Within insurance circles, we hear the phrase “cyber is the new fire” all the time. We use this phrase to say that cyber security insurance needs to be as commonplace for businesses of all sizes as fire insurance is now.
There have been different fire and property insurance schemes going back thousands of years. But fire insurance as we know it today came about following the Great Fire of London in 1666 that consumed more than 13,000 houses and countless more lives. In the aftermath of the blaze, fire insurance went “from a matter of convenience into one of urgency”. In 1666, it took a massive disaster to spur the public and business community into action.
In our modern era, the same situation is playing out with cyber insurance. Almost every month we’re hearing about some new high-profile cyber attack that dominates the news cycle. Companies like Equifax, Maersk, LinkedIn, Marriott International, and Sina Weibo have all been high-profile victims.
With so many prominent incidents causing monetary damage that eclipses anything before it, SMEs and executives responsible for risk management and IT infrastructure should consider cyber insurance.
Here are 5 things to keep in mind when choosing cyber security insurance.
Cyber Security Insurance Is Not Just for the Big Guys
Yes, most of the headline-dominating attacks are perpetrated on large multinational businesses. But that doesn’t mean you’re flying under the radar if you’re a small business.
In the past, hacking tools were difficult to use, required extensive knowledge of computers and programming, and were often custom built to attack a high-value target such as a multinational corporation or government website. Today, what used to be the exclusive domain of nation-states or sophisticated criminal organizations can be rented online for as little as US$10/month.
With this technology effectively democratized, almost anyone with an internet connection anywhere in the world can launch an attack on your small business. Although the large attacks dominate the headlines, they make up just a tiny portion of the over US$6 trillion in cybercrime costs predicted for 2021; countless small businesses make up the bulk of that figure.
Defense in Depth
As cyber security insurance brokers, we have to remind clients about the purpose of cyber insurance. Cyber insurance can’t stop online criminals, but it CAN help you recover from the financial consequences when a breach occurs.
This means insurance alone isn’t enough to adequately protect your business. You should also work in parallel with your IT provider to implement proper security including: installing firewalls or antivirus software, encrypting devices, enabling multi-factor authentication wherever possible, training employees, backing up important data regularly, and choosing long passwords.
Not only will these measures make you less vulnerable to an attack, they’ll help you save money on your cyber insurance premiums as well.
Know Your Risk Exposures
As with traditional property and liability insurance, different businesses carry different risks when it comes to cybercrime. Some common attacks favoured by cyber criminals around the world include:
- Ransomware: This popular attack involves a piece of malware that encrypts your files and forces you to pay a ransom (usually in cryptocurrency) for their safe recovery.
- Phishing: A hacker tricks a user or employee into taking an action such as opening a malicious attachment or entering login information on a fake web page. From there, the attacker usually uses those legitimate credentials to steal data.
- Denial of service: An attacker floods your company’s website with more traffic than the servers can handle, effectively blocking access for legitimate users.
For example, if you do a lot of business online (e.g. as an e-commerce store), you could be especially susceptible to Distributed Denial of Service (DDoS) attacks. If you run a law office, medical clinic, or financial services firm, you may be more susceptible to ransomware or phishing attacks meant to steal client data.
Quantify Your Risk
Once you’ve identified your risk exposures, you’ll want to quantify them to see whether you need cyber insurance and, if you do, how much you need.
First, you want to look at what it would take to recover your data if it was lost or damaged in an attack. Another thing to consider is how quickly you can recover and the amount of income that you could lose during that time.
Secondly, you will want to examine the sensitive third-party data that you keep. Typically, damages for leaked data are paid on a per-record basis. For example, if you store a client’s name, address, email, and credit card number, that constitutes 4 records per customer. Multiply that by the number of customers you have and the number can get very large very quickly. The more records you keep, the larger your third-party liability exposure could be.
Know Your Coverage
Most cyber insurance policies are broken down into 2 coverage areas: First Party & Third Party.
First Party Cover
This takes care of damage your business suffers due to a cyber incident including:
- Loss or damage to data
- Cyber extortion (i.e. ransom payments)
- Business interruption
- Reputation management & PR
- Notification costs & credit monitoring
Third Party Cover
On top of damages your business suffers from a cyber attack, you also have clients, employees, and third-party liability claims to worry about. Once a breach occurs, they could come with claims alleging that you failed to adequately protect their data. In certain jurisdictions (like the EU), you could also face regulatory proceedings resulting in fines or other penalties if regulators determine that you breached privacy laws.
The third-party portion of this policy helps pay for your legal defense and any damages or settlements you have to pay as a result.
Next Steps
Every business, regardless of size, is vulnerable to a devastating cyber attack. With the COVID-19 pandemic forcing staff to work remotely, business operations to go digital, and businesses to rely even more on e-commerce to bring in much-needed revenue, the risk is even greater.
While you’re in the midst of this digital transformation, don’t forget to include insurance as part of your risk management strategy. Get in touch with a cyber security insurance broker at Trusted Union to learn more about this new “fire” insurance.