It seems like cyber attacks on big companies are happening every week. There are so many headlines about customers’ data being compromised. Worst among these stories are the ones where data like contact details and payment information is hijacked.
What you hear about less often is how a business recovers from a data breach. We know what the hack cost their customers (and we don’t mean to downplay this). What happens to the company? We know their reputation has taken a blow, but how do they handle the aftermath of an attack?
When your house gets burgled, you’ve got home insurance to help you deal with the damage. Cyber insurance works in the same way, but for cyber attacks. We’re going to show you what to look for in a policy. Of course, you wouldn’t make your home easy to break into. Hopefully that’s because you’ve got common sense, but also because your policy may not help you out in such a case. You’d take precautions here. And you need to do that with cyber insurance too. Let’s get into it. But first, some context on cyber insurance.
Where Cyber Insurance Came from, and Why it Matters
The cyber insurance market emerged when it became clear traditional policies weren’t covering cyber attacks. Typically, this kind of insurance comes with first-party coverage for data loss, DoS attacks, theft and hacks. Third-party insurance is available too. This deals with any costs associated with an attack, such as legal fees for not compensating your customers properly.
Sounds helpful, right? Well, it seems like a lot of SMBs aren’t bothered by it. A report by Beaming showed that just 51% of companies employing 10 – 49 people had a documented cyber insurance policy. Meanwhile, only 38% had insurance for breaches and data theft at the start of 2018. To make things worse, smaller companies appear to be even less fussed. Only 51% of those with under 10 employees were using a network perimeter firewall to stop threats reaching their systems. And just 30% had intrusion detection systems for spotting malicious activity or policy violations.
With cyber attacks, it’s not a matter of ‘if’. It’s a matter of ‘when’. A lot of SMBs seem to be doing little to protect themselves from a breach or to plan their recovery in the event of one. There’s so much these companies could be doing to reduce the chances of an attack being successful, like sandboxing and patch management. But reducing the chances doesn’t eliminate them entirely. That’s why you need to have a cyber insurance policy in place to help you recover from a breach.
How to Choose a Policy
Before choosing a policy, figure out how you’d respond to a cyber attack. This will help you find one that covers everything you need. Here’s what you should do before picking insurance:
- Estimate how much a data breach will cost you. Think big. Consider what a cyber breach would cost you in terms of cash and assets lost, your employees’ time spent resolving the issue, time spent informing customers and responding to their complaints, compensating customers, paying legal fees and dealing with poor cyber security practices.
- Decide between first-party and third-party insurance. We talked about what first and third-party insurance policies cover above. Decide which one is right for your business, or if you need a combination of both.
- Work hard to protect your business. Your policy isn’t an excuse to be lazy with cyber security practices. Like we said before, there’s a lot you can do to protect your business.
- Educate your employees on cyber security. Technology isn’t everything. Your people can be just as helpful in stopping data breaches. But they need to know what to look out for and avoid. One wrong click can be devastating.
- Then, do a cyber security audit. Take a look at your people, procedures and technology. Do they have any cyber security knowledge gaps? What action would you take in the event of an attack, and how effective would it be? Is there any way you could be using your technology more securely? An audit can answer those questions for you, and give you advice on how to improve. Our free cyber security health check is one such audit.
- Know what your policy covers, and doesn’t cover. Seems obvious, but many of us love to ignore the small print. So read your policy carefully. As your business changes, review your insurance regularly. This will help you check whether your policy’s still fit for purpose, or if it needs a change.
Don’t Depend on Your Policy
We touched on this earlier. As a product, cyber insurance is still in its infancy. A lot of insurance providers don’t offer the amount of coverage people would like yet. One issue is a lack of core policies, or the bare minimum requirements. Another is the variety of terms used by policymakers. Often, suppliers will use several words that mean the same thing. It makes comparing policies a confusing, jargon-filled nightmare.
This isn’t helped by the fact that, in many cases, customers don’t actually know what to look for. Or understand just how important cyber health is. According to the Federation of Small Businesses (FSB), 66% of SMBs thought they weren’t in danger of a cyber attack in 2015.
Like we said at the start of this post, being attacked is not a matter of if, but when. And as you can see, the costs of being breached are painful for your finances and reputation. Cyber insurance can help you to recuperate from some of what you suffer. But as it’s still being worked out, you have to invest in your own security methods too.
Boost Your Defences. Then Get Cover
A cyber insurance policy can be of great value to SMBs. If you know what to look for in a policy, it can help you significantly in the event of a data breach. So get your costs together, decide what kind of policy you need, and find out what your policy will and won’t cover.
But don’t depend on cyber insurance alone. It won’t get you through the day unscathed in the event of an attack. So you need to understand what cyber security is and how you can apply its best practices to your business.
For a good overview of what you should be doing, download a copy of our Quick Guide to Cyber Security. In 13 pages, it shows you why SMBs are vulnerable to attacks, the ways an attack can happen, and how to better your people, procedures and technology to boost your defences.