Data breaches: they’re expensive. Research from IBM and the Ponemon Institute puts the average per-record cost of breaches at $139. Given that 41 per cent of their survey respondents had more than 1,000 records affected, this takes the immediate cost impact of a data breach to over the $100,000 mark.
Considering how quickly a breach can impact numerous records, that’s a cost that many businesses won’t be able to bear. While we at Over the Wire will always recommend managed security services and prevention as the best cure, for the majority of organisations it’s the employees that are the weakest link. A mobile workforce, IoT devices and spear-phishing campaigns all present a potential cyber risk, and your security policies need to address them all.
Enter cyber insurance. A relatively new phenomenon, it seems to offer financial protection for businesses that do suffer a data breach. But what sort of coverage does cyber insurance provide?
How cyber insurance works for Australian businesses
Cyber liability insurance generally covers against two primary costs: keeping your data and networks secure and the price of disruption to business continuity. Many policies can also cover specific events or types of attacks, such as DDoS breaches or malware infection.
The Government’s Australian Cyber Security Centre (ACSC) noted in its 2017 threat report that cyber insurance was an industry undergoing rapid growth. As more high-profile attacks occur and businesses become more aware of the widespread impacts a single breach can have, its popularity will increase.
For example, IBISWorld research from the USA in 2016 showed 15.3 per cent annualised growth in the sector over the previous five years. While this growth hasn’t been reflected in the Australian market yet, it’s only a matter of time before it gains more
Can cyber insurance protect against every security threat?
This is unlikely. Insurance policies are, by design, tailored to protect a business or individual financially against specific events and have a wide set of exclusions. However, threats to cyber security evolve at an alarming rate, with new strains of malware or variants on existing viruses cropping up every single day. We’ve actually covered this recently – you can see three cyber threats that could defeat your legacy cyber security systems in 2018 highlighted by the ACSC here.
The point is, a cyber insurance policy would have to be impossibly broad to provide adequate cover for an Australian business. It can mitigate some of the cost of recovery or lost information, but the true breadth of a breach is as hard to cover as it is to predict.
Further to this, the ACSC argues that the allotted payment may not be enough to cover the true cost of a data breach. The IBM/Ponemon research shows that the costs of a data breach can include:
- Information recovery and repair.
- Breach identification and containment.
- Notifying affected parties (including the Office of the Australian Information Commissioner) of the breach.
- Fines for non-compliant reporting.
- Customer churn and associated reputational damage.
- Implementation of new security measures and training.
- Lost intellectual property and reinforcing of this protection.
Put simply, cyber insurance is a useful tool for mitigating some data breach costs. It is not, however, a catch-all.
Should you cyber insure your business?
The problem may be that the insurer will not want to insure your organisation unless you have the basic controls for cyber security in place. Therefore, implementation of the Government’s Australian Signals Directorate Essential Eight may be a pre-condition to obtaining a premium.
As the ACSC rightly notes, cyber insurance has its place, and that is alongside existing data breach prevention strategies. In particular, organisations should be implementing the Essential Eight and taking any extra steps that are easy to enforce at a business level.
This is the true prevention method. Educate staff, tighten up your security protocols, whitelist and constantly patch/harden software, and limit your administrator privileges wherever possible. Cyber insurance can limit your exposure to financial risk should the worst happen – but in itself is not a preventative measure.
Partner with the experts
To start planning your cyber security strategy, make sure you partner with experts. Our white paper 6 steps to improve your business cybersecurity contains security tips you can put into action immediately to help protect your business.