Cyber insurance – let’s think hard about this one…

All organisations, regardless of their size, shape and form face serious cyber risks. The news tells us this daily. What many organisations do not understand is that the cyber incidents that can cripple an organisation will not be covered under traditional insurances, for example professional indemnity and general liability. The financial costs will not be covered and there is no assistance for cyber incident response. It is all on you.

So the question becomes: Do you have a team of cyber forensic experts at hand? They are expensive, as are lawyers. Not to mention the cost of loss of confidence in your reputation and impact to revenue through customer churn. Ouch.

The only way to reduce the brand, reputation and financial damage from a cyber incident is to be prepared and handle it well.

If your organisation has no clear cyber incident response plan, including retainers for technical forensics; legal advice; PR, and has never tested the plan, then you could be in big trouble.

Let’s talk about “big trouble”. 

  • Australians are seeing an increased focus on enforcement of regulations post the Hayne Royal Commission; and
  • There is a proposed update to the Federal Government’s Australian Privacy legislation that will put fines for a failure to notify within the allotted time to AUD 10 million or 10% of your revenue. Biggest comes first if that makes sense. This aligns us more with the EU GDPR; and
  • What many people are not aware of is that Australia has many excellent litigation funding firms that will initiate class actions against organisations that haven’t appropriately addressed their cyber risks, for negligence among other things; and
  • What company directors don’t often understand is that directors and officers can be held personally accountable for a cyber incident.

Let’s talk about Director’s and Officer’s (D&O) insurance.

  • If you have a cyber risk that should have been identified and you, as an authorised representative of your organisation, haven’t addressed these risks then you can be held personally liable; and
  • Ensuring that this liability is minimised requires the experienced advice of both D&O and cyber insurance brokers; and
  • Never assume that because you have purchased “box-tick” policies that you are covered, run the scenarios past your policy. An experienced broker will help you profile these risks; and
  • A well-managed cyber incident reduces your exposure and will limit brand and reputation damage.

Let’s talk about how cyber insurance can help with the above.

  • There are cyber insurance policies that range in premium pricing from small independent businesses through to the ASX top 100; and
  • These policies are mature and will cover risks from malware through to ransomware/cryptolocker and also social engineering fraud. This is with the correct policy in place; and
  • Any decent cyber insurance policy will provide a panel of experts (an “A-team”) to fly in and help save your business. This includes IT, legal, identity protection and PR.

It is good business hygiene to assess overall organizational risk management.

How is insurance priced and what should you expect?

  • Limit – this is the amount of money that you can draw from your cyber insurer should you have an incident. Build a risk register and look at your worst-case scenarios, the more experienced cyber brokers can help you with this. Even the most experienced cyber risk consultants often struggle with this area of risk, gather as much knowledge from your internal resources and trusted service providers; and
  • Deductible – sometimes referred to as a retention or excess. All different things but basically mean how much of your money you need to fork out before the insurance kicks in; and
  • Premium – how much the insurance costs, typically annually.

The better your operational cyber security is, the better position you are in to negotiate on the above.

Simple tips when you are ready to purchase cyber insurance:

  • Speak with your broker, if they don’t understand then ask them to bring in another broker and/or underwriter that understands these risks; and
  • Quantifying actual cyber risks in financial terms is very difficult, ensure you have the right advice, consider risk profiling; and
  • Make sure the policy is fit for purpose, many don’t include coverage for good old-fashioned fraud/crime ; and
  • Have your environment assessed for its security (what CTRL does). Clear results on this will impact the effectiveness of your cyber insurance policy. Nobody wants to insure a potential train wreck; and
  • Look at building your operational cyber security (again what CTRL does). Tactics like managed security operations centres, virtual CSOs, monitoring and logging will reduce your insurable and operational cyber risk.

As always, feel free to get in touch with one of our experts for a chat on how we can help.