Posted on: February 29, 2024
Cyber Insurance: Your Protection Against Data Breaches
Globally, a data breach at a professional services business cost an average of AU$6.77M per company in 2023, according to IBM’s most recent Cost of a Data Breach report. For businesses with fewer than 500 staff, the average cost was lower, at about AU$5M.
Crucially, it takes businesses across all sectors an average of 204 days to identify a breach, then another 73 days to contain it.
If you’re relying on your firm’s internal security teams and tools to identify breaches, they will miss about two-thirds of them, IBM says. You’re more likely to find out about a breach from a benign third party or from the attacker themselves.
IBM also ranks the data attackers most often compromise, in order: customer data, employee data, intellectual property, then anonymised customer data and other corporate data.
Here’s how data breaches cost businesses:
- Detection and escalation: the cost to investigate, assess and audit the incident, manage the crisis, and communicate the findings to leadership
- Lost business: lost revenue, system downtime, customer exodus, the cost of acquiring new customers, and reputational damage
- Notification and penalties: notifying third parties, data subjects and regulators, and paying any fines.
Professional services firms must also comply with the Competition and Consumer Act 2010.
The Rising Threat of Data Breaches in Professional Services
Cyber criminals are becoming increasingly sophisticated. They cast their nets wide, selling the data they steal and using it to extort businesses, organisations, governments and individuals. According to IBM, attackers’ motivations are typically criminal, political or personal, and most centre on financial gain. Most, though by no means all, operate from outside the companies they attack.
Rising threats of data breaches in the professional services sector include:
- Phishing, and stolen or compromised credentials (the latter take the longest to identify and contain – almost 11 months on average)
- Unknown vulnerabilities
- Cloud misconfiguration/security
- Business email compromise
- Social engineering
- Weak security for staff/contractors working remotely
- Ransomware
- Physical security compromise
- Breaches through supply chains.
Notably, businesses that make extensive use of security artificial intelligence and automation incur lower data breach costs. On average they identify and contain breaches around 100 days faster than those not using this technology.
Understanding Cyber Insurance
A cyber insurance policy helps minimise the financial risks of operating a business online. In essence, you’re transferring some of those risks to the insurer.
But it’s not set-and-forget. The cyber security landscape is dynamic, so your policy’s terms and conditions must be reviewed regularly to keep pace with it.
Cyber insurance, also known as cyber security insurance or cyber liability insurance, aims to protect your professional services firm from the consequences of the compromise, theft or loss of the electronic data you’ve collected. Coverage generally will:
- Cover the cyber risks specified in the policy (check the schedule for exactly which events and losses are included)
- Help you deal with cyber attacks and incidents through expert advice
- Offer financial support for the damage cyber incidents cause, such as investigation costs, credit monitoring services for affected individuals, and possible legal liabilities
- Fund lawyers to deal with the fallout of your firm’s data breaches
- Demonstrate to your customers and regulators that your business takes cyber security seriously
- Provide support to restore your systems – repairs or replacement, for instance.
However, policies commonly exclude:
- Cyber events caused by insiders or employees
- Infrastructure failures
- Loss of the value of your intellectual property
- Pre-existing breaches, or breaches that happened before you bought the policy
- Losses arising from a known vulnerability you failed to fix.
Selecting the Right Cyber Insurance Policy
Determining the right policy for your business involves considering your annual revenue, industry sector, business size, type of coverage, and risk profile.
Often, you’ll be asked to provide a cyber security audit or assessment to help the insurer determine the best policy for you. So, how can your business demonstrate its best cyber health?
Cyber Resilience Best Practices
The Australian Securities & Investments Commission (ASIC) lists 11 good cyber security practices (you’ll also find more tips under ‘useful links’ below).
These practices cover strategy, governance, risk management, threat assessment, collaboration and information sharing, asset management, protective measures and controls, detective systems and processes, and planning your response and recovery.
The Federal Government has allocated $7.2M in funding to set up a voluntary cyber health check program for small businesses. At the end of January the government was also in the process of setting up its Small Business Cyber Resilience Service – so watch this space for updates.
There’s only so much your professional services firm can do on its own to manage cyber risks. Talk to us about how cyber insurance can be part of your risk management arsenal.