Something that quite often comes up is “I don’t need cyber insurance because I have a company looking after my cyber security” or “So now I’ve taken my cyber insurance, do I still need to pay for cyber security?”.
To put this into context using a different example, you insure your stock and contents but still have an alarm and lock your doors.
In an ideal world, cyber insurance and cyber security go hand in hand. No business can be made 100% secure against cyber crime, which is why you need insurance as a financial backstop for the incidents that get through.
There are two main reasons why some businesses believe they do not need insurance because of what their IT company provides:
- The security provided will stop them being compromised
- The IT company will be able to resolve any issues
Cyber security
Let's start with the idea that cyber security measures are enough to stop every attempted attack, and look at the main reasons why that isn't true. Firstly, the majority of successful attacks, whether ransomware, phishing or business email compromise, involve an element of human error. It's natural to think of human error as limited to an employee clicking a link in an email or connecting to a rogue Wi-Fi hotspot, but remember that it can also be a mistake by the people responsible for providing your protection. I've even known a new company director fall out with their website designer and, while they were finding a new one, their site was compromised because it missed vital updates, leaving them vulnerable.
Remember, no business is 100% secure, and those responsible for your IT security aim to minimise the opportunity for an attack rather than remove it altogether. Business owners need to work with their IT providers to understand what they themselves need to do to be more secure. That will involve educating staff about the dangers and making sure they have reporting procedures for suspicious emails or requests to change bank details.
Relying on your IT company
Now let's look at why relying solely on whoever provides your IT security is a mistake once you have fallen victim. Going back to what I mentioned previously, what if the human error was on their part? A fresh set of eyes is better placed to investigate.
More importantly, cyber insurance is much more than having someone to fix the problem. Your customers are likely to need to be informed, whether about downtime caused by the incident or about what has happened to their data. Doing this at the right time and with the right messages is important to ensuring your clients keep their confidence in you and your business. This is why most good cyber insurance products include a PR team, as they understand how important the right level of communication is for a business.
Staying on the theme of communication, it's important to know how and when you need to communicate with the Information Commissioner's Office (ICO) to avoid any fines; under UK GDPR a reportable personal data breach must be notified to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. In addition, if it's ransomware, what do you do? Pay and lose a large sum of money, or leave it and hope the issue can be resolved, accepting that you cannot trade in the meantime (again, a loss of money)? In ransomware cases, most cyber insurance providers have people experienced in negotiating the ransom amount down. They also have cyber forensics experts experienced in analysing the malware and recovering your data. Finally, if all else fails, many policies will cover the ransom payment, subject to the policy's terms. The speed of this process is determined on a case by case basis.
As the cover incorporates so many different elements to support you during a cyber event, why not just have an insurance policy and save the money you spend on security?
This isn't in any way meant to downplay the role of those providing your IT security. I started off by saying security and insurance should work hand in hand. Regardless of what any insurance can provide, it's far better to avoid making a claim in the first place.
The insurer will relieve as much stress as possible for you, but a claim could still add a grey hair or two. If you've previously suffered a claim, an insurance company is within its rights to ask what you have done to prevent a recurrence. Someone who knows your systems both before and after the claim is best placed to advise you on what needs implementing and why.
Cyber security and cyber insurance complement each other – if you want to look after your clients’ data, your employees’ data and minimise interruption to your business as a result of a cyber incident, I’d always recommend making the most of both.
Scott Whitney
Head of Business Development