Trust is central to our business. So, a finding from the 2018 Acumen-Edelman Trust Barometer, a global and local survey of trust in Business, Government, Media, and NGOs, caught my attention.
The survey found the top trust-building factor for business was protection of people’s privacy and personal information. Sixty-four per cent (64%) said this was the top mandate for business, but only 42% thought business was meeting this obligation. Interestingly, driving economic prosperity and providing job opportunities rated lower as trust-building factors at 48% and 43% respectively.
Two things struck me about this. First, insurers hold a lot of personal information about their customers so a risk and opportunity proposition exists. Second, the same risks for all other businesses present an opportunity for insurers, but a fundamental disconnect exists.
One indicator of how seriously business is taking data protection might be the uptake of cyber insurance. Yet, according to a 2017 report from NZI, only 6% of SMEs have taken out cyber insurance.
This massive protection gap should be a matter of the deepest concern for everyone given the volume of online transactions and data transfers. It also begs the question: what sort of conversation and advice is being given at renewal time?
The vast majority of businesses are unaware that they can insure against financial and reputational risk from cyber intrusions. As virtually all commercial cover is sold via intermediaries, underwriters and brokers have a serious communication challenge ahead.
The likely presumption is that traditional commercial property policies provide the cover required. There may be some overlap, but just how rigorously has this been tested given the specific risks each business faces?
All businesses dealing with the EU will need to be compliant with its General Data Protection Regulation (GDPR) from May 25, with very large fines for non-compliance. This means businesses must have well developed cyber risk management.
In addition to firewalls, encryption and data protocols, having a cyber incident response plan and cyber risk insurance will be critical to managing data protection. Last year we had the NotPetya, WannaCry and Equifax hacks. It’s only a matter of time before the first major hacks of 2018 occur.
Ninety-five per cent (95%) of New Zealand businesses employ fewer than 20 people. That doesn’t mean SMEs are not targets, but points to the vulnerability of New Zealand businesses. In the US, where SMEs are larger, more than half experienced a cyberattack in the past 12 months.
While cyber security to protect against malware, phishing and ransomware attacks is fundamental, the causes of many breaches arise from human error, third party mistakes and system operating errors.
Responding to the penetration gap, advisers need to help businesses understand the risks by asking how well protected their systems are – not just from external access, but from human error or poor data back-up. If they can identify the damage caused by their most valuable information being compromised and understand their vulnerability, they will realise just how much they face.
Ask if they have a document management plan and disaster recovery plan for their data. Inquire whether they train employees on cyber security and what their recovery plan is, not just for the recovery of data, but the cost to trust and potential legal and technical costs.
Chances are most SMEs will have holes in some, if not all, of those areas and are unlikely to have a broad recovery plan. Cyber policies are a critical way of providing just that kind of support after an event. So, the conversations we can have with the businesses we support are fundamentally no different to how we would talk about any risk.
Cyber risks may seem less tangible than other risks, but it still comes down to customers’ understanding of potential losses and how to restore that. Do those basics well and we can contribute a lot to enhancing trust in the sector.