Whilst businesses organise insurance policies for the likes of commercial property, business interruption or professional indemnity insurance as a matter of course, few are buying specialised cyber-insurance policies to supplement their existing insurance arrangements.
The complexity in finding a suitable cyber-insurance policy is thought to be one of the key factors for this. In fact, only two percent of large UK firms are currently covered. Many simply consider the hassle too much of a burden when compared against the value of their data. However, similar to how doctors prefer to vaccinate against diseases rather than treat them, businesses would benefit from investing in preventative measures to protect their data and assets.
Selecting the right cover is not as hard, nor as expensive, as some may think. Yet, when it comes to cyber-insurance, not already having robust infosecurity measures in place is the equivalent of admitting you left the front door unlocked when your house was robbed. The right processes need to be installed before CIOs can make such an important purchase. Security acts as the vaccination, while insurance is a cure should the worst happen.
In the current climate of daily cyber-attacks and threats, all data is valuable. A UK Government survey estimated that last year some 81 percent of large corporations and 60 percent of small businesses suffered a cyber-breach. Businesses without the right protection in place will not find an affordable insurance policy and could lose thousands of pounds in compensation if they suffer a data breach. These two aspects, protecting information and the other covering finances respectively are quickly becoming as important as each other.
The history of cyber-insurance can be considered as inconsistent at best as nobody is leading the way as the shining example of the industry. Yet the past decade has seen policies marketed at retailers as they have been considered to have the most to lose. Customer information, such as payment details and addresses are gold dust to hackers. Just imagine the pandemonium if Amazon was breached. A bank is another example of an organisation with too much to lose from a cyber-attack. However, all businesses store vital data, most are end user details, orders, payment details or can be just their own employees' personal information, but all are essential for a business's longevity and reputation to keep protected.
Some available policies are affordable as long as a business has the right protection in place. Much like how a heavy smoker who has health related issues is unlikely to be given an affordable health insurance plan, a business with a weak security system will have a tough time finding a cyber-insurance policy.
Private and sensitive data, like health records, can be covered for around £400 a year, while policies for less compromising information come at further reduced rates. It's a relatively small price to pay for such important coverage, and is much better than the potential thousands of pounds of compensation. Small businesses found themselves forking out up to £310,000 in 2014, while the average cost of an attack for larger firms reached £1.46 million.
Selecting cyber-insurance can be more complex than choosing the security system it is covering, so if the right option isn't available, it is paramount quality protection is in place. Two-factor authentication, using a zero knowledge foundation is a proven solution. An investment in the right method of cyber-security can be the difference between making a complicated claim, or protecting data to save everyone from sleepless nights.
As the number of security breaches increases and they become higher profile and sophisticated, protecting a company's finances is essential. Losing an employee's health records or a customer's payment details is devastating – but not being able to compensate them will exacerbate a terrible problem further and result in irreparable damage to a company's reputation. Finding the right cyber-insurance solution may take time, but investing hours rather than paying out those damaged by a security breach is much wiser use of resources.
Contributed by Steve Watts, co-founder, SecurEnvoy