Organisations must always look for cost-effective ways to address the cyber security risks they face.
With more than 1,200 publicly disclosed data breaches last year, and organisations spending almost £3 million on average responding to security incidents, effective risk management is a top priority.
One of the most common ways to mitigate the risk of a cyber security incident is cyber insurance. Policies provide organisations with the means to implement incident response measures, such as forensic investigation, legal assistance and public relations support.
These activities aren’t typically included in standard business insurance policies, which tend to only cover costs related to technical issues, such as corrupted hard drives and lost devices.
Despite the benefits of cyber insurance, it is surprisingly undervalued. The UK government’s Cyber Security Breaches Survey 2022 found that only 43% of businesses have a cyber insurance policy.
Those that don’t have a policy are missing out on countless advantages and are exposed to potentially catastrophic damage should a data breach occur.
Rethinking the financial effects of data breaches
Data breaches are like earthquakes. There is the immediate shockwave when an incident occurs, with disruption to business processes and the need to adopt emergency response measures.
Then come the secondary waves that produce new problems. You must, for example, implement measures to restore your organisation’s public reputation. This might include setting up helplines for affected individuals or offering complimentary credit monitoring services.
Even with these actions, you’re likely to see a dip in customers and clients as they lose trust in your ability to protect their sensitive information.
This is followed by the threat of fines and enforcement action. Under the GDPR (General Data Protection Regulation) and its UK equivalent, supervisory authorities have the power to levy penalties of up to €20 million (about £17 million) or 4% of the organisation’s annual global turnover.
Most organisations won’t receive a fine anywhere close to this, but even a comparatively lenient penalty can cause significant problems.
Even if the regulator doesn’t issue a fine, it might require the organisation to invest in its security defences and enrol staff on awareness training programmes.
These costs can quickly add up, meaning organisations will still be paying the price for a security incident months or even years later.
Free PDF download: Cyber Security and Business Resilience – Thinking strategically
Even the most secure organisation can fall victim to a cyber attack.
It’s simply a case of having the odds stacked against you: while you need to protect all your assets from all types of threat, an attacker needs only one exploitable weakness to get into your systems.
On top of that, any security measure you put in place is only designed to stop a handful of threats at most. That means it is likely to be inherently ineffective against other risks.
So how should you protect yourself from cyber attacks in a way that’s effective but without breaking the bank? Find out by reading Cyber Security and Business Resilience – Thinking strategically.
Things are even worse for organisations that fall victim to ransomware. The malware locks them out of their systems, effectively halting business operations until they either pay the cyber criminals a ransom or restore their systems from a backup.
Either option will mean days of chaos, but even when an organisation regains access to its systems, there will be weeks, if not months, of disruption. In some cases, the effects are so devastating that the victim never recovers.
Lincoln College in the US recently closed permanently after it struggled to deal with the repercussions of a ransomware attack.
The same thing happened to the foreign exchange service Travelex. Its systems were compromised for weeks following a ransomware attack, resulting in financial damages that ultimately led to it collapsing into administration, with more than 1,000 people losing their jobs.
According to Sophos’s State of Ransomware 2021 report, it costs on average $1.85 million (about £1.5 million) to respond to a ransomware attack. It’s a sum that very few organisations have at their disposal. If they don’t have cyber insurance to cover the costs, their future could be in jeopardy.
The benefits of cyber insurance
Cyber insurance is a specific type of protection that helps organisations cover the financial costs of data breaches.
Most policies cover anything that affects the confidentiality, integrity and availability of information, meaning that organisations receive comprehensive protection from cyber attacks, network failures and human error.
AdvisorSmith estimates that the average cost of cyber insurance is about $1,485 (about £1,180) a year.
Like other types of insurance, your premium will decrease if you are perceived as less of a risk.
You can do this by implementing appropriate controls that are designed to bolster data protection and data privacy practices.
A good place to start is with certifying to Cyber Essentials. It’s a UK government-backed scheme that outlines five technical controls that organisations can implement to secure their systems, alongside a cyber liability policy that covers moderate damages.
Organisations can also find useful guidance in ISO 27001, the international standard that describes best practice for information security management. They can also reduce their premium by auditing their organisation to ensure that its practices address relevant laws, such as the GDPR.
By adopting these measures alongside a cyber insurance policy, you reap the full benefits of insurance. You are less likely to suffer a disruptive incident, plus you don’t have to worry about recovery costs should disaster strike.
You’ll have access to the support you need to respond to the breach promptly, including forensic investigation support and legal advice, and have confidence in your ability to provide comprehensive support to affected individuals.
Cyber insurance alone isn’t the answer
Although cyber insurance can greatly reduce the damage following a data breach, it is not an alternative to cyber security defences.
For one, most insurance providers require customers to implement certain information security controls. Without these, the organisation is highly vulnerable to data breaches and therefore not worth insuring.
More importantly, cyber insurance doesn’t prevent the immediate damage that a data breach causes. The organisation must still deal with incident response and its breach notification requirements, and it might still be found liable for the incident under the GDPR.
Cyber insurance is designed to prevent a bad situation from getting worse. However, this is something that few organisations – even those with an insurance policy – seem to understand.
The Cyber Security Breaches Survey 2022 found that while 43% of businesses have cyber insurance, only 6% adhere to Cyber Essentials and 8% to ISO 27001.
There is little benefit to obtaining cyber insurance if you don’t also invest in your information security defences.
It would be like getting contents insurance but leaving your doors and windows unlocked. The insurance will cover the cost of anything that’s stolen should someone break in, but you still have to deal with the headache of replacing those goods.
Moreover, when the insurance provider learns of your lax security, it might refuse payment.
Safeguard your organisation with IT Governance
The key to effective risk management is a combination of information security controls and cyber insurance.
Until recently, organisations had to do this as two separate activities. But with IT Governance’s new Cyber Safeguard service, you receive everything you need in one package.
It provides cyber security insurance of up to £500,000 alongside our expert cyber security support, which is based on best-practice advice from ISO 27001, the GDPR and the UK’s National Cyber Security Centre.
The service is available in three tiers – gold, silver and bronze – with each package designed to meet particular security and insurance needs.
Cyber Safeguard is part of IT Governance’s market-leading cyber-defence-in-depth solutions.
Our suite of offerings – which includes consultancy support, audits, e-learning and software – is one of the most comprehensive in the world and unrivalled in the UK.
Find out how Cyber Safeguard can help your organisation from just £300 a month.