As a result of the ever-growing number of cyberattacks on Australian small and medium-sized businesses, an increasing number of business owners have opted to take up a cyber insurance policy to help manage their risk and protect their assets. This has led to the expansion of the cyber insurance market, as businesses begin to prioritise having a financial safeguard in the event of a cyber incident.
Although the number of businesses holding a cyber insurance policy has increased, several will still be financially unprotected in a cyber event because they may be unable to make a claim for the incident. Why? Because of a condition present in many cyber insurance policies. Although the specific wording varies between policies, the general proviso is this:
In order to make a claim for phishing or cyber fraud breaches from employee error (which is the most likely way an SME will suffer a cyber breach), the business must have first implemented procedures – such as employee training – to mitigate their cyber risk.
This is often a condition that is missed by businesses taking the policies. Undoubtedly, there is an onus on the business owner to have a clear understanding of the cyber insurance policy they have selected. It is their responsibility to examine the policy and ensure that they are aware of their own responsibilities and entitlements.
However, in saying this, there is also an obligation on the insurance broker who sells the policy to point out and explain any important conditions that the insured needs to adhere to in order to make a claim. If you are an insurance broker, this increasing demand for cyber insurance has considerable implications for the service you provide to your clients.
As a professional whom your clients rely upon for advice on insurance (and given your statutory obligations to act in good faith), it is important to explain to your clients their responsibility to mitigate their cyber risk if the policy contains this requirement. In some policies it is a condition precedent to making a claim that the company has a cyber security policy and training in place to mitigate the risk of human error. In any case, of course, it makes good business sense for the insured to increase its cyber resilience.
The Australian Cyber Security Centre found that small business respondents generally had an “average” or “below average” understanding of cybersecurity. Accordingly, if the policy requires it, it is important that they understand the need to have a system in place to mitigate cyber risks, as it cannot be assumed they will already have something in place.
So how do you, as a broker, meet your obligations?
Your responsibility is not to actually ensure that the business does these things, but merely that they understand that they have to do them to claim on the policy if it contains such a condition. From here, the responsibility of implementing mitigation procedures is on the business itself. However, giving your client the heads up on where to look for a solution will no doubt be of considerable value to them.
A major reason small and medium-sized businesses often overlook training procedures is that they believe cybersecurity is too technical, or that they will have to spend large amounts of money on an IT security consultant to create the correct training procedures for them. Online cybersecurity awareness training platforms are a much more cost-effective and efficient way to cover employee cyber risk, since all of the training material is included within the service, much of it video-based and easy to understand. This means that all the business needs to do is sign up its employees to begin training online.
If asked, what kind of service should you suggest they consider?
Not all platforms are created equal. If you are looking for a platform to direct your client to, the following list is a good guide to what to tell them to look out for:
- Does the training follow an established mitigation strategy guideline? The leading Australian authorities for cybersecurity, namely the Australian Cyber Security Centre and the Australian Signals Directorate, have created a guideline to mitigate the cyber risks for organisations called the Essential 8. This guideline addresses the key procedures that all businesses should undertake to protect themselves. If the training system bases its training around this guideline, then the business can be sure that it is receiving a holistic system of training that covers the key aspects of cybersecurity.
- Is the training one-off or repeated? Many policies will require that cyber awareness training be repeated, because it is easy to forget what is learned if an employee is exposed to the material only once. Therefore, look for training systems that periodically alert the business to revisit the material, as this will ensure that the business is consistently educated, thereby reducing the risk that its staff will be the cause of a cyber incident. The cyber risk in the market also changes, and the training should reflect any changing risks.
- Does the training system also provide policy documents? Policy documents are an essential part of cyber risk mitigation, since they lay out standard procedures that protect a business's information and technology and that staff can be trained to understand and comply with. Additionally, if a condition in a policy that you are selling requires that a business provide written materials for its employees regarding cybersecurity, having a platform that includes these written policies is a great way to help your client save time and cost.
- Does it have other value-added services, such as dark web searching or alerts on potential cyber risks?
Given the patchy knowledge of cyber risk and mitigation amongst SMEs, it cannot be assumed your client already has cyber risk mitigation in place, so it is critical they understand they must do so if the policy has this requirement in it. It will also be a valuable part of your service to alert them that cost-effective online platforms exist.