CIO

Does your organisation have cyber insurance?

I am going to be bold here and speculate that the percentage of Australian businesses that currently have cyber insurance is very low. From the many conversations I have had over the last few months it has become obvious that many businesses don’t see the urgency or need for cyber insurance, and some just don’t understand what it is really for and why they need it.

With that in mind, I have decided to write this article to help readers of CSO, and organisations from small businesses to enterprises, understand why they need cyber insurance. Let’s start at the beginning with a few statistics that indicate the scale of the cybersecurity problem as it exists in Australia; then I will outline the benefits cyber insurance can bring to your organisation. That way you can make a better-informed decision on which cyber insurance packages are best suited to your organisation.

Without turning this article into a fear-mongering exercise to terrify business owners and readers, let's just look at some events that have occurred over the last year:

  • Cadbury and TNT were both brought to a halt in June 2017 by a ransomware infection, with TNT appearing to have been the most severely affected in Australia (at least from what has been made public) and its parent company FedEx providing an indicative loss of $374 million from the incident. It was also indicated that, as of late 2017, several systems were still not restored and could be permanently lost. Operations had to be handled manually during the several months following the recovery, and some processes are still being handled manually because some systems were never fully restored.
  • In October 2017, the personal information of 5,000 Australian public servants of the Department of Finance, the Australian Electoral Commission and the National Disability Insurance Agency was publicly accessible because of a cloud services misconfiguration. The personal information of almost 50,000 private sector employees was also insecurely stored on an Amazon cloud storage service (just one of several such exposures worldwide over the last few months) and was easily accessible by anyone. This breach was caused by a private contractor who works with both government agencies and the private sector.
  • On 23 May 2018, PageUp, a hiring/recruitment software solutions provider, detected unusual activity on its IT systems and on 5 June 2018 publicly announced a possible breach. PageUp released the statement as required by the new data breach notification laws that had been introduced in February 2018. Will PageUp ever recover from this breach? Possibly not, given the damage to its reputation and the likely financial hardship it will face trying to rebuild the trust of its customers.

These are just three of possibly hundreds of breaches that have occurred over the last year in Australia; it is hard to get an exact figure because the mandatory notification laws only came into effect in February. The reality is that cybercrime is estimated to cost Australian businesses of all sizes around $4.5 billion every year, with evidence that this trend will only get worse as we become more and more reliant on data and on our electronic devices for both personal and business use, not to mention that (almost) everything is now interconnected via IoT.

So what can you do about reducing your organisation's risks?

Some of the measures are as simple as ensuring that you have an adequate set of policies and procedures in place, having your systems tested by a security professional, and training your staff to recognise phishing and scam emails. All of the above will help ensure that your systems are as secure as they can be and that you are prepared to respond to an incident quickly and effectively when it happens - but what about the monetary costs involved in a breach?

The initial costs to a business from a security breach are easy to pinpoint, for example:

  • Time lost to the organisation, from staff not being able to do their jobs to the labour costs of IT/security specialists coming in to recover your systems.
  • Loss of income from not being able to access encrypted data for outstanding invoices of which you have no printed copy. Some customers will still pay, but you cannot tell what they owe, or whether they are telling the truth when they say they have no outstanding invoices at all.
  • The cost of new equipment and tools/software required to remediate the incident or prevent a secondary one (it is always more expensive to secure systems after a breach than before an incident occurs).

Those are the basics most people will be aware of, but what about the hidden costs:

  • Loss of revenue due to the damage to your organisation's reputation.
  • Your organisation could be the target of a lawsuit because of a loss of sensitive data. This would mean legal fees and possibly compensation payouts.
  • The organisation could be fined for not meeting regulatory requirements, if it is subject to them.

The list could go on, but as you can see there are many costs relating to a breach that are not always obvious, and this can help bring into focus the need to look at cyber insurance for your organisation.

What does cyber insurance cover?

Although policies will vary between insurers, a typical cyber insurance policy is designed to help you with both preventing breaches in the first place and dealing with them if and when they occur.

Cyber insurance policies usually include the following:

  • The cost of restoring or recreating electronic data following a breach or leak
  • Forensic services to investigate a breach
  • PR coaching in the event a breach harms your business’s reputation
  • Assistance guarding against data breaches, hacking and employee error
  • Guidance on how to respond to a breach
  • Funds to cover the adverse financial effects related to a breach
  • Funds to cover any fines that might be payable following a breach

Now you know why you should consider cyber insurance and what a policy will generally cover. It is very important that you go through all of your options carefully and understand which items are covered and which situations and items are not covered under the policy, as not all policies are equal. So do your organisation a favour and look into cyber insurance, so that when a breach occurs your organisation has the support it needs to survive. You will thank me later.