governance, risk and compliance consultant to help align your information technology plan with your business objectives and to assess your risks, threats and regulatory compliance obligations. Identifying, rating and assessing your organisation’s risks will help determine your coverage requirements and help you obtain the best and most suitable coverage possible.
2. Understand what’s covered and what isn’t
A common misunderstanding is that traditional insurance policies will cover your cyber risk. But most policies will not cover cyber-related losses without endorsement, and many policies contain specific exclusions for such losses. A robust cyber insurance policy will cover these exposures and support a comprehensive strategy that minimises costs, damages and reputational harm.
A cyber event, as defined in most policies, can include loss and unauthorised distribution or theft of data, an attack on your network from a virus, malware, a denial-of-service attack, an extortion event or a network interruption.
A typical cybersecurity insurance policy will cover first-party exposures including a breach of network security, network interruption or system failure (identifying, terminating), data breach costs (regulatory, notification, PR, legal, forensic), data destruction events (costs of restoration), business interruption loss and reputational harm loss, and costs associated with a denial-of-service attack.
Third-party liabilities such as theft of data, unauthorised access to or use of data, and transmission of malicious code, along with network extortion events and ransomware, may also be covered. Unlike traditional insurance products, a robust cyber insurance policy will not only provide financial cover, but it also gives the policyholder access to a broad range of services in the event of an incident, including 24/7 support to help the business identify and recover from the breach as well as mitigate further
3. Policies should be bespoke
Mark Luckin, the Head of Cyber and Technology at Lockton Companies Australia, the world’s largest privately owned insurance brokerage, says businesses evaluating cyber insurance need to have policies tailored to their specific requirements. This means considering the unique internal and external threats, business size and revenue and what they want to be covered for.
“We worked with an organisation recently which, once they analysed their risk and risk appetite, determined they wanted to implement a cyber insurance policy with the primary intention for it to provide significant public relations costs cover. They were confident with the capability of their internal information security team, they had lawyers on retainer, they had confidence in their ability to restore from backups, but they wanted cover to enable them to spend a significant insured sum on public relations in the event of an incident that might affect their reputation,” he says.
According to Mark, for a major global company with hundreds of sites, thousands of employees, and thousands of points of risk, Lockton has worked with organisations to build a tower of cyber insurance with a limit of liability in excess of $400 million. “On the other end of the spectrum we work with small businesses to implement limits starting from $1 million, for example with premiums starting as low as $1,000. Each policy should be tailored to reflect the client’s risk profile to avoid nasty surprises in the event of an incident,” he says.
4. Cyber insurance and ransomware
With ransomware attacks on the rise, Mark reports that many organisations utilise their cyber insurance policy in the event of a ransomware attack, to assist with associated event costs and even a potential ransom payment.
Governments in Australia and around the world are currently looking closely into this area and global insurance players are also looking carefully at what they will cover, with some putting limits on how much can be paid out for events.
Every Australian business needs to carefully review its preparedness to mitigate and respond to a cyber-attack and take steps to identify risk and increase its security defences. Cyber insurance is a critical piece of the risk management puzzle.