Cyber security is the topic on every business leader’s mind these days, and for good reason. With highly publicised cyber attacks against Optus and Medibank prompting the federal government to reconsider the state of its cyber laws, Australian businesses are taking stock of their vulnerabilities, as well as the potential costs associated with a cyber security breach.
This has led to growing concerns about the limitations of professional liability insurance to protect you in the event of a cyber attack. Separate cyber insurance policies exist, but according to the Actuaries Institute’s report on Cyber Risk and the Role of Insurance, only 20% of SMEs carry cyber cover. As an example, Medibank—whose remediation costs may exceed A$200M—does not appear to have had cyber cover in place prior to the attack.
With the risks of a cyber security breach on the rise, why hasn’t cyber insurance been more widely adopted? While cyber insurance can help to mitigate your risks, make sure you understand what’s covered—and what’s not—before investing in a policy.
This article is based on our experience and that of our clients. Cyber insurance coverage and premiums vary widely, and calculations are based on a number of variables. Be sure to seek guidance from a qualified insurance broker who can advise you based on your specific situation.
Applying for cyber insurance cover is often a lengthy and exhaustive process.
Firstly, you’ll want to explore your options by contacting providers and comparing their offerings. You can do this directly, or work with a broker who will communicate with providers on your behalf.
Each provider will require you to submit a detailed report containing all the specifics of your environment and current security protocols. The insurer will use this document to determine if they are able to provide coverage, and if so, what type of policy they can offer you.
It’s possible that they may come back with an offer conditional on making certain changes to your environment or putting specific safeguards in place.
Rates for cyber insurance policies are determined on a case-by-case basis, using a complex calculation involving numerous variables. For this reason, it’s difficult to estimate the cost of your cyber insurance or to understand what variables may affect your premium.
As the Actuaries Institute report notes, several challenges limit enrolment in cyber insurance policies.
• Market capacity for the policies remains limited: As rates of cybercrime continue to skyrocket, providers are (understandably) hesitant to enter the space.
• Coverage is decreasing, while premiums are going up: As existing insurers tighten their policies, it’s becoming increasingly difficult to get cyber insurance at all, let alone a policy with comprehensive coverage. Of the claims reviewed by the Actuaries Institute, insurance covered just “44% and 37% of data breach and first-party costs respectively”.
• Tightening restrictions around security controls: Many insurers are also increasing demands around protocols that must be in place before policies can be issued. If controls aren’t in place, companies may not be issued policies or their premiums may be increased. Implementing these controls can be especially challenging for SMEs that lack the required resources and expertise in-house.
As a result, companies may find it difficult to qualify for cyber cover in the first place—and near-impossible to access these policies in a way that’s cost-effective.
At CBS, we’ve had a number of companies come to us for help ticking the security boxes required by their insurance providers, often wondering what preliminary actions they can take to boost their eligibility and reduce their premium.
The fact is, there’s no cut-and-dried method to determine your cyber insurance premium. Rather, it’s best to take a collective approach to total security, taking into consideration a multitude of factors and maintaining a continued focus on improving security over time.
Some organisations may find it more beneficial to allocate their security budget towards in-house measures that mitigate cyber security risks rather than relying on insurance. As the Actuaries Institute report indicates, “insurance covered only 44% and 37% of data breach and first-party costs respectively.” Most claims result from a data breach, which also tends to be the most costly form of cyber attack.
For companies whose premiums are in the six to seven figure range, we recommend working with a consultant who can recommend additional products, services, features and training that may go further towards improving your security posture and provide a greater return on investment than cyber cover.
With that in mind, the following are some of our best tips for leveraging technology to drive down costs.
Using organisational best practices and technology to mitigate both your risk and the insurer’s can help you to keep premiums tight and reduce the likelihood of experiencing a security breach.
• Determine how much cover you need. Understand that insurance may not cover you for all types of cyber attacks. To determine whether you will receive value from an insurance policy, the premium should fall below your business’s annualised loss expectancy (ALE), a calculation of the loss your business can expect from cyber attacks over a year.
• Implement multi-factor authentication (MFA). This is one of the primary requirements of most insurers, as well as one of the simplest methods to significantly boost your organisation’s security posture. MFA acts as your second line of defence; in the event that a bad actor gets their hands on your passwords, this will prevent them from infiltrating your environment, so it’s essential to implement two-factor authentication wherever possible. This is especially important for financial accounts, system admins, and other privileged users.
• Make sure to back up all data. Insurance providers will want to see that you have a system in place to regularly back up your data. This is one of the most important factors, both for qualifying for cyber insurance and for recovery in the event of a cyber attack. We recommend immutable backups, as in our private cloud: backup data that is fixed, unchangeable and can never be deleted. This is vital for meeting recoverable data needs, protecting backups from new ransomware infections, and guaranteeing recovery from an attack.
• Be aware of and manage insider risk. Your organisation is only as strong as its weakest link. While you may not think your receptionist needs cyber security training, if they have their identity compromised and you haven’t got role-based access control set up properly, that could be just the window bad actors are looking for to infiltrate your business and gain access to your valuable data. Regular cyber security training and education is essential for all team members.
• Stay on top of patching. Outdated software can create vulnerabilities in your organisation that act as open doors for cybercriminals. We recommend only running current, vendor-supported operating systems that offer regularly scheduled updates, as well as testing available security patches and applying them to production systems based on the severity of the risk they mitigate.
• Invest in a business contingency plan (BCP). A business contingency plan is a strategy for how your organisation will respond in the event of a cyber attack. Identify roles and responsibilities as well as processes that will help to minimise the effects of the incident and keep your business operations on track as much as possible.
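The first tip above asks you to compare a quoted premium against your annualised loss expectancy. The following is an added example, not code from the CBS article, that works that comparison through for a set of threat scenarios. It assumes the standard ALE = SLE × ARO model (single loss expectancy times annual rate of occurrence), which the article does not spell out, and it applies the Actuaries Institute’s aggregate coverage figures (44% of data breach costs, 37% of first-party costs) as illustrative payout fractions; a real policy’s ratios come from its wording. All scenario figures are constructed sample values.

```python
"""Added example: does a cyber insurance premium fall below the annualised loss
expectancy (ALE) of the business, and below what the policy would actually pay?

Model (assumption, not stated in the article): ALE = SLE x ARO, where SLE is the
loss from a single occurrence and ARO the expected occurrences per year.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Scenario:
    name: str
    single_loss_expectancy: float   # A$ lost if the event happens once (SLE)
    annual_rate_of_occurrence: float  # expected occurrences per year (ARO)
    covered_fraction: float          # share of this loss the policy would pay (0..1)

    def ale(self) -> float:
        """Annualised loss expectancy for this one scenario."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence

    def expected_payout(self) -> float:
        """Portion of the ALE an insurer would be expected to reimburse."""
        return self.ale() * self.covered_fraction


def total_ale(scenarios: Iterable[Scenario]) -> float:
    """Sum of ALE across all modelled scenarios (the article's yardstick)."""
    return sum(s.ale() for s in scenarios)


def expected_annual_payout(scenarios: Iterable[Scenario]) -> float:
    """Expected annual reimbursement once coverage limits/exclusions are applied."""
    return sum(s.expected_payout() for s in scenarios)


def uninsured_residual(scenarios: Iterable[Scenario]) -> float:
    """Expected annual loss the business still carries even with the policy."""
    scenarios = list(scenarios)
    return total_ale(scenarios) - expected_annual_payout(scenarios)


def premium_within_ale(premium: float, scenarios: Iterable[Scenario]) -> bool:
    """The article's rule: the premium should fall below the ALE."""
    return premium < total_ale(scenarios)


def premium_within_expected_payout(premium: float, scenarios: Iterable[Scenario]) -> bool:
    """Tighter rule: the premium should fall below what the policy is expected to pay."""
    return premium < expected_annual_payout(scenarios)


# Constructed sample scenarios (not real client data). Coverage fractions for the
# first two reuse the Actuaries Institute aggregate figures quoted in the article;
# the third models a loss type assumed to be excluded from the policy.
SAMPLE_SCENARIOS = [
    Scenario("Data breach of customer records", 250_000.0, 0.2, 0.44),
    Scenario("Ransomware outage (first-party costs)", 120_000.0, 0.1, 0.37),
    Scenario("Business email compromise fraud (excluded)", 40_000.0, 0.5, 0.0),
]


def report(premium: float, scenarios: Iterable[Scenario]) -> str:
    """Human-readable summary of the comparison for a quoted premium."""
    scenarios = list(scenarios)
    lines = [f"{s.name}: ALE A${s.ale():,.0f}, expected payout A${s.expected_payout():,.0f}"
             for s in scenarios]
    lines.append(f"Total ALE: A${total_ale(scenarios):,.0f}")
    lines.append(f"Expected annual payout: A${expected_annual_payout(scenarios):,.0f}")
    lines.append(f"Residual uninsured loss: A${uninsured_residual(scenarios):,.0f}")
    lines.append(f"Premium A${premium:,.0f} below ALE: {premium_within_ale(premium, scenarios)}")
    lines.append(f"Premium A${premium:,.0f} below expected payout: "
                 f"{premium_within_expected_payout(premium, scenarios)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(30_000.0, SAMPLE_SCENARIOS))
```

With these sample figures a A$30,000 premium passes the article’s ALE test (total ALE A$82,000) but fails the expected-payout test (A$26,440), which is the point the Actuaries Institute coverage ratios make: the gap between the two numbers is the residual risk that only controls, not a policy, can reduce.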
Before you start shopping around for cyber insurance, it’s important to have a thorough understanding of exactly what you’re looking for.
A cyber security assessment can help give you an accurate picture of your organisation’s existing security posture. Compare your results to your target security posture, and then identify what actions you need to take to bridge the gap.
If you aren’t able to assess your security requirements on your own, an experienced partner can help. Speak with an expert at Canon Business Services ANZ (CBS) today.