The slew of large-scale data breaches and cyber attacks has highlighted the need for organisations of all types to protect themselves against these risks. Cyber insurance is an effective way of mitigating these risks, particularly if you consider that the average cost of a data breach runs into the millions of rands.
“Deciding to get a policy is simple,” says Simon Campbell-Young, CEO of MyCyberCare. “However, finding the right policy, from the right provider, can prove far more challenging.”
He says many traditional insurance policies might, to a very limited extent, provide some coverage should a breach or another security incident occur, but no business in its right mind would rely on that. “It’s important when choosing a cyber insurance provider to remember that it’s not as simple as choosing regular insurance. There is very little standardisation in the cyber insurance industry, and the offerings from the different providers are bound to vary massively in terms of what is covered, and what is not.”
Comparing the various offerings and selecting coverage that meets your specific business needs is tricky, and you don’t want to be left with any crucial gaps in your coverage, he explains. “Therefore, before picking a cyber insurance policy, an organisation must have a very clear and thorough understanding of the cyber risks specific to itself.”
When choosing a policy, ensure that it covers your unique and specific needs. To do this, conversations with the business, legal and technical teams are essential, so that the risks that really matter are taken into account, says Campbell-Young.
He says there are two major types of cyber risk coverage that organisations generally consider, and those are first-party coverage and third-party liability coverage. “The former will cover direct costs associated with responding to an attack, such as the leaking of personal customer data, and the theft, destruction or loss of any information resulting from a breach. It will also cover removing malware, cleaning the system, and data recovery.”
But remember that a security breach can give rise to significant associated costs, such as forensics and investigation into the cause and impact of the breach, as well as interruption to systems and the business, including losses incurred due to downtime, he adds. “Then there are the legal costs associated with determining notifications and regulatory obligations in the wake of an incident, as well as the costs incurred notifying any affected parties.”
Following a breach, there will also be expenses such as providing credit monitoring to affected parties, as well as claims, lawsuits and regulatory issues that come out of an incident. “These could include legal costs and settlements arising from stakeholders such as staff or customers who can prove breach of contract or negligence. There are also fines and penalties for violations of regulation which can be extremely heavy.”
Organisations looking for cyber insurance must also think about any provisions, disclaimers, and exclusions in the various policy options they are presented with. “For example, what if the policy contains exclusions that are pertinent to the organisation’s core business? Or, whether the coverage is broad, and what its limits and deductibles are. Is the insured allowed to choose its own forensics experts and legal team, or does the policy stipulate that the insurer will choose the providers? What about third-party partners and vendors? Is the company covered for their acts of negligence or omission?”
Campbell-Young says it is crucial to ask all these questions and more, to ensure that in the event of an attack the business isn’t caught short. “Security breaches and attacks can be hugely expensive, both for a company’s bottom line and its good name. Organisations must protect themselves, and have an umbrella approach including good security tools, proper policies and procedures, as well as extensive insurance coverage.”