Johannesburg, 15 Aug 2022
Cyber crime is a threat to organisations of every size. Automated tools and cyber crime as a service launch attacks indiscriminately and at scale. No company is safe: if you use software, retain data or transact using digital infrastructure, your operations are at risk. And it doesn't even have to directly impact your systems.
"Criminals attacking your business systems is one type of cyber attack, but they can be indirect as well," explains Winston Ritson, Chief Operations Officer, Liquid C2. "They could breach your social media accounts and damaging your brand or customer credibility. They might not even attack you at all, but create fake e-mails intercepting payments from customers. Even if you didn't do anything wrong and were not breached, they can still disrupt your business. When you think of cyber crime risk, that's the scope. How can criminals digitally harm your business or your customers?"
Chronic under-insurance
Cyber insurance is growing strongly as a way to mitigate these types of risks. According to Statista, the industry's current value of US$8 billion will more than double to $22 billion by 2025. Yet many companies – particularly medium and small businesses – don't insure against cyber crime. Why not?
"There are two reasons why companies don't add cyber insurance. First is the group that believes they don't need it because they are too small or insignificant to be targeted. But the evidence is overwhelming that criminals attack all companies and may even prefer smaller targets because they are less likely to have sufficient security in place. Don't believe it won't happen to you," says Ritson.
The second reason is the relative newness of cyber insurance. "There aren't a lot of historical trends to accurately calculate premiums and security coverage. So there might be overcharging and limited coverage. But the main problem is that companies don't understand how to buy cyber insurance and what they need."
Most companies are chronically underinsured or not insured against cyber threats. How do you know if your coverage falls short, and what should you ask to get coverage that fits your business and budget?
Getting value from cyber insurance
At a high level, cyber insurance is very similar to other forms of insurance. You get first- and third-party coverage. First-party covers damage to your business, such as loss of revenue or recovery costs, and third-party covers claims from other parties affected if they are exposed and impacted by an attack on your business.
You should start your cyber insurance queries with an insurer you already use. Chances are they have a relevant product or partner and you could negotiate lower premiums as part of your overall insurance package.
But once you get into the details, cyber insurance can turn complex. Insurers are very picky about what risks they cover. For example, fewer underwriters offer coverage for ransomware or business e-mail compromise attacks. Insurers can also differ in what they offer. Some might provide a monetary pay-out, while others have security teams to help with attack recovery and investigations. The questions are: what do you need, what will it cost your business to recover and what are your risks?
"Businesses should do two things when looking for cyber insurance," says Ritson. "Firstly, shop around. Policies are not standard and prices will vary a lot. Paying a big sum for comprehensive coverage means little. You need to know exactly what you are covering. Second, know your IT estate's risks. Are your people likely to be targeted by phishing? Or do you have an important social media presence? Or do you have a data centre with lots of personal customer information? An audit of your IT estate is critical if you want coverage that means anything. It is worth getting an external company in to assist with the audit or use various software tools to generate an audit report."
Why are insurers so finicky? Cyber crime continually evolves and new types of attacks could invalidate existing coverage conditions. Criminals will even selectively target insured companies with attacks such as ransomware, knowing they are very likely to get a payout. This is one reason why fewer insurers still cover this type of attack.
Follow the checklist
Don't expect blanket coverage for an unsecured estate. Insurers emphasise that clients take sufficient care to avoid and mitigate security attacks. In other words, cyber insurance does not make up for poor security practices. Quite the opposite, Ritson notes: "Any decent insurer will have a checklist that you must meet for coverage. If an insurer doesn't have a checklist, don't bother. They aren't serious. That checklist is a good way to see if your security is good or not. These can be small changes, such as activating multi-factor authentication and login alerts on your business social media account, or having regular phishing tests for your staff. It depends on what you want to protect."
Such diligence has another advantage. Many companies have discovered that overly broad policy language usually results in rejected claims. If you know what you want to cover, you have the policy language to cover the specifics.
"Take the time to find out what's right. That is why a checklist is important. It puts you and your insurer on the same page, helping you understand your cyber security risks and removing a lot of the coverage ambiguities. The insurance company must take a vested interest and have a consultant engage with your business around what the offerings are, what the risks are and how to mitigate the risks before taking any insurance policy. If they try and sell you anything before making sure that you've taken the minimum mitigation steps, they are not the right insurance firm to go with."
But do get cyber insurance. It's not just for big companies. Small and medium businesses can gain a lot from the process. They can grasp their most significant digital risk, bolster their security and have coverage that will pay out when the worst happens.
Share