Dan is a 20-year veteran of the ICT industry, working for global and local vendors to bring new and innovative technologies to market in the ANZ region. Throughout his career, Dan has been passionate about bringing a local voice and local insights to global technology challenges. As the Editor of GetCyberResilient.com, Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate the stories from near and far that are most impactful in addressing our evolving risks.
In the wake of increasing cyberattacks (and increasing media coverage), the cyber insurance industry is witnessing a huge boom in demand.
Aon Australia estimated the local cyber insurance market premium totals to be about A$60m in 2018, and is forecasting 15% growth per year. To keep up with the demand, insurance providers are offering a new crop of cyber-insurance products, typically built on top of their existing insurance offerings. In episode #10 of our ‘Get cyber resilient show’ podcast, we spoke with Blake Deakin, Director and Principal Broker at Cyber Insurance Australia, who explored in detail how insurance products are rapidly changing in light of the new risks digital organisations face.
But picking the right cyber insurance can be an intimidating affair. How do you know you’ve got the right cover? How much cover do you actually need? Are you being taken for a ride? Let’s start with the basics and see if we can get some answers.
What is Cyber Insurance?
Cyber insurance, also known as a cyber insurance policy, cyber risk insurance or cyber liability insurance coverage (CLIC), is a form of insurance designed to help an organisation manage its cybersecurity risk. Cyber insurance helps offset the costs of damage and recovery after a cybersecurity incident. Specifically, cybersecurity insurance covers breach events where personal identifying information is lost, compromised or stolen.
There are two different approaches to cyber insurance you can take. The first one is to get basic financial coverage at the least possible premium cost. This is a great choice for companies who have the internal resources to handle cyber failures on their own.
The second approach is to get more extensive (and expensive) financial coverage. This usually comes with advanced policy features that include things like cyber incident response and recovery support. In this case, the insurance company will also provide services from pre-selected vendors for stuff like digital forensics, crisis communications, legal defence, and data breach notifications. This gives policyholders a ‘one-stop shop’ for all the support needed to navigate a cyber crisis. This could be a smarter option for companies who don’t have the in-house capabilities to deal with all the hassles that come with a big cyber incident.
What kind of cyber insurance is ideal for your organisation?
This is a ‘how long is a piece of string’ kind of question. There are a lot of factors to consider: everything from organisational size and budget to risk profile, risk tolerance and potential liabilities comes into play. As with any kind of insurance, the more coverage you have the better. But you’ll need to make your own assessment to figure out exactly what kind of coverage works best for you. It’s always a good idea to consult with an expert, like a legal team that specialises in cyber risk, to find out what your ideal cyber insurance policy should look like.
If you’re thinking you might be able to get by without any cyber insurance at all, keep in mind that small businesses are the target of 43% of all cybercrimes in Australia. A significant number of businesses that do get attacked simply cannot continue to operate any more.
Having cyber insurance is also good from a reputational standpoint. It shows your management is proactive and responsible when it comes to cybersecurity, and can be reassuring for stakeholders to know that you are well-prepared for any threats.
What should I look for in a cyber insurance policy?
There’s no ‘standard’ kind of cyber insurance, so you’ll have to shop around and check with different providers to see if they can offer coverage that matches your cyber risk profile. You should have plenty of options though. Cyber insurance is highly competitive and more providers are jumping into the fray every day.
Are there any mandatory or baseline features you should consider? Absolutely. Any good policy should provide coverage for legal fees and expenses, assistance with customer notification, personal ID restoration services, data recovery, and repair of damaged systems. Any policy that doesn’t include these is risky and probably not worth the asking price.
Here are a few more things to consider when comparing insurance providers:
- Does the insurance provider offer standalone cyber insurance policies, or is the coverage simply an extension of an existing policy? Are they open to tailoring the policy to your needs?
- What are the deductibles?
- Does the policy cover human error or non-malicious actions taken by an employee?
- Does it cover any widescale attack that happens to affect your company, or does it only cover planned attacks that specifically target your company?
- Does it cover social engineering attacks as well as network attacks?
- What does the policy say about advanced persistent threats? Advanced persistent threats take place over long periods of time, up to years in some cases. Does the policy specify which time period it covers? What about attacks that are discovered AFTER the policy expires, but actually took place when the policy was in effect?
- Does the policy cover the actions of third-party service providers? Almost every company nowadays works with third-party services and the security risks that come with them. It’s a good idea to find out if your service providers have cyber insurance of their own and how it would affect your policy.
Getting cyber insurance doesn’t let you off the hook
Now that you’ve got coverage, you can rest easy, right? Not quite. Quite the opposite, in fact. Your insurer is going to be accepting considerable risk on your behalf, and they’re going to want to make sure you have all your cybersecurity ducks in a row before signing on the dotted line. A reputable insurance provider will conduct a full risk assessment first, to make sure your company is following industry best practices and that your current cybersecurity measures are up to standard.
They may also suggest that your organisation conduct security awareness training to ensure some level of readiness for phishing, social engineering and other threats. We say it all the time (and the data shows it too): human error is the single biggest cause of data breaches. It pays to be prepared. The security of your organisation (and the cost of your insurance premiums) depends on it.