Many Cyber Security articles begin by setting the scene with the number of organisations that have reported a breach or the cost incurred in the event of a breach. What if we started differently?
If you were asked:
- Could you identify the key – or critical – information within your organisation that is vital to achieving business objectives and earning money?
- Do you know what impact a loss or compromise of that data would have on your ability to do business?
- Are there any threats to your critical information?
- Are you confident you are safeguarding and managing that critical information effectively?
If you were able to answer ‘Yes’ to those questions, you’re doing well. If you couldn’t answer those questions, read on as we discuss what you and your organisation could be doing to safeguard your critically important information.
Cyber attacks are on the increase, but that is old news. The number of attacks on large and small organisations reported in 2013 increased from 2012. According to the Department for Business, Innovation and Skills, 93% of large organisations and 87% of small organisations experienced a breach in the last year. Small organisations reported breaches costing between £35k and £65k each, which included productivity disruption, person hours and direct cash spent responding to the incident, loss of business, lost assets and damage to their reputation. Large organisations reported their losses to be between £450k and £850k each. All these statistics may be redundant after insurance houses announced the launch of new Cyber protection cover.
Why didn’t we think of Cyber insurance before?
Cyber insurance has been around since 2000; however, it hasn’t had much traction in the market until recently. Can anyone guess why? Companies are being hacked, data is going missing, information is being compromised and it’s starting to take its toll. Traditional commercial business liability insurance does not cover an organisation in Cyberspace. So, what does that mean? Liability insurance covers the assets but not the information the assets hold. In the event of a data breach, everything that is digital – and therefore usually intangible – is not covered. Sony found out the hard way in 2011, when a hacking attack by a criminal gang compromised 77 million PlayStation Network player accounts (including credit card details); Sony discovered that their commercial business liability insurance didn’t cover digital data breaches.
This is because the Cyber insurance needs of an organisation are harder to define than regular insurance plans.
“We don’t need to worry about cyber breaches, we’re covered.”
With the new Cyber protection plans on offer, do companies still need to put anything in place to protect themselves, given that they would be covered in the event of a breach? We think so. Remember: if your wallet and debit card are stolen and then used by a criminal because the PIN was in your wallet, the bank can refuse to reimburse you on the grounds that you failed to look after your PIN adequately.
The same goes for protecting your company and its information against a Cyber attack. At the end of the day – although the product may be different, the premise behind it is the same – you will not be compensated if you neglect your systems, policies, procedures or people.
As with any other insurance premium, if you can show you are putting things in place, e.g.:
- Installing a burglar alarm for home insurance; or
- Taking the Advanced Driving Test or parking your car in your garage for car insurance;
you are showing your insurer that your actions lower the risk of your house being burgled or of having to claim for damage to your car.
Cost saving with the added bonus of protection, now that sounds like a good idea!
As consumers we want to save money and do so by partaking in activities that will bring our insurance premiums down. When setting Cyber protection premiums, insurance houses look into the information ‘hygiene’ of an organisation and whether it is prepared in the event of a breach. Interestingly, they will also consider the amount of information the organisation is holding and who that information belongs to. If the company that was breached is processing the data of other companies, there is uncertainty as to the number of organisations that may have a claim to compensation.
Ultimately there are things organisations can put in place to prove to an insurance company that the likelihood of a breach occurring is far less than that of an organisation that has done nothing.
At a high level, you might therefore like to consider:
- Initiating a cultural change programme to start a journey towards valuing information and knowing how to manage it safely while using it to achieve business objectives;
- Training your staff – raise awareness of the risks and threats to valuable information in the organisation;
- Implementing physical and technical controls to improve information security within the organisation; and
- Developing a suite of policies to provide defined boundaries within which individuals can operate.
We are living in a world where technology is developing much faster than the policy that is put in place to regulate and protect those using it. For that reason it is critical that organisations put actions in place to regulate and protect the information that is vital to the success of their business.
CYBER PROTECTION INSURANCE: DO YOU NEED TO PUT ANYTHING ELSE IN PLACE IF ‘YOU’RE COVERED’