Cyber insurance is your company's double-layer safety net
Cyber insurance is a financial buffer against incident costs and helps companies get their security basics in place for their cyber insurance policies, says Charl Ueckermann, CEO of AVeS Cyber Security.
The cyber threat landscape has changed so dramatically over the past three years that businesses operating in today's digitally connected world need an effective risk management strategy, one that helps them identify and manage their business risks proactively.
Good governance and risk management, when coupled with cyber insurance, can stand companies in good stead for covering the gaps in their cyber security measures and, more importantly, for surviving a cyber attack.
This is according to Charl Ueckermann, CEO of AVeS Cyber Security. He says a security breach is costly from both a financial and a resource perspective. The average cost of a cyber incident in SA ranges from R1 million for a small to medium-sized business (SME) to R16 million for a large enterprise. This is if you consider the direct costs associated with fraudulent transactions, from data recovery and the investigation of the incident to disclosing the breach to regulators, customers and the board of directors.
There are also indirect costs, such as loss of productivity and downtime, as well as opportunity costs, given the reputational damage that may occur and the potential loss of future income.
"Cyber insurance provides businesses with a double-layer safety net when it comes to cyber attacks as it serves as a financial buffer against these incident costs while helping organisations get the security basics in place to meet the terms and conditions of their cyber insurance policies," says Ueckermann.
"This is much like making sure we keep our vehicles in a roadworthy condition for us to be able to make an insurance claim in the event of an accident. It forces prudence."
Cyber insurance is an insurance product used to protect businesses and consumers against the damages caused by Internet-related risks, such as data breaches and loss of confidential digital information.^1
Ueckermann stresses that it cannot be a replacement for cybersecurity measures or good governance. However, it is becoming an increasingly important complement to these.
"Cyber insurance is not the silver bullet, but it can be one of your best tools for managing risk effectively," he says.
"Cybersecurity solutions still need to be in place as no cyber insurance policy can cover you against outdated systems, lack of backups and poor software patch management. Cyber insurance offers you the ability to get back on track more quickly after an incident, while limiting the financial impact."
As cyber insurance is all about risk management, Ueckermann says that before taking out an insurance policy, companies must have an accurate picture of their security posture, know what their risks are and understand what their risk appetite is.
"An independent risk assessment is always the first step to see where you are from a risk point of view. Once you understand your risk profile as well as the executive risk appetite, you can reasonably insure what you have less or no control over."
Risk profiles are based on a number of factors, including: the industry and country the business operates in; the type of business; internal governance practices; and how far a business is in its cyber protection journey.
Companies in specific sectors, such as financial, legal and medical, typically have higher risk profiles given the level of sensitive personal information they process. Those with poor internal governance controls regarding people, processes and technology will also have higher risk profiles.
"The level of cyber cover you need and the cost of your cyber insurance will be largely determined by your company's risk profile," Ueckermann says. "Companies could lower their cyber insurance costs by taking steps to improve their risk profile; for instance, by ensuring that security solutions are up to date and properly managed, and by practising good governance."
Credible cyber insurance companies have several measures in place to help their clients lower their risk profiles. These include, among others, advanced endpoint protection, remote system health monitoring and reporting, remote incident response, full disk backups, and security awareness training. These initiatives, says Ueckermann, will not only lower cyber insurance costs but will also lower cyber risk and, by default, organisational risk.
He adds that companies must ensure that their cyber insurance providers include cover for other aspects of the business that could be affected by a cyber breach.
Other cyber insurance benefits may include receiving advice on managing the reputational component of an incident and actioning communication to the public and other stakeholders, as well as covering legal costs, such as court cases arising from a security breach.
"Not all cyber insurance companies are created equal. Do the due diligence beforehand to ensure that you choose a provider that is competent and delivers efficient solutions that will help you lower your risk profile," says Ueckermann.
He says that while companies may have survived decades without cyber insurance, it is now becoming a must-have for effectively navigating increasing and evolving cyber threats.
"Doing business today is very different to a decade ago. The risk landscape has changed rapidly over the last few years, making it a bit reckless not to consider cyber insurance as part of your risk management portfolio."
1. Investopedia. (2018, 08 11). Cyber and Privacy Insurance. Retrieved from Investopedia: https://www.investopedia.com/terms/c/cyber-and-privacy-insurance.asp