It seems obvious that what used to be reasonable is now inadequate, and while insurance surveys used to just rely on businesses having good antivirus, backups and updates (the very items that our standard KARE focuses on), they will now also need policy holders to step up their precautions – hence our new KARE for Security offering.
But as we have worked hard to point out, nothing can make anyone 100% safe. We can only reduce risk, so on balance, insurance makes sense to us.
Which policy is best?
That’s a question for your broker! In writing this article, I quickly searched the internet for NZ policies and was overwhelmed with the number of choices. There are options for forensics, for system recovery, financial losses etc. These seem to vary from insurer to insurer, and some include things like business interruption which you might already have on another policy. Depending on your circumstances, you might need cover in case your trade secrets are exposed, or in case a breach threatens data that you have an obligation to others to keep private.
Policies will evolve. How often are you reviewing your cover?
Like many insurance products, cyber-insurance emerged from other products that most businesses had. Depending on your insurance, it might have been part of your business continuity insurance, or E&O or PI. No matter where it was in the past, these products keep changing, and we think cyber-insurance policies will keep changing too.
You need to look carefully at the cover you already have, then see what you need to add to it, alongside the costs, and make a business decision as to what it’s worth to you:
- Loss of business income through business interruption
- Direct financial losses such as forensic costs to ascertain the extent of the event or extortion costs incurred in the threat of an event or a ransomware assault
- Data and/or software restoration – Costs to restore the network and to replicate/replace lost data
- Legal costs
- Liability, Claims for compensation from customers or other third parties such as banks or suppliers, or regulatory fines and penalties
- Is there a risk that a cyber attack could cause physical damage and bodily injury in your operation?
- Crisis management, and public relations costs to minimise reputational damage
- Loss of intellectual property
- Costs of investigations instigated by privacy regulators
What are your obligations?
Just like leaving your front door open at home will cause an insurer to decline a claim, you need to not only ensure you are meeting your obligations, you need to prove it. You can expect to need to show your processes and systems are robust, maintained and you have visibility over them. The last thing any business needs is to pay insurance premiums, suffer an adverse event and then find their claims declined!