Why your business needs to consider cyber insurance

More affordable for SMEs than you think...

The immediate threat of a recent global ransomware attack may have subsided, but if you’re wondering what your business should be doing to prepare for future incidents, perhaps you should be thinking about specialist insurance.

Shane Hennelly, joint managing director of Thompson Insurances Dublin, joined Breakfast Business to outline the steps you need to take to best protect your firm against WannaCry-style hits, how specialist insurance can cover them and what it will cost.

A relatively new area of specialist business insurance, it's one that has not been taken up by a significant number of Irish businesses as yet.

Hennelly attributed the "low traction rate" to Irish companies failing to understand the cover and underestimating the rise in online threats.

He said:

"The recent WannaCry ransomware went right to the root of the cyber ecosystem, affecting 200,000 organisations. But it's happening every single day and most people don't want to talk about it.

"If your business is breached, the last thing you want to do is go public and potentially affect your reputation, and have it stated that perhaps your systems weren't up-to-date or weren't robust enough to avoid that cyber breach."

So if you decide to take pre-emptive financial action to minimise the fallout if the worst happens, what exactly needs to be covered?

"78% of cyber claims costs last year related to crisis response costs," Hennelly explained. "So leaving aside somebody taking an action against you or a regulator imposing a fine, in the event of a breach, the first 24 hours are absolutely crucial.

"You need an IT forensics engineer to figure out what's actually happened. You need a specialist legal to figure out and mitigate the risk from a legal perspective. Potentially a PR firm who can manage the media message for you. The last thing you want is one of your own IT engineers trying to communicate to the media about what's just happened.

"So the policy starts by covering those crisis response costs in the event of a breach. But it also covers things like cyber extortion.

"For example, with the WannaCry ransom hit on May 12th, they were essentially looking for money; for bitcoin currency.

"Whilst an insurer wouldn't like you to pay ransoms willy-nilly ... if they feel it's appropriate to pay the ransom, that can be done. But often there's no guarantee that they will actually release your data that they've encrypted."

Hennelly said that outside expertise is generally crucial after a breach:

"Insurance probably comes at the end of the process; it's one of the ingredients. But your IT security policy should be robust, it should be updated and it should be tested.

"Towards the end of the process, you can consider transferring the risk from our own balance sheet to an insurer."

Even if a firm believes it has very strong defensive shields, Hennelly said that "human weakness" can still quite easily bring it to its knees:

"35% of cyber breaches last year, studies show, related to events from within. And that could be innocent or it could be malicious. If you start with innocent, it's as simple as clicking on the attachment in an email and allowing ransomware to get into the system."

"On the malicious side," he continued, "it could be internal employees engaging with third parties, with hacking networks and groups.

"So no matter how robust your own IT security systems are, there's always ... that human threat that you need to be aware of."

As for the cost?

"People would be surprised," he argues. "Typically an SME business turning over less than €10 million in Ireland – which doesn't fit into the real risky categories – would expect to pay somewhere in the region of €1,000 for limited indemnity of €500,000.

"And the limit of indemnity you choose very much depends on the size of your business, whether it's global, whether it's just Ireland and the UK..."

The cost, Hennelly noted, also depends on the sector in which you're operating:

"Financial services would possibly be more exposed than education, for example. So each business needs to look at its own risk."

Hennelly's advice comes ahead of increased data regulation in 2018:

"There's a new EU-wide regime which will be enforceable from May of next year. The Data Protection Commissioner's office will have much wider powers. Today, for a serious breach, the data commissioner could fine up to €100,000.

"That will go [next year] to 4% of global turnover or up to €20m for a breach. So it's now a huge issue... Cyber insurers are now looking at how they will respond to this, but a lot of cyber insurance policies will pick up those regulatory fines."