Should your business buy cyber insurance protection?
Cyber risk is now the number one concern for businesses in the UK, whether that is the risk of a hacker attack, a data privacy breach or cyber crime. The forthcoming General Data Protection Regulation (GDPR) has also moved cyber security to the head of the list of topics to be discussed at board level. Steps can be taken to make your business more resilient against cyber risk, and these can be backed up by risk transfer in the form of a cyber insurance policy. However, your business has survived for a number of years without a cyber insurance policy, so do you need to buy one now?
In this article, I'll explore ways you can make your business more cyber secure and then, combined with incident response and business continuity planning, more cyber resilient. Cyber resilience is the key consideration and needs to be tackled first, before you look at the insurance solution. Cyber insurance complements cyber resilience. It's best to manage the risk first and then make an informed decision on whether to buy insurance cover.
CYBER SECURITY AND BUSINESS CONTINUITY MANAGEMENT - Making your business more cyber resilient.
Firstly, there is no silver bullet. Hackers have been able to penetrate the most sophisticated IT systems, so the best approach is to assume that you will, at some stage, suffer a breach. This isn't necessarily a pessimistic view, but a proactive one. By making this assumption and combining the right cyber security and risk planning, you can reduce the impact of a cyber incident and hence make it easier for your organisation to recover. Key steps you can take include:
1) GET THE BASICS RIGHT - Establish an effective backup strategy for data, install antivirus software, use firewalls, regularly patch software and encrypt mobile devices. Guidance is available via the UK government Cyber Essentials and Cyber Essentials Plus schemes.
2) EMPLOYEE TRAINING AND AWARENESS - Train employees to be more cyber risk aware. The majority of cyber attacks still include an element of user error. Include training in recognising "phishing" scams, social media and social engineering risks, the importance of password security, online safety and the security of personal information.
3) DATA - Review data storage, protection and access rights. Minimise the risk of an insider breach as well as an outsider attack.
4) BUSINESS CONTINUITY - Consider implementing a Cyber Incident Response Plan to run alongside your main Business Continuity Plan. With regular testing, this will ensure you are better prepared in the event of a real incident and will reduce the impact on the organisation.
So should you buy a cyber insurance policy to sit behind the risk management measures you have put in place?
With cyber insurance, the considerations are the same as for any other form of non-compulsory insurance. Do you feel your organisation is at risk of suffering financially in the event of a cyber attack? If the cost is in line with your budget, would you feel more comfortable if the risk was transferred to a third party, an insurance company? It is a simple choice, but to assist I'll briefly outline the common cover options under a cyber policy. These fall under three headings: Incident Response, First Party insurance and Third Party insurance.
INCIDENT RESPONSE - A 24/7 emergency hotline and support to respond to a cyber incident, plus the appointment of forensic, legal and PR experts to assist in identifying and dealing with the incident.
FIRST PARTY - Cover includes:
- Data restoration costs.
- Business Interruption - loss of revenue due to a network interruption following a cyber incident.
- Cyber Extortion - Losses associated with ransomware.
- Privacy breach notification costs.
- Computer Crime, although beware of differing policy wordings and exclusions. More extensive cover is available under a specialist crime insurance policy.
THIRD PARTY - Cover includes:
- Legal liability to data subjects for loss of confidential information following a privacy breach.
- Defence costs incurred during a regulatory investigation, including under the General Data Protection Regulation (GDPR). Policies can include fines where these are insurable, but GDPR fines may not be insurable by law.
- Legal liability in connection with the transmission of a virus or ransomware to a third party.
So essentially, the better products on the market are a combination of risk management response and insurance cover. Until recently, take-up of cyber insurance in the UK has been on the low side, but more high-profile cyber attacks and greater awareness of the potential consequences of a privacy breach are changing matters.
Should your business buy the cover? Entirely your decision.
John Baty ACII - Director - Cheviot Insured