Globally, lockdowns have accelerated a permanent transformation in the way people communicate and many businesses operate. Digital platforms have come into their own, supporting greater connectivity and more efficient and flexible working arrangements.
Any change brings its own risks and cyber risk looms larger than ever, with incidents rising sharply. For the first half of 2020 CERT NZ reported a 73% increase in incident reports, with 3,100 incidents equating to $7.8 million in financial losses. Undetected and unreported attacks make the numbers much bigger.
In 2016, Lloyd’s estimated the cost of cyberattacks to businesses globally to be $450 billion, whereas Accenture Research suggests the cumulative value from attacks in the period from 2019 to 2023 will be up to US$5.2 trillion. While the costs to business are clearly large, the evidence is that many pay them scant attention.
Cyber attackers are becoming more sophisticated as use of online platforms has surged. Yet, in New Zealand, it is estimated as many as 90% of small businesses have no cyber insurance protection, indicative of low levels of cyber risk management.
SMEs tend to think that cyber risks and incidents are to be managed by their software provider and none have cyber risk managers. Not surprisingly, therefore, there is very low understanding of the risk at management and board level, particularly of the intangibles like reputation damage.
Cyber threats and resilient technologies are continually evolving, requiring constant vigilance and the ability to adapt system controls in a risk-based manner. While it is not just a matter of transferring risk to insurers, approaching them and answering their questions will highlight vulnerabilities and point to resilient solutions.
Key elements to a cyber insurance policy cover business interruption, forensic investigation, data loss recovery, legal costs and crisis management, with each responding to a unique part of the claim.
Importantly, insurers have cyber response teams which operate 24/7 and are ready to respond immediately in the event of an attack. Once notified, insurers coordinate the appropriate response to the type of cyber incident, be it phishing, ransomware, or data breach.
An initial response may include forensic investigation of what information was stolen, how the attacker gained access to the system, and the extent of the damage.
Policies will cover damage to your system or, if access is restricted, it will cover losses in being unable to operate. Even being denied access for a short period can lead to very large, possibly crippling losses for some SMEs.
One of the lesser-known responses provided by a cyber insurance policy is the provision of a public relations adviser. For some companies, the reputational damage caused by a cyberattack can be more damaging than the financial loss. Having access to expert public relations advice will help address reputational losses.
After a cyberattack, the experts appointed by your insurer will recommend how to be more resilient to reduce the risk of attacks in the future. Preventative assistance to enhance your IT system may also be part of the regular insurer service offering even if there has never been a claim made.
Brokers and advisers play an invaluable role in helping customers manage their risks. This week is Cyber Awareness Week and there’s a great opportunity to work with insureds and explain the heightened vulnerability to them.
Businesses, no matter the size, cannot be complacent. All the evidence shows it isn’t a matter of if an attack occurs, it’s a matter of when.
Don’t let customers become a CERT statistic.