CIO

Protecting your organisation with cyber-insurance alone is not enough

By Neal McCarthy, Incident Response Planning Consultant at SecureWorks

Taxes, death and data breaches are now a fact of life. So how can businesses better protect themselves, manage the risks related to a data breach and reduce the significant costs that can result from one?

One of the options is to integrate cyber-insurance into your cybersecurity incident response plan (CSIRP). Cyber-insurance has become a necessity for organisations, because the cost of cybersecurity breaches can quickly add up with fines, reputational damage and overhauls to network security.

Furthermore, according to experts, mandatory breach notification could become law over the coming months which could see a drastic uptick in the amount of cyber coverage in Australia.

Results from Ponemon Institute’s ‘2016 Cost of Data Breach Report’ show that the average cost of a data breach in Australia is now AU$2.64 million. That is a hefty bill to handle for organisations without cyber-insurance. The news can be even worse if an organisation suffers a business-extinction-level event, where the cost of dealing with the breach is so high that it forces the company out of business.

Where to start?

The prospect of a category five cybersecurity storm makes it vital to ensure that an organisation’s cyber-insurance policy is integrated into its cybersecurity incident response plan.

That begins by involving the organisation’s insurance manager in discussions about the company’s response plan as well as its testing. When it comes to insurance plans, the devil is in the details, and reading the fine print may reveal criteria that impact the development and efficacy of the plan.

For example, some plans have a prescribed list of vendors that organisations must use during the response. Others have requirements that mandate the organisation follow certain industry best practices. Failing to meet these requirements could result in the organisation not getting reimbursed for its expenses.

When a breach occurs, the insurance manager should be the one doing the hand-holding with the insurance company. After all, the other members of the incident response team will have enough on their hands.

While other members of the team liaise with law enforcement, media, customers, and vendors, the insurance manager can answer questions from the insurance company and make sure they are notified of what is happening. Remember – the insurance company is not simply going to write an organisation a check, before having questions answered and their own requirements met.

Understand the policy notification requirements

Notification requirements in the event of a security incident are another common element of cyber-insurance plans. In some cases, insurance companies will not reimburse organisations for money they spend on a breach prior to notifying them of the incident. Even then, the definition of a security incident can vary from policy to policy, making it even more important that the insurance manager understands the various requirements imposed by the insurance company and makes sure the organisation follows through.

Business-extinction-level events may be few and far between, but it only takes one to bring an entire business to its knees. Having cyber-insurance is not enough. It is crucial for your organisation to understand the policies and weave any requirements into your CSIRP.