The cyber threat landscape has changed so dramatically over the last three years that businesses that operate in today’s digitally connected world need an effective risk management strategy, one that helps them identify and manage their business risks proactively. Good governance and risk management, when coupled with cyber insurance, put companies in good stead for covering the gaps in their cyber security measures, and more importantly, for surviving a cyber attack.
This is according to Charl Ueckermann, CEO at AVeS Cyber Security, who says that a security breach is costly from both financial and resource perspectives. The average cost of a cyber incident in South Africa ranges from R1-million for a small to medium-sized business and up to R16-million for a large enterprise. This is if you consider the direct costs associated with fraudulent transactions, data recovery, and incident investigation to disclose the breach to regulators, customers and the board of directors; indirect costs such as loss of productivity and downtime; as well as opportunity costs, due to reputational damage and potential loss of future income.
“Cyber insurance provides businesses with a double-layer safety net when it comes to cyber attacks, being a financial buffer against these incident costs while helping organisations get the security basics in place to meet the terms and conditions of their cyber insurance policies. This is much like making sure we keep our vehicles in a roadworthy condition for us to be able to make an insurance claim in the event of an accident. It forces prudence.”
Cyber insurance is an insurance product used to protect businesses and consumers against the damages caused by Internet-related risks, such as data breaches and loss of confidential digital information.
Ueckermann stresses that it cannot be a replacement for cyber security measures or good governance. However, it is becoming an increasingly important complement to these.
“Cyber insurance is not the silver bullet, but it can be one of your best tools for managing risk effectively. Cyber security solutions still need to be in place as no cyber insurance policy can cover you against outdated systems, lack of backups and poor software patch management. Cyber insurance offers you the ability to get back on track more quickly after an incident while limiting the financial impact.”
As cyber insurance is all about risk management, he says that before taking out an insurance policy, companies must have an accurate picture of their security posture, know what their risks are and understand what their risk appetite is.
“An independent risk assessment is always the first step to see where you are from a risk point of view. Once you understand your risk profile as well as the executive risk appetite, you can reasonably insure what you have less or no control over.”
Risk profiles are based on a number of factors, including the industry and country the business operates in; the type of business; internal governance practices and how far they are in their cyber protection journey. Companies in specific sectors, such as financial, legal and medical, typically have higher risk profiles due to the level of sensitive personal information they process. Those with poor internal governance controls around people, processes and technology will also have higher risk profiles.
“The level of cyber cover you need and the cost of your cyber insurance will be largely determined by your company’s risk profile. Companies could lower their cyber insurance costs by taking steps to improve their risk profile, for instance, by ensuring that security solutions are up-to-date and properly managed, and by practising good governance.”
Credible cyber insurance companies have several measures in place to help their clients lower their risk profiles. These include, amongst others, advanced endpoint protection, remote system health monitoring and reporting, remote incident response, full disk backups, and security awareness training. These initiatives, says Ueckermann, will not only lower cyber insurance costs but will also lower cyber risk and by default organisational risk.
He adds that companies should ensure that their cyber insurance providers include cover in other aspects of the business that could be impacted by a cyber breach. Other cyber insurance benefits may include receiving advice on managing the reputational component of an incident and action communication to the public and other stakeholders, as well as covering legal costs, such as court cases arising from a security breach.
“Not all cyber insurance companies are created equal. Do the due diligence beforehand to ensure that you choose a provider that is competent and delivers efficient solutions that will help you lower your risk profile,” says Ueckermann.
He concludes by saying that while companies may have survived decades without cyber insurance, it is now becoming a must-have for effectively navigating increasing and evolving cyber threats.
“Doing business today is very different to a decade ago. The risk landscape has changed rapidly over the last few years, making it a bit reckless not to consider cyber insurance as part of your risk management portfolio.”