SME Cyber Insurance Facts and Myths
Cyber-attacks and cybercrime sure have been a hot topic these past few years. Every week there’s a new update on cyber risks to business, the likelihood of attack and the big news stories such as WannaCry, Red Cross and Ashley Madison. At Aon we know that claims are on the rise, and we all know that Data Breach Notification Laws are here to stay. But what is the actual risk to you? And if you are an SME, do you really need insurance? If you do, which one is right for you?

Let’s look at some common myths.

“I am not a large business, cyber is just not an exposure for me”

Hackers are increasingly targeting small businesses as their data security tends to be less advanced than that of larger businesses. In The Small Business Cyber Security Best Practice Guide¹, the Australian Small Business and Family Enterprise Ombudsman asserts that:

• 43% of cybercrime targets smaller businesses.
• 22% of smaller businesses hit by cyber-attacks are so badly affected they cannot continue operating.
• 60% of smaller businesses that experience a significant cyber breach go out of business within the next 6 months.

“My IT guy knows his stuff, he is a guru”

Firewalls, a quality IT team and antivirus protection are all great strategies around data protection, but they are not the silver bullet. Ask yourself this: how could companies like Yahoo, JP Morgan Chase, eBay and Target Stores, with their large IT teams and robust IT systems, still experience data and security breaches, resulting in significant financial losses into the millions, as well as reputational damage to their business?

“We don’t hold credit card or financial records, why would someone want to target my business?”

For an SME, the bigger risk is interruption to your business, despite not holding such sensitive information. This may include social engineering and cyber extortion. As an SME you’re more likely to have unique product offerings, client information, invoicing and payment records, etc.
Essentially, your intellectual property that has been built over years of operation and is key to your success – and is also your asset. It’s not about the data being useful to the hacker; it’s how the data and records are useful to your organisation, and importantly, how well (or how long) your business could function without them.

“I outsource to a Cloud provider – they’ll take care of it”

When outsourcing to a third party (60% of Australian companies use cloud computing services), you don’t outsource your liability or responsibilities for the data that is managed externally. You’ll still be liable if a breach occurs at your service provider’s end. We recommend you discuss this with any third party cloud provider that you may be using. If your clients are providing you with their information (whether it be corporate information or personal), you have a duty of care and are responsible for the safety of that information. As a business you should be aware of this, as well as your obligations and the potential risks. With the arrival of mandatory data breach notification laws, this points to a mounting problem.

“I’ve got insurance, I am fully covered for any cyber exposure”

Are you? When we consider the speed and complexity of cyber risks and exposures and how they evolve, ask yourself whether your conventional insurance policies are evolving at the same pace. While endorsements are nice to have, traditional insurance policies were never designed or rated to cover cyber risks and will only ever provide partial cover, if any at all. It’s important to do your homework and clarify what’s covered and what limitations are associated with it. The truth is that cyber is no different to any non-statutory insurance, in that you have a choice to insure or self-insure.
However, the same way you would assess both options for your buildings and contents, your business needs to undertake the same assessment before determining whether to insure or self-insure your data and information.