Not all cyber insurance policies are created equal which is why it’s so important businesses seek the advice of their brokers to ensure they get the right policy to cover the right risks, Gallagher Bassett (GB) believes.
“A broker will be able to evaluate their business and will be able to understand, either formally or informally, what their risk appetite and risk treatments are, and then overlay the nature of the business and the risk framework with the cyber policy and determine what is an appropriate policy for that insured,” GB New Zealand’s head of cyber insurance Gerard Ward says. “Cyber insurance is looking to smooth the unexpected costs that can come out of a cyber breach.”
The best approach for businesses is to discuss their risks with their broker, who most clients have a trusted relationship with, he said.
“I think it’s probably an education piece for the broker to make sure they’re aware of what this product does and where this product sits with their client’s risk management framework or processes and know the different cyber policies available in the market - but there are a lot of different businesses,” he explained. “Not all policies are directly suited to an insured and not all insureds are suited to a policy.
“So, a broker does need to do an evaluation to look at the nature of the business, the risk that gives rise to, what their risk treatments are and then which cyber policy would be appropriate in the context of those risk treatments.
“What the insured asset is, in many respects, is data and how data supports business processes. Even organisations that don’t sell online such as an engineering firm or a manufacturing or distribution, typically use electronic processes.
“I use the analogy that even the blacksmith probably invoices his clients via an accounting service, such as Xero, or checks his bank statements online, or files his GST return using an online accounting service.”
Being online is an integral part of how businesses work today. Even small businesses communicate with customers via email, send invoices to them via email, and their suppliers send invoices to them by email, he said.
But what happens if you accidently release customer data to a third party? Or there is a malicious breach where hackers gain access to your systems and they extract information from those systems and then release that information that causes harm to the public?
“Your material damages policy, or even your business interruption policy, isn’t going to respond to those type of events,” Ward said.
“Cyberattacks are very sexy, and people like to talk about hackers, but the reality is that, in everyday business, processes fall down, somebody emails the wrong piece of information to a third party. These are all the areas where omission and errors contribute to create a business problem.”
