With the GDPR only months away from being implemented, more and more small and medium enterprises are adopting cyber insurance to protect their data in the event of cyber-attacks or breaches.
Small and medium enterprises believe cyber insurance policies will help them prepare incident response plans and reduce losses inflicted by cyber criminals.
Recently, 80% respondents in a survey conducted by CFC Underwriting at the 2017 Cyber Symposium in London said that they noticed a rise in demand for cyber insurance policies owing to the GDPR being only months away from implementation.
The GDPR will impose heavy fines on enterprises that fail to prevent loss of customer data in the event of cyber attacks or fail to inform relevant authorities within 72 hours of finding out about such incidents. As such, small and medium enterprises believe that cyber insurance plans will not only help them reduce losses but will also help them develop appropriate incident response strategies.
‘Under the GDPR there will be a requirement that businesses have an incident response plan in place and must notify any data breach no later than 72 hours of becoming aware of the event,’ said Graeme Newman, chief innovation officer at CFC Underwriting.
‘To do this, businesses are going to need access to a whole raft of specialists and that’s going to have a disproportionate effect on SMEs who are unlikely to have this level of capability in-house. They could find themselves scrambling for help and possibly face missing the cut off, thus exposing themselves to breaching the new rules,’ he added.
While cyber insurance is surely a game changer and needs to be implemented by every organisation that handles customer data, what’s more important is whether insurance policies are in sync with the threat landscape and if small and medium enterprises know exactly what they’re insuring.
‘What’s challenging operationally for the entire ecosystem is that the primary buyer of business insurance is the CFO and the risk department that doesn’t know enough about cybersecurity. And it’s being sold to them by an insurance broker who certainly doesn’t know cyber insurance,’ said Jeremiah Grossman, chief of security strategy at endpoint security software developer SentinelOne to SearchSecurity.
‘Every policy that you’ll read – and I’ve read probably a hundred of them now — is different. There are no standards. It’s a Wild West out there. In many cases, it looks like they took a property or fire insurance policy and substituted fire with computer, and it doesn’t really map that way.
‘When it’s a large policy – let’s say it’s over $100 million – there will be a survey that gets funneled down to the CISO that says: ‘Tell me about your IT environment,’ which will not move the premium one way or the other. And that’s the last time a CISO ever touches a cyber insurance policy, predominantly,’ he added.
In such a scenario, taking a few educated steps would go a long way in helping enterprise owners choose the right cyber insurance policy for their organisations:
1. Allow the CISO, who can effectively map out an organisation’s digital infrastructure, to identify high-risk areas and to choose a cyber insurance policy that is sufficient to cover the organisation’s losses following a cyber incident.
2. Review your insurers track record of reimbursing or helping other organisations that are in the same line of business and have suffered cyber incidents in the past.
3. Check your insurers understanding of your specific needs and compare insurance products offered by different brokers to avoid spending too much on policies.