When it comes to covering the risk of a cyberattack, prevention is better than a cure, and having strong cybersecurity practices in place can help protect your business. However, an additional important way of managing risk and protecting your assets is to have a cyber insurance policy in place in case you suffer a cyberattack.
“I have Cyber insurance, that means I’m protected right?”
Well, it depends. Although most cyber insurance policies present themselves as complete cover, they usually carry a caveat: to actually make a claim after a cyber incident, your insurer will require that your organisation had implemented procedures to mitigate its cyber risk before the incident occurred.
It is important to check your policy and understand what you need to do to satisfy this requirement if you have this type of condition in your policy, which is likely. Whilst the wording varies depending on the insurer, usually it means you have to implement some procedures to reduce the risk of a cyberattack and if you don’t then you won’t be able to make a claim in the event of a cybersecurity incident.
In this article, we look at what you need to cover with cyber insurance and what you need to have in place to make sure you can claim if you have a breach. There is not much point having the insurance if you can't claim on it.
The Importance of Cyber Insurance in a Digital World
As businesses continue to move online, a cyber insurance policy is an important way to manage the risk of a cyber breach. Cyber insurance provides businesses with cover for financial losses and other expenses they may suffer due to a "cyber event", which includes things such as malware attacks, social engineering attacks or cyber extortion. Although there are many types of cyber insurance now available, they will typically cover the following:
- Incident response costs
- Business income loss
- Data restoration
- Breach response costs
- Breach notification costs
- Legal defence costs
Given that more than 60% of Australian small to medium-sized businesses have experienced a cybersecurity incident, it is no surprise that an increasing number of them have opted to have a dedicated cyber insurance policy in place.
Additionally, the Federal Government's Notifiable Data Breaches Scheme, which came into effect in February 2018, has placed greater compliance pressure on business owners. Under this scheme, it is now mandatory for certain businesses to report an eligible data breach (one likely to result in serious harm to the individuals concerned) to the affected individuals and to the Office of the Australian Information Commissioner. This scheme applies to Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, any entities that hold tax file numbers (TFNs), and credit reporting bodies, among others. Given this, it is advisable for businesses to have a cyber insurance policy that covers not only the cost of data restoration, but also the cost of breach notification.
Another key reason behind the importance of cyber insurance is that smaller businesses that deal with larger companies are themselves being targeted by cyberattacks as a stepping stone into the larger company. For this reason, many large companies now require that smaller companies in their supply chain have cyber compliance measures in place, including policies and training. This means that having cyber insurance could eventually become a necessary part of any agreement between your business and other organisations.
Therefore, it is extremely important to understand:
- What cyber risks does my business face?
- Which risks can be minimised, addressed, or managed?
- What are the remaining risks?
From here, your business should implement specific procedures to address these concerns and ensure your insurance policy covers you so that you can make a claim in the event of a cyber breach.
How to Ensure that you can Claim
So, what specifically can you do to ensure that your business can make a claim if needed?
Understand the Insurance Policy Inside-and-Out
Although this might seem obvious, don't just skim through it. You don't want to be reading it fully for the first time when you are making a claim. If a section is unclear, talk to your insurance broker or the insurer and have them explain it to you. In addition, be prepared to ask specific questions about your entitlements, your responsibilities and how you can make a claim so that there are no misunderstandings.
You should also make note of any important conditions that are laid out in the policy and ensure that you are prepared to make the necessary changes to implement these conditions. For example, if the policy explicitly states that you need to provide your employees with training materials about the dangers of cyber risks, then you must ensure that you have implemented this within your business. Consider the following example, which is a condition from a real cyber insurance policy:
If we take a closer look at this condition, we can see a few things. First, note that it refers to written material which is subject to regular review. The fact that it says training material also means that a business needs to provide not only policy documents, but also training documents to its employees. Furthermore, "regular review" must be read in the context of training, i.e. a review of whether employees of the business have used and understood the training material, which requires more than just handing it to them. Keep evidence of that review (for example, dates of training sessions and quiz results), because after an incident the insurer will expect you to show that the condition was met, not merely assert it. As you can see, a single condition within a policy may have several aspects that you will need to consider. Once you have a complete understanding of each of the conditions within a policy, you will then need to implement changes in your business to meet these requirements. This leads us to our next point.
Implement Training Procedures that Cover Policy Requirements
First up, have a written cybersecurity policy. That way all your staff and contractors understand how they should use your technology and what is expected of them. Then you can train them on the policy and on how to avoid a breach.
There are ways to train your staff without creating the material yourself or spending a significant amount on an IT security consultant. Utilising an online cybersecurity awareness training platform may be a worthwhile investment, as it is often the most cost-effective and efficient way for a small or medium-sized business to address cyber risk. When choosing an online platform, look to see whether it:
- Keeps up to date with cybersecurity news and provides relevant alerts. A platform that stays current and alerts you to new attack campaigns helps keep its training relevant to your business.
- Is intuitive and easy to understand. A major reason that employees are often intimidated by cybersecurity training is the perception that it is highly technical and difficult to learn. This is why it is important that you find a platform that is simple to use yet provides effective training materials.
- Includes ways for employees to review the material and for you to record that they did. For example, does the platform include quizzes to test whether employees understood the material, and does it keep completion records you can show an insurer? Periodic reminders to revisit the training also help keep skills sharp.
- Includes cyber policies for your business and updates them periodically. Cyber policies set out standard processes that protect information and technology in your business. They also need to be updated periodically to keep up with best practice as well as recommendations or requirements from government bodies.
- Follows a cybersecurity guideline established by a leading Australian cybersecurity agency.
By following a nationally established cybersecurity guideline, you are more likely to address the critical aspects of your business's cybersecurity and any conditions an insurance policy might contain. In any case, it's good business practice. One such guideline that we recommend you follow is the Essential Eight Mitigation Strategies, published by the Australian Cyber Security Centre (ACSC), which is part of the Australian Signals Directorate (ASD). The Essential Eight are the eight mitigation strategies the ACSC recommends as a baseline for all organisations, and they are assessed against published maturity levels, so you can state which level you have reached rather than simply claiming to "follow" them.
The Essential Eight acts as an effective, practical baseline for addressing cyber concerns within your business and can help to prevent a large-scale cybersecurity incident. Combined with training your staff, it is likely to satisfy the conditions in your cyber policy. Still, check each condition against the policy wording rather than assuming: a policy that names specific controls (for example multi-factor authentication or tested backups, both of which are Essential Eight strategies) requires those specific controls to be in place, and a general training programme will not substitute for them.
Cyber insurance has become a necessity for small to medium-sized businesses. As a small business owner or employee, you must verify that you have understood and complied with all the conditions in the policy. This will ensure that in the event of a cyber incident, your business is able to make a claim and recover some of the financial loss it experiences. Remember, however, that ultimately prevention is better than a cure, and that having strong cybersecurity practices in place can help protect your business from having to face the ramifications of a cyberattack at all.